| field | value | date |
|---|---|---|
| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-09-15 17:10:47 -0700 |
| committer | GitHub <noreply@github.com> | 2017-09-15 17:10:47 -0700 |
| commit | 37d6601922aae3420f52e36b55876beece585ab6 (patch) | |
| tree | b6cbb6b965addcd62ca91e733ea1d32092a3b252 /roles | |
| parent | 2747d1f1458e33979658f0075bbebab5c3cb6b34 (diff) | |
| parent | 3f102592e305b81f6b0eb778a7170fc1cad8a6b1 (diff) | |
Merge pull request #5345 from smarterclayton/firewall
Automatic merge from submit-queue
Add `openshift_node_open_ports` to allow arbitrary firewall exposure
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
@sdodson as discussed, open to alternatives. I used this from origin-gce with
```yaml
openshift_node_open_ports:
- service: Router stats
  port: 1936/tcp
- service: Open node ports
  port: 9000-10000/tcp
- service: Open node ports
  port: 9000-10000/udp
```
Which then allows me to set firewall rules appropriately.
Alternatives considered:
* Simpler external format (have to parse inputs)
* Additional parameter to role - felt ugly
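As an added illustration, not code from this PR or from openshift-ansible, the following Python models how the merged allow list behaves: an order-preserving union that drops exact-duplicate entries (the behaviour of Ansible's `union` filter on lists of dicts), applied to a constructed subset of the role defaults and the `openshift_node_open_ports` entries from the description, with a parser for the `<port>[-<port>]/<tcp|udp>` port spec and a warning for wide ranges. `cond` is represented as a plain boolean rather than the Jinja expression the role uses, and `max_range` is an assumed review threshold.

```python
import re

# Constructed stand-in for a subset of default_r_openshift_node_os_firewall_allow.
# `cond` is a plain boolean here; the role uses a Jinja expression (assumption).
DEFAULT_ALLOW = [
    {"service": "Kubernetes kubelet", "port": "10250/tcp"},
    {"service": "http", "port": "80/tcp"},
    {"service": "Kubernetes service NodePort UDP", "port": "30000-32767/udp", "cond": True},
]

# Constructed openshift_node_open_ports, mirroring the PR description plus one duplicate.
OPEN_PORTS = [
    {"service": "Router stats", "port": "1936/tcp"},
    {"service": "Open node ports", "port": "9000-10000/tcp"},
    {"service": "Open node ports", "port": "9000-10000/udp"},
    {"service": "http", "port": "80/tcp"},  # exact duplicate of a default entry
]

PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")

def parse_port_spec(spec):
    """Parse '<port>[-<port>]/<tcp|udp>' into (low, high, proto); raise ValueError otherwise."""
    m = PORT_SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed port spec: {spec!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return low, high, m.group(3)

def union(a, b):
    """Order-preserving union dropping exact duplicates, as Ansible's union filter does for dicts."""
    merged = []
    for item in list(a) + list(b):
        if item not in merged:
            merged.append(item)
    return merged

def effective_allow(defaults, open_ports, max_range=100):
    """Return (rules, warnings); rules are (low, high, proto, service) for entries whose cond holds."""
    rules, warnings = [], []
    for entry in union(defaults, open_ports):
        if not entry.get("cond", True):  # cond: False drops the entry, as the firewall role does
            continue
        low, high, proto = parse_port_spec(entry["port"])  # malformed specs fail here, not at apply time
        if high - low + 1 > max_range:  # assumed threshold for flagging wide ranges
            warnings.append(f"{entry['service']}: {entry['port']} opens {high - low + 1} ports")
        rules.append((low, high, proto, entry["service"]))
    return rules, warnings
```

Running `effective_allow(DEFAULT_ALLOW, OPEN_PORTS)` yields six rules (the duplicate `http` entry is merged away) and three warnings for the NodePort and `9000-10000` ranges.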
Diffstat (limited to 'roles')
-rw-r--r-- | roles/openshift_node/defaults/main.yml | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 5424a64d2..433e92201 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -60,7 +60,7 @@ openshift_deployment_type: origin openshift_node_bootstrap: False r_openshift_node_os_firewall_deny: [] -r_openshift_node_os_firewall_allow: +default_r_openshift_node_os_firewall_allow: - service: Kubernetes kubelet port: 10250/tcp - service: http @@ -79,6 +79,8 @@ r_openshift_node_os_firewall_allow: - service: Kubernetes service NodePort UDP port: "{{ openshift_node_port_range | default('') }}/udp" cond: "{{ openshift_node_port_range is defined }}" +# Allow multiple port ranges to be added to the role +r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union(openshift_node_open_ports | default([])) }}" oreg_url: '' oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}" |
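Review bot: the rename in the first hunk, `-r_openshift_node_os_firewall_allow:` to `+default_r_openshift_node_os_firewall_allow:`, adds a variable that is only meant as the base list, but nothing in the file says so; add a one-line comment above it stating that it is internal and that `r_openshift_node_os_firewall_allow` is the value the firewall role consumes. Since this is defaults/main.yml, an inventory that still sets `r_openshift_node_os_firewall_allow` directly overrides the whole merged value and `openshift_node_open_ports` is then silently ignored, which is worth stating in that comment.

Review bot: the new `r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union(openshift_node_open_ports | default([])) }}"` line in the second hunk merges user input with no description of its shape: an entry missing `port`, or a `port` that is not `<port>[-<port>]/<proto>`, only fails later in the firewall role, and `union` drops only exact-duplicate dicts, so the same port listed under two `service` names yields two rules. Extend the `# Allow multiple port ranges to be added to the role` comment to name the expected keys (`service`, `port`, optional `cond`), and document `openshift_node_open_ports` in the role README (under roles/, not in this diffstat) as an inventory variable that opens the listed ports on every node, so ranges like the `9000-10000/tcp` in the PR description are kept as narrow as the workload needs.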