Disable usage of default security group (#4533)

2026-03-13 23:17:35 -02:30 · 2019-04-17 11:10:03 +02:00
parent d83181a2be
commit 1cf76a10db
4 changed files with 33 additions and 18 deletions
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -53,6 +53,7 @@ module "compute" {
  bastion_fips                                 = "${module.ips.bastion_fips}"
  bastion_allowed_remote_ips                   = "${var.bastion_allowed_remote_ips}"
  k8s_allowed_remote_ips                       = "${var.k8s_allowed_remote_ips}"
  k8s_allowed_egress_ips                       = "${var.k8s_allowed_egress_ips}"
  supplementary_master_groups                  = "${var.supplementary_master_groups}"
  supplementary_node_groups                    = "${var.supplementary_node_groups}"
  worker_allowed_ports                         = "${var.worker_allowed_ports}"
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -4,8 +4,9 @@ resource "openstack_compute_keypair_v2" "k8s" {
 }
 resource "openstack_networking_secgroup_v2" "k8s_master" {
-  name        = "${var.cluster_name}-k8s-master"
+  name                 = "${var.cluster_name}-k8s-master"
-  description = "${var.cluster_name} - Kubernetes Master"
+  description          = "${var.cluster_name} - Kubernetes Master"
  delete_default_rules = true
 }
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
@@ -19,9 +20,10 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
 }
 resource "openstack_networking_secgroup_v2" "bastion" {
-  name        = "${var.cluster_name}-bastion"
+  name                 = "${var.cluster_name}-bastion"
-  count       = "${var.number_of_bastions ? 1 : 0}"
+  count                = "${var.number_of_bastions ? 1 : 0}"
-  description = "${var.cluster_name} - Bastion Server"
+  description          = "${var.cluster_name} - Bastion Server"
  delete_default_rules = true
 }
 resource "openstack_networking_secgroup_rule_v2" "bastion" {
@@ -36,8 +38,9 @@ resource "openstack_networking_secgroup_rule_v2" "bastion" {
 }
 resource "openstack_networking_secgroup_v2" "k8s" {
-  name        = "${var.cluster_name}-k8s"
+  name                 = "${var.cluster_name}-k8s"
-  description = "${var.cluster_name} - Kubernetes"
+  description          = "${var.cluster_name} - Kubernetes"
  delete_default_rules = true
 }
 resource "openstack_networking_secgroup_rule_v2" "k8s" {
@@ -58,9 +61,18 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_allowed_remote_ips" {
  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
 resource "openstack_networking_secgroup_rule_v2" "egress" {
  count             = "${length(var.k8s_allowed_egress_ips)}"
  direction         = "egress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "${var.k8s_allowed_egress_ips[count.index]}"
  security_group_id = "${openstack_networking_secgroup_v2.k8s.id}"
 }
 resource "openstack_networking_secgroup_v2" "worker" {
-  name        = "${var.cluster_name}-k8s-worker"
+  name                 = "${var.cluster_name}-k8s-worker"
-  description = "${var.cluster_name} - Kubernetes worker nodes"
+  description          = "${var.cluster_name} - Kubernetes worker nodes"
  delete_default_rules = true
 }
 resource "openstack_networking_secgroup_rule_v2" "worker" {
@@ -87,7 +99,6 @@ resource "openstack_compute_instance_v2" "bastion" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
    "${openstack_networking_secgroup_v2.bastion.name}",
    "default",
  ]
  metadata = {
@@ -115,7 +126,6 @@ resource "openstack_compute_instance_v2" "k8s_master" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
    "${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
  metadata = {
@@ -143,7 +153,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
    "${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
  metadata = {
@@ -192,7 +201,6 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
    "${openstack_networking_secgroup_v2.k8s.name}",
    "default",
  ]
  metadata = {
@@ -239,7 +247,6 @@ resource "openstack_compute_instance_v2" "k8s_node" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
    "${openstack_networking_secgroup_v2.worker.name}",
    "default",
  ]
  metadata = {
@@ -267,7 +274,6 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
    "${openstack_networking_secgroup_v2.worker.name}",
    "default",
  ]
  metadata = {
@@ -314,9 +320,7 @@ resource "openstack_compute_instance_v2" "glusterfs_node_no_floating_ip" {
    name = "${var.network_name}"
  }
-  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
+  security_groups = ["${openstack_networking_secgroup_v2.k8s.name}"]
    "default",
  ]
  metadata = {
    ssh_user         = "${var.ssh_user_gfs}"
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -70,6 +70,10 @@ variable "k8s_allowed_remote_ips" {
  type = "list"
 }
 variable "k8s_allowed_egress_ips" {
  type = "list"
 }
 variable "supplementary_master_groups" {
  default = ""
 }
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -151,6 +151,12 @@ variable "k8s_allowed_remote_ips" {
  default     = []
 }
 variable "k8s_allowed_egress_ips" {
  description = "An array of CIDRs allowed for egress traffic"
  type        = "list"
  default     = ["0.0.0.0/0"]
 }
 variable "worker_allowed_ports" {
  type = "list"