# Required Python packages: # # ansible # openstackclient # openstacksdk - ansible.builtin.import_playbook: common.yaml - hosts: all gather_facts: no tasks: - name: 'Create the master security group' openstack.cloud.security_group: name: "{{ os_sg_master }}" - name: 'Set master security group tag' ansible.builtin.command: cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_master }} " - name: 'Create the worker security group' openstack.cloud.security_group: name: "{{ os_sg_worker }}" - name: 'Set worker security group tag' ansible.builtin.command: cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_worker }} " - name: 'Create master-sg rule "ICMP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: icmp - name: 'Create master-sg rule "machine config server"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 22623 port_range_max: 22623 - name: 'Create master-sg rule "SSH"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 22 port_range_max: 22 - name: 'Create master-sg rule "DNS (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" remote_ip_prefix: "{{ os_subnet_range }}" protocol: tcp port_range_min: 53 port_range_max: 53 - name: 'Create master-sg rule "DNS (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" remote_ip_prefix: "{{ os_subnet_range }}" protocol: udp port_range_min: 53 port_range_max: 53 - name: 'Create master-sg rule "OpenShift API"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp port_range_min: 6443 port_range_max: 6443 - name: 'Create master-sg rule "VXLAN"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 4789 port_range_max: 4789 - name: 'Create master-sg rule "Geneve"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 6081 port_range_max: 6081 - name: 'Create master-sg rule "IPsec IKE"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 500 port_range_max: 500 - name: 'Create master-sg rule "IPsec NAT-T"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 4500 port_range_max: 4500 - name: 'Create master-sg rule "ovndb"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 6641 port_range_max: 6642 - name: 'Create master-sg rule "master ingress internal (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 9000 port_range_max: 9999 - name: 'Create master-sg rule "master ingress internal (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 9000 port_range_max: 9999 - name: 'Create master-sg rule "kube scheduler"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 10259 port_range_max: 10259 - name: 'Create master-sg rule "kube controller manager"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 10257 port_range_max: 10257 - name: 'Create master-sg rule "master ingress kubelet secure"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 10250 port_range_max: 10250 - name: 'Create master-sg rule "etcd"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 2379 port_range_max: 2380 - name: 'Create master-sg rule "master ingress services (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create master-sg rule "master ingress services (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create master-sg rule "VRRP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: '112' remote_ip_prefix: "{{ os_subnet_range }}" - name: 'Create master-sg rule "master ingress HTTP (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp port_range_min: 80 port_range_max: 80 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create master-sg rule "master ingress HTTPS (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp port_range_min: 443 port_range_max: 443 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create master-sg rule "router"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 1936 port_range_max: 1936 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create worker-sg rule "ICMP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: icmp - name: 'Create worker-sg rule "SSH"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 22 port_range_max: 22 - name: 'Create worker-sg rule "Ingress HTTP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp port_range_min: 80 port_range_max: 80 - name: 'Create worker-sg rule "Ingress HTTPS"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp port_range_min: 443 port_range_max: 443 - name: 'Create worker-sg rule "router"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 1936 port_range_max: 1936 - name: 'Create worker-sg rule "VXLAN"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 4789 port_range_max: 4789 - name: 'Create worker-sg rule "Geneve"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 6081 port_range_max: 6081 - name: 'Create worker-sg rule "IPsec IKE"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 500 port_range_max: 500 - name: 'Create worker-sg rule "IPsec NAT-T"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 4500 port_range_max: 4500 - name: 'Create worker-sg rule "worker ingress internal (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 9000 port_range_max: 9999 - name: 'Create worker-sg rule "worker ingress internal (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 9000 port_range_max: 9999 - name: 'Create worker-sg rule "worker ingress kubelet insecure"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 10250 port_range_max: 10250 - name: 'Create worker-sg rule "worker ingress services (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: tcp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create worker-sg rule "worker ingress services (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: udp remote_ip_prefix: "{{ os_subnet_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create worker-sg rule "VRRP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" protocol: '112' remote_ip_prefix: "{{ os_subnet_range }}" - name: 'Create security groups for IPv6' block: - name: 'Create master-sg IPv6 rule "OpenShift API"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: tcp port_range_min: 6443 port_range_max: 6443 - name: 'Create worker-sg IPv6 rule "Ingress HTTP"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" ethertype: IPv6 protocol: tcp port_range_min: 80 port_range_max: 80 - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" ethertype: IPv6 protocol: tcp port_range_min: 443 port_range_max: 443 - name: 'Create master-sg rule "master ingress HTTP (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: tcp port_range_min: 80 port_range_max: 80 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create master-sg rule "master ingress HTTPS (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: tcp port_range_min: 443 port_range_max: 443 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create master-sg rule "router"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: tcp remote_ip_prefix: "{{ os_subnet6_range }}" port_range_min: 1936 port_range_max: 1936 when: os_master_schedulable is defined and os_master_schedulable - name: 'Create master-sg IPv6 rule "master ingress services (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: tcp remote_ip_prefix: "{{ os_subnet6_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create master-sg IPv6 rule "master ingress services (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_master }}" ethertype: IPv6 protocol: udp remote_ip_prefix: "{{ os_subnet6_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create worker-sg IPv6 rule "worker ingress services (TCP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" ethertype: IPv6 protocol: tcp remote_ip_prefix: "{{ os_subnet6_range }}" port_range_min: 30000 port_range_max: 32767 - name: 'Create worker-sg rule IPv6 "worker ingress services (UDP)"' openstack.cloud.security_group_rule: security_group: "{{ os_sg_worker }}" ethertype: IPv6 protocol: udp remote_ip_prefix: "{{ os_subnet6_range }}" port_range_min: 30000 port_range_max: 32767 when: os_subnet6_range is defined