Martin André 1064621394 OCPBUGS-39402: Fix IPv6 security group rule for schedulable master
There was a typo and we were trying to match an IPv4 network for the remote
IP prefix instead of an IPv6 one.
2024-09-03 15:54:48 +02:00


# Required Python packages:
#
# ansible
# openstackclient
# openstacksdk
# Shared setup runs first. The os_sg_master, os_sg_worker, os_subnet_range,
# os_subnet6_range and cluster_id_tag variables used by the play below are
# not defined in this file — presumably they come from common.yaml; verify there.
- ansible.builtin.import_playbook: common.yaml
- hosts: all
gather_facts: no
tasks:
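# Create the two security groups and tag them with the cluster id.
# The openstack.cloud.security_group tasks set only the group name; the tag
# is applied afterwards through the openstack CLI (listed as a required
# package in the file header).
- name: 'Create the master security group'
  openstack.cloud.security_group:
    name: "{{ os_sg_master }}"
- name: 'Set master security group tag'
  # argv passes every value as exactly one argument, so a templated name or
  # tag is never re-split on whitespace and no trailing-space artifact is
  # needed in a command string. NOTE(review): command tasks report "changed"
  # on every run; the tagging itself is a mutation, so that is left as is.
  ansible.builtin.command:
    argv:
      - openstack
      - security
      - group
      - set
      - "--tag"
      - "{{ cluster_id_tag }}"
      - "{{ os_sg_master }}"
- name: 'Create the worker security group'
  openstack.cloud.security_group:
    name: "{{ os_sg_worker }}"
- name: 'Set worker security group tag'
  # Same argv form as the master tag task above.
  ansible.builtin.command:
    argv:
      - openstack
      - security
      - group
      - set
      - "--tag"
      - "{{ cluster_id_tag }}"
      - "{{ os_sg_worker }}"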
# Master security group (os_sg_master) ingress rules. No ethertype is set on
# these tasks; the IPv6 counterparts in the later block set ethertype: IPv6
# explicitly. Rules carrying remote_ip_prefix are limited to os_subnet_range;
# the rules without it (ICMP, OpenShift API, and the schedulable-master
# HTTP/HTTPS rules) carry no source restriction in this file.
- name: 'Create master-sg rule "ICMP"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: icmp
- name: 'Create master-sg rule "machine config server"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 22623
    port_range_max: 22623
- name: 'Create master-sg rule "SSH"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 22
    port_range_max: 22
- name: 'Create master-sg rule "DNS (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    remote_ip_prefix: "{{ os_subnet_range }}"
    protocol: tcp
    port_range_min: 53
    port_range_max: 53
- name: 'Create master-sg rule "DNS (UDP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    remote_ip_prefix: "{{ os_subnet_range }}"
    protocol: udp
    port_range_min: 53
    port_range_max: 53
# No remote_ip_prefix: the API port is not limited to the cluster subnet.
- name: 'Create master-sg rule "OpenShift API"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    port_range_min: 6443
    port_range_max: 6443
# Overlay and IPsec traffic between nodes, subnet-local only.
- name: 'Create master-sg rule "VXLAN"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 4789
    port_range_max: 4789
- name: 'Create master-sg rule "Geneve"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 6081
    port_range_max: 6081
- name: 'Create master-sg rule "IPsec IKE"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 500
    port_range_max: 500
- name: 'Create master-sg rule "IPsec NAT-T"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 4500
    port_range_max: 4500
- name: 'Create master-sg rule "ovndb"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 6641
    port_range_max: 6642
- name: 'Create master-sg rule "master ingress internal (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 9000
    port_range_max: 9999
- name: 'Create master-sg rule "master ingress internal (UDP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 9000
    port_range_max: 9999
# Control-plane component ports, subnet-local only.
- name: 'Create master-sg rule "kube scheduler"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 10259
    port_range_max: 10259
- name: 'Create master-sg rule "kube controller manager"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 10257
    port_range_max: 10257
- name: 'Create master-sg rule "master ingress kubelet secure"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 10250
    port_range_max: 10250
- name: 'Create master-sg rule "etcd"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 2379
    port_range_max: 2380
- name: 'Create master-sg rule "master ingress services (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 30000
    port_range_max: 32767
- name: 'Create master-sg rule "master ingress services (UDP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 30000
    port_range_max: 32767
# VRRP is identified by IP protocol number 112, passed as a string.
- name: 'Create master-sg rule "VRRP"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: '112'
    remote_ip_prefix: "{{ os_subnet_range }}"
# The next three rules exist only when masters also run workloads
# (os_master_schedulable). HTTP/HTTPS carry no remote_ip_prefix; the
# router rule is subnet-local.
- name: 'Create master-sg rule "master ingress HTTP (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    port_range_min: 80
    port_range_max: 80
  when: os_master_schedulable is defined and os_master_schedulable
- name: 'Create master-sg rule "master ingress HTTPS (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    port_range_min: 443
    port_range_max: 443
  when: os_master_schedulable is defined and os_master_schedulable
- name: 'Create master-sg rule "router"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_master }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 1936
    port_range_max: 1936
  when: os_master_schedulable is defined and os_master_schedulable
# Worker security group (os_sg_worker) ingress rules. As with the master
# rules, no ethertype is set here. ICMP and the HTTP/HTTPS ingress rules
# carry no remote_ip_prefix; every other rule is limited to os_subnet_range.
- name: 'Create worker-sg rule "ICMP"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: icmp
- name: 'Create worker-sg rule "SSH"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 22
    port_range_max: 22
# Application ingress, no source restriction in this file.
- name: 'Create worker-sg rule "Ingress HTTP"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    port_range_min: 80
    port_range_max: 80
- name: 'Create worker-sg rule "Ingress HTTPS"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    port_range_min: 443
    port_range_max: 443
- name: 'Create worker-sg rule "router"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 1936
    port_range_max: 1936
# Overlay and IPsec traffic between nodes, subnet-local only.
- name: 'Create worker-sg rule "VXLAN"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 4789
    port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 6081
    port_range_max: 6081
- name: 'Create worker-sg rule "IPsec IKE"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 500
    port_range_max: 500
- name: 'Create worker-sg rule "IPsec NAT-T"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 4500
    port_range_max: 4500
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 9000
    port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 9000
    port_range_max: 9999
# NOTE(review): this opens the same port 10250 that the master rule names
# "kubelet secure"; the "insecure" wording here looks like a leftover —
# confirm and align the task name.
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 10250
    port_range_max: 10250
- name: 'Create worker-sg rule "worker ingress services (TCP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: tcp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 30000
    port_range_max: 32767
- name: 'Create worker-sg rule "worker ingress services (UDP)"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: udp
    remote_ip_prefix: "{{ os_subnet_range }}"
    port_range_min: 30000
    port_range_max: 32767
# VRRP is identified by IP protocol number 112, passed as a string.
- name: 'Create worker-sg rule "VRRP"'
  openstack.cloud.security_group_rule:
    security_group: "{{ os_sg_worker }}"
    protocol: '112'
    remote_ip_prefix: "{{ os_subnet_range }}"
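- name: 'Create security groups for IPv6'
  # The whole block is skipped unless an IPv6 subnet range was supplied.
  when: os_subnet6_range is defined
  block:
    # IPv6 counterparts of a subset of the IPv4 rules above, with
    # ethertype: IPv6 set explicitly. The API and HTTP/HTTPS ingress rules
    # carry no remote_ip_prefix, mirroring their IPv4 equivalents; the
    # router and "ingress services" rules are limited to os_subnet6_range.
    # Every task name includes "IPv6" so it cannot collide with the IPv4
    # task of the same name (--start-at-task and log output rely on that).
    # NOTE(review): ICMPv6, SSH and the overlay/IPsec rules have no IPv6
    # equivalent in this block — confirm that is intended.
    - name: 'Create master-sg IPv6 rule "OpenShift API"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: tcp
        port_range_min: 6443
        port_range_max: 6443
    - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        ethertype: IPv6
        protocol: tcp
        port_range_min: 80
        port_range_max: 80
    - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        ethertype: IPv6
        protocol: tcp
        port_range_min: 443
        port_range_max: 443
    # Schedulable-master rules, same guard as their IPv4 equivalents.
    - name: 'Create master-sg IPv6 rule "master ingress HTTP (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: tcp
        port_range_min: 80
        port_range_max: 80
      when: os_master_schedulable is defined and os_master_schedulable
    - name: 'Create master-sg IPv6 rule "master ingress HTTPS (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: tcp
        port_range_min: 443
        port_range_max: 443
      when: os_master_schedulable is defined and os_master_schedulable
    - name: 'Create master-sg IPv6 rule "router"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet6_range }}"
        port_range_min: 1936
        port_range_max: 1936
      when: os_master_schedulable is defined and os_master_schedulable
    - name: 'Create master-sg IPv6 rule "master ingress services (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet6_range }}"
        port_range_min: 30000
        port_range_max: 32767
    - name: 'Create master-sg IPv6 rule "master ingress services (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        ethertype: IPv6
        protocol: udp
        remote_ip_prefix: "{{ os_subnet6_range }}"
        port_range_min: 30000
        port_range_max: 32767
    - name: 'Create worker-sg IPv6 rule "worker ingress services (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        ethertype: IPv6
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet6_range }}"
        port_range_min: 30000
        port_range_max: 32767
    - name: 'Create worker-sg IPv6 rule "worker ingress services (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        ethertype: IPv6
        protocol: udp
        remote_ip_prefix: "{{ os_subnet6_range }}"
        port_range_min: 30000
        port_range_max: 32767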