// Module included in the following assemblies:
//
// * installing/installing_gcp/installing-gcp-user-infra.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
[id="installation-deployment-manager-security_{context}"]
= Deployment Manager template for firewall rules and IAM roles
You can use the following Deployment Manager template to deploy the security
objects that you need for your {product-title} cluster:
.`03_security.py` Deployment Manager template
[source,python]
----
def GenerateConfig(context):
    """Build the security resources for a user-provisioned GCP cluster.

    Deployment Manager invokes this hook with ``context``; the template reads
    these ``context.properties`` keys:

      infra_id         prefix shared by every resource name and network tag
      cluster_network  the VPC network the firewall rules attach to
      network_cidr     CIDR of the cluster VPC, used as an internal source range
      master_nat_ip    NAT address allowed to reach the machine config server
      worker_nat_ip    NAT address allowed to reach the machine config server

    Returns ``{'resources': [...]}`` holding seven ``compute.v1.firewall``
    rules followed by two ``iam.v1.serviceAccount`` resources, in a fixed
    order. Only the service accounts themselves are declared here; any role
    bindings for them are not part of this template.
    """
    props = context.properties
    infra_id = props['infra_id']
    network = props['cluster_network']

    def tag(suffix):
        # Resource names, network tags and account ids all carry the infra_id prefix.
        return infra_id + suffix

    master_tag = tag('-master')
    worker_tag = tag('-worker')

    def tcp(*ports):
        return {'IPProtocol': 'tcp', 'ports': list(ports)}

    def udp(*ports):
        return {'IPProtocol': 'udp', 'ports': list(ports)}

    def firewall(suffix, allowed, source_key, sources, targets):
        # Property key order mirrors the hand-written rules so rendered output
        # stays the same; source_key is either 'sourceRanges' or 'sourceTags'.
        return {
            'name': tag(suffix),
            'type': 'compute.v1.firewall',
            'properties': {
                'network': network,
                'allowed': allowed,
                source_key: sources,
                'targetTags': targets,
            },
        }

    def service_account(suffix, account_suffix, display_suffix):
        return {
            'name': tag(suffix),
            'type': 'iam.v1.serviceAccount',
            'properties': {
                'accountId': tag(account_suffix),
                'displayName': tag(display_suffix),
            },
        }

    resources = [
        # API endpoint (6443) on control-plane nodes. 0.0.0.0/0 admits every
        # source address; narrow this list when the API does not have to be
        # reachable from the public internet.
        firewall('-api', [tcp('6443')], 'sourceRanges', ['0.0.0.0/0'], [master_tag]),
        # Machine config server (22623): only the VPC itself and the two NAT
        # egress addresses may reach it.
        firewall(
            '-mcs',
            [tcp('22623')],
            'sourceRanges',
            [props['network_cidr'], props['master_nat_ip'], props['worker_nat_ip']],
            [master_tag],
        ),
        # Health-check probes against control-plane nodes. The fixed ranges are
        # presumably Google Cloud load-balancer probe sources -- verify against
        # current GCP documentation before changing them.
        firewall(
            '-health-checks',
            [tcp('6080', '22624')],
            'sourceRanges',
            ['35.191.0.0/16', '209.85.152.0/22', '209.85.204.0/22'],
            [master_tag],
        ),
        # etcd peer/client traffic stays master-to-master.
        firewall('-etcd', [tcp('2379-2380')], 'sourceTags', [master_tag], [master_tag]),
        # Control-plane component ports, reachable from any cluster node.
        firewall(
            '-control-plane',
            [tcp('10257'), tcp('10259')],
            'sourceTags',
            [master_tag, worker_tag],
            [master_tag],
        ),
        # ICMP and SSH (22) from inside the VPC to every node.
        firewall(
            '-internal-network',
            [{'IPProtocol': 'icmp'}, tcp('22')],
            'sourceRanges',
            [props['network_cidr']],
            [master_tag, worker_tag],
        ),
        # Node-to-node cluster traffic: overlay (4789/6081 udp), host service
        # ranges, kubelet (10250) and the NodePort range; no external sources.
        firewall(
            '-internal-cluster',
            [
                udp('4789', '6081'),
                tcp('9000-9999'),
                udp('9000-9999'),
                tcp('10250'),
                tcp('30000-32767'),
                udp('30000-32767'),
            ],
            'sourceTags',
            [master_tag, worker_tag],
            [master_tag, worker_tag],
        ),
        # Per-role node service accounts; roles are bound elsewhere.
        service_account('-master-node-sa', '-m', '-master-node'),
        service_account('-worker-node-sa', '-w', '-worker-node'),
    ]

    return {'resources': resources}
----