From 1f5dc1aa91f145b8554deda3fed7265d33b3cb22 Mon Sep 17 00:00:00 2001 From: Feilong Wang Date: Tue, 26 Mar 2019 15:49:27 +1300 Subject: [PATCH] [fedora-atomic-k8s] Allow all traffic from master to worker nodes In Rocky release, the k8s workers security group was wide opened but in Stein release it is more restrictive which prevent the access of Kubnertes dashboard(and other serivces) via the command: $ kubectl proxy This patch can fix it by allowing traffic from master security group to workers security group. Co-Authored: Feilong Wang Task: 30171 Story: 2005294 Change-Id: I546cd7324b87b267e945477c78539ea80534538f
---
 .../k8s_fedora_atomic_v1/templates/kubecluster.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 850cb94874..421e3da01f 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -676,6 +676,17 @@ resources:
 - protocol: udp
 port_range_min: 8472
 port_range_max: 8472
+ # allow any traffic from master nodes
+ - protocol: tcp
+ port_range_min: 1
+ port_range_max: 65535
+ remote_mode: 'remote_group_id'
+ remote_group_id: {get_resource: secgroup_kube_master}
+ - protocol: udp
+ port_range_min: 1
+ port_range_max: 65535
+ remote_mode: 'remote_group_id'
+ remote_group_id: {get_resource: secgroup_kube_master}
 ######################################################################
 #
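Review bot: The comment `# allow any traffic from master nodes` overstates what the two added rules do and gives no reason for their width: they admit TCP and UDP on ports 1-65535 from `secgroup_kube_master`, so ICMP and other protocols are not covered by them, and, if Heat's default ethertype applies here as it appears to, only IPv4 is. Because the source is a security group rather than an address range, anything attached to the master group can now reach every listening TCP/UDP port on the workers, such as SSH or the kubelet API, which is a sound trust decision only while that group holds nothing but master nodes. I would record that in the template, e.g. `# allow all TCP/UDP from the master security group: the API server proxy (kubectl proxy) reaches services on arbitrary worker ports`, and keep unrelated instances out of `secgroup_kube_master`. The rule list these entries extend starts above the hunk, so whether ICMP is already allowed there cannot be seen from here.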