[k8s-fedora-atomic] Security group definition for worker nodes

Defines more strict security group rules for kubernetes worker nodes. The
ports that are open by default: default port range(30000-32767) for
external service ports; kubelet healthcheck port; Calico BGP network ports;
flannel overlay network ports. The cluster admin should manually config the
security group on the nodes where Traefik is allowed.

Story: #2005082
Task: #29661
Change-Id: Idbc67cb95133d3a4029105e6d4dc92519c816288

doc/source/user/index.rst

@@ -1257,6 +1257,19 @@ Magnum allows selecting one of multiple controller options via the
 'ingress_controller' label. Check the Kubernetes documentation to define
 your own Ingress resources.
 
+Traefik:
+Traefik's pods by default expose port 80 and 443 for http(s) traffic
+on the nodes they are running. In kubernetes cluster, these ports are
+closed by default. Cluster administrator needs to add a rule in the
+worker nodes security group. For example::
+
+    openstack security group rule create <SECURITY_GROUP> \
+      --protocol tcp \
+      --dst-port 80:80
+    openstack security group rule create <SECURITY_GROUP> \
+      --protocol tcp \
+      --dst-port 443:443
+
 _`ingress_controller`
   This label sets the Ingress Controller to be used. Currently 'traefik' and
   'octavia' are supported. The default is '', meaning no Ingress Controller

magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@@ -638,8 +638,30 @@ resources:
     properties:
       rules:
         - protocol: icmp
+        # Default port range for external service ports.
+        # In future, if the option `manage-security-groups` for ccm works
+        # well, we could remove this rule here.
+        # The PR in ccm is
+        # https://github.com/kubernetes/cloud-provider-openstack/pull/491
         - protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+        # Worker node kubelet healthcheck port.
+        - protocol: tcp
+          port_range_min: 10250
+          port_range_max: 10250
+        # Calico BGP network, only required if the BGP backend is used.
+        - protocol: tcp
+          port_range_min: 179
+          port_range_max: 179
+        # flannel overlay network - udp backend.
         - protocol: udp
+          port_range_min: 8285
+          port_range_max: 8285
+        # flannel overlay network - vxlan backend.
+        - protocol: udp
+          port_range_min: 8472
+          port_range_max: 8472
 
   ######################################################################
   #

releasenotes/notes/k8s-nodes-security-group-9d8dbb91b006d9dd.yaml

@@ -0,0 +1,12 @@
+security:
+  - |
+    Defines more strict security group rules for kubernetes worker nodes. The
+    ports that are open by default: default port range(30000-32767) for
+    external service ports; kubelet healthcheck port; Calico BGP network ports;
+    flannel overlay network ports. The cluster admin should manually config the
+    security group on the nodes where Traefik is allowed. To allow traffic to
+    the default ports (80, 443) that the traefik ingress controller exposes
+    users will need to create additional rules or expose traefik with a
+    kubernetes service with type: LoadBalaner. Finally, the ssh port in worker
+    nodes is closed as well. If ssh access is required, users will need to
+    create a rule for port 22 as well.