From 5b02a6090d88c0bfb3dcbdf0a6aa78949d2f873d Mon Sep 17 00:00:00 2001
From: Rajiv Kumar
Date: Mon, 8 Aug 2016 16:44:07 +0530
Subject: [PATCH] Improve security for swarm

All traffic was allowed for swarm manager. With this patch following secgroup is created for restricted access. Security Group: secgroup_swarm_manager 1) Allow TCP 22, 2376 ports for everyone. 2) Allow all the ports to subnet created. 3) Allow UDP 53 port for everyone.

Change-Id: Ie1aa4fffeb6317dc200a764319ac93e18d414a4b
Depends-On: I9ad6e0577918e811e9dd051b56aa69bfe2c391a0
Closes-bug: #1501050
---
 .../templates/cluster.yaml | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
index 871fd0b500..4398b65145 100644
--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
+++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/cluster.yaml
@@ -281,7 +281,26 @@ resources:
   # sorts.
   #
-  secgroup_manager:
+  secgroup_swarm_manager:
+    type: "OS::Neutron::SecurityGroup"
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+          port_range_min: 22
+          port_range_max: 22
+        - protocol: tcp
+          port_range_min: 2376
+          port_range_max: 2376
+        - protocol: tcp
+          remote_ip_prefix: {get_param: fixed_network_cidr}
+          port_range_min: 1
+          port_range_max: 65535
+        - protocol: udp
+          port_range_min: 53
+          port_range_max: 53
+
+  secgroup_swarm_node:
     type: "OS::Neutron::SecurityGroup"
     properties:
       rules:
@@ -409,7 +428,7 @@ resources:
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}
           tls_disabled: {get_param: tls_disabled}
-          secgroup_swarm_master_id: {get_resource: secgroup_manager}
+          secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
           network_driver: {get_param: network_driver}
           flannel_network_cidr: {get_param: flannel_network_cidr}
           flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
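Review bot: The rule meant to "allow all the ports to subnet created" (the fourth entry under `rules:` in `secgroup_swarm_manager`) is limited to `protocol: tcp`, so UDP traffic from `fixed_network_cidr` to the managers is still dropped and the only UDP ingress left is the world-open port 53; if flannel's udp or vxlan backend, or any other UDP service, must reach the managers from the subnet, a second subnet-scoped rule with `protocol: udp` is needed, as sketched below. Separately, the `icmp`, 22, 2376 and 53 rules carry no `remote_ip_prefix`, which Neutron treats as any source; 2376 in particular exposes the Docker/Swarm API to the whole world, so its safety rests entirely on TLS being enabled, and a comment such as `# 2376 is reachable from anywhere; only TLS (see tls_disabled) protects the API` should record that dependency next to the rule. If nothing on the manager actually answers DNS, the UDP 53 ingress rule can be dropped. The hunk header announces 26 new-side lines but only 25 are visible, so one trailing context line appears to have been lost in the paste.
```yaml
      rules:
        # … unchanged: icmp, tcp 22, tcp 2376, tcp subnet-wide and udp 53 rules …
        - protocol: udp
          remote_ip_prefix: {get_param: fixed_network_cidr}
          port_range_min: 1
          port_range_max: 65535
```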
@@ -452,7 +471,7 @@ resources:
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}
           tls_disabled: {get_param: tls_disabled}
-          secgroup_swarm_node_id: {get_resource: secgroup_manager}
+          secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
           flannel_network_cidr: {get_param: flannel_network_cidr}
           network_driver: {get_param: network_driver}
           etcd_server_ip: {get_attr: [etcd_address_switch, private_ip]}