Improve security for swarm
All traffic was allowed for the swarm manager. With this patch the following security group is created to restrict access. Security Group: secgroup_swarm_manager 1) Allow TCP 22, 2376 ports for everyone. 2) Allow all the ports to subnet created. 3) Allow UDP 53 port for everyone. Change-Id: Ie1aa4fffeb6317dc200a764319ac93e18d414a4b Depends-On: I9ad6e0577918e811e9dd051b56aa69bfe2c391a0 Closes-bug: #1501050
This commit is contained in:
parent
137b26a64c
commit
5b02a6090d
|
@ -281,7 +281,26 @@ resources:
|
|||
# sorts.
|
||||
#
|
||||
|
||||
secgroup_manager:
|
||||
secgroup_swarm_manager:
|
||||
type: "OS::Neutron::SecurityGroup"
|
||||
properties:
|
||||
rules:
|
||||
- protocol: icmp
|
||||
- protocol: tcp
|
||||
port_range_min: 22
|
||||
port_range_max: 22
|
||||
- protocol: tcp
|
||||
port_range_min: 2376
|
||||
port_range_max: 2376
|
||||
- protocol: tcp
|
||||
remote_ip_prefix: {get_param: fixed_network_cidr}
|
||||
port_range_min: 1
|
||||
port_range_max: 65535
|
||||
- protocol: udp
|
||||
port_range_min: 53
|
||||
port_range_max: 53
|
||||
|
||||
secgroup_swarm_node:
|
||||
type: "OS::Neutron::SecurityGroup"
|
||||
properties:
|
||||
rules:
|
||||
|
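Review bot: The `port_range_min: 2376` rule admits the Docker daemon API from any source (no `remote_ip_prefix` is given, so Neutron's default of any address applies), and nothing in the hunk ties it to the `tls_disabled` parameter this template passes to the nodes further down, so with TLS disabled that port is an unauthenticated endpoint granting control of the manager's Docker daemon. Consider giving that rule a `remote_ip_prefix: {get_param: manager_api_cidr}` backed by a new parameter defaulting to `0.0.0.0/0`, so deployments can tighten it, or at least document the exposure in the comment above the group. The intra-subnet rule covers only `protocol: tcp`; flannel, whose `flannel_network_cidr` this template wires in, carries its overlay over UDP, so if the manager takes part in that overlay the traffic will be dropped — add `- {protocol: udp, remote_ip_prefix: {get_param: fixed_network_cidr}, port_range_min: 1, port_range_max: 65535}` alongside it. The `udp` 53 rule is ingress (Heat's default direction) while host DNS lookups only need egress, which Neutron permits by default, so it is only needed if the manager itself serves DNS — a comment naming that service, or dropping the rule, would help. The body of `secgroup_swarm_node` continues outside the hunk.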
@ -409,7 +428,7 @@ resources:
|
|||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_swarm_master_id: {get_resource: secgroup_manager}
|
||||
secgroup_swarm_master_id: {get_resource: secgroup_swarm_manager}
|
||||
network_driver: {get_param: network_driver}
|
||||
flannel_network_cidr: {get_param: flannel_network_cidr}
|
||||
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
|
||||
|
@ -452,7 +471,7 @@ resources:
|
|||
cluster_uuid: {get_param: cluster_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_swarm_node_id: {get_resource: secgroup_manager}
|
||||
secgroup_swarm_node_id: {get_resource: secgroup_swarm_node}
|
||||
flannel_network_cidr: {get_param: flannel_network_cidr}
|
||||
network_driver: {get_param: network_driver}
|
||||
etcd_server_ip: {get_attr: [etcd_address_switch, private_ip]}
|
||||
|
|