Move security group setting to kubecluster.yaml
Currently security group is created for each kube masters and kube minions. It's very redundant. This patch moves security group setting to kubecluster.yaml to share. Change-Id: Idb6cdb5c5c6015b29331238f7fbbcd92e1a70d83 Closes-Bug: #1499184
This commit is contained in:
parent
115a8a3405
commit
6742074286
|
@ -266,6 +266,46 @@ resources:
|
|||
router_id: {get_resource: extrouter}
|
||||
subnet: {get_resource: fixed_subnet}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# security groups. we need to permit network traffic of various
|
||||
# sorts.
|
||||
#
|
||||
|
||||
secgroup_base:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: icmp
|
||||
- protocol: tcp
|
||||
port_range_min: 22
|
||||
port_range_max: 22
|
||||
|
||||
secgroup_kube_master:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: tcp
|
||||
port_range_min: 7080
|
||||
port_range_max: 7080
|
||||
- protocol: tcp
|
||||
port_range_min: 8080
|
||||
port_range_max: 8080
|
||||
- protocol: tcp
|
||||
port_range_min: 2379
|
||||
port_range_max: 2379
|
||||
- protocol: tcp
|
||||
port_range_min: 2380
|
||||
port_range_max: 2380
|
||||
|
||||
secgroup_kube_minion:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: icmp
|
||||
- protocol: tcp
|
||||
- protocol: udp
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# load balancers.
|
||||
|
@ -357,6 +397,8 @@ resources:
|
|||
tenant_name: {get_param: tenant_name}
|
||||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_base_id: {get_resource: secgroup_base}
|
||||
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -403,6 +445,7 @@ resources:
|
|||
magnum_url: {get_param: magnum_url}
|
||||
kubernetes_port: {get_param: kubernetes_port}
|
||||
tls_disabled: {get_param: tls_disabled}
|
||||
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
|
||||
|
||||
outputs:
|
||||
|
||||
|
|
|
@ -107,6 +107,12 @@ parameters:
|
|||
type: number
|
||||
description : >
|
||||
timeout for the Wait Conditions
|
||||
secgroup_base_id:
|
||||
type: string
|
||||
description: ID of the security group for base.
|
||||
secgroup_kube_master_id:
|
||||
type: string
|
||||
description: ID of the security group for kubernetes master.
|
||||
api_pool_id:
|
||||
type: string
|
||||
description: ID of the load balancer pool of k8s API server.
|
||||
|
@ -142,38 +148,6 @@ resources:
|
|||
handle: {get_resource: master_wait_handle}
|
||||
timeout: {get_param: wait_condition_timeout}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# security groups. we need to permit network traffic of various
|
||||
# sorts.
|
||||
#
|
||||
|
||||
secgroup_base:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: icmp
|
||||
- protocol: tcp
|
||||
port_range_min: 22
|
||||
port_range_max: 22
|
||||
|
||||
secgroup_kubernetes:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: tcp
|
||||
port_range_min: 7080
|
||||
port_range_max: 7080
|
||||
- protocol: tcp
|
||||
port_range_min: {get_param: kubernetes_port}
|
||||
port_range_max: {get_param: kubernetes_port}
|
||||
- protocol: tcp
|
||||
port_range_min: 2379
|
||||
port_range_max: 2379
|
||||
- protocol: tcp
|
||||
port_range_min: 2380
|
||||
port_range_max: 2380
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# software configs. these are components that are combined into
|
||||
|
@ -318,8 +292,8 @@ resources:
|
|||
properties:
|
||||
network: {get_param: fixed_network}
|
||||
security_groups:
|
||||
- {get_resource: secgroup_base}
|
||||
- {get_resource: secgroup_kubernetes}
|
||||
- {get_param: secgroup_base_id}
|
||||
- {get_param: secgroup_kube_master_id}
|
||||
fixed_ips:
|
||||
- subnet: {get_param: fixed_subnet}
|
||||
replacement_policy: AUTO
|
||||
|
|
|
@ -145,6 +145,10 @@ parameters:
|
|||
size fo the data segments for the swift dynamic large objects
|
||||
default: 5242880
|
||||
|
||||
secgroup_kube_minion_id:
|
||||
type: string
|
||||
description: ID of the security group for kubernetes minion.
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -157,14 +161,6 @@ resources:
|
|||
handle: {get_resource: minion_wait_handle}
|
||||
timeout: {get_param: wait_condition_timeout}
|
||||
|
||||
secgroup_all_open:
|
||||
type: OS::Neutron::SecurityGroup
|
||||
properties:
|
||||
rules:
|
||||
- protocol: icmp
|
||||
- protocol: tcp
|
||||
- protocol: udp
|
||||
|
||||
######################################################################
|
||||
#
|
||||
# software configs. these are components that are combined into
|
||||
|
@ -329,7 +325,7 @@ resources:
|
|||
properties:
|
||||
network: {get_param: fixed_network}
|
||||
security_groups:
|
||||
- get_resource: secgroup_all_open
|
||||
- get_param: secgroup_kube_minion_id
|
||||
fixed_ips:
|
||||
- subnet: {get_param: fixed_subnet}
|
||||
replacement_policy: AUTO
|
||||
|
|
Loading…
Reference in New Issue