From ecd074484f0cd29fe811cd42459bd1ad998c4f97 Mon Sep 17 00:00:00 2001
From: Feilong Wang
Date: Tue, 16 Apr 2019 19:23:35 +1200
Subject: [PATCH] [fedora atomic] Allow traffic between k8s workers
When using calico as network driver, the traffic between k8s worker nodes need to be allowed otherwise services maybe not accessible sometimes because connection can't be established. This issue only impacts calico.
Task: 30525
Story: 2005294
Change-Id: Ia71283a1abc75a7fb806f2601ac09a685dc5a4bc
---
 .../templates/kubecluster.yaml | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index a8fa1d568c..948ef1675f 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -665,22 +665,6 @@ resources:
       - protocol: tcp
         port_range_min: 30000
         port_range_max: 32767
-      # Worker node kubelet healthcheck port.
-      - protocol: tcp
-        port_range_min: 10250
-        port_range_max: 10250
-      # Calico BGP network, only required if the BGP backend is used.
-      - protocol: tcp
-        port_range_min: 179
-        port_range_max: 179
-      # flannel overlay network - udp backend.
-      - protocol: udp
-        port_range_min: 8285
-        port_range_max: 8285
-      # flannel overlay network - vxlan backend.
-      - protocol: udp
-        port_range_min: 8472
-        port_range_max: 8472
       # allow any traffic from master nodes
       - protocol: tcp
         port_range_min: 1
@@ -693,6 +677,24 @@ resources:
         remote_mode: 'remote_group_id'
         remote_group_id: {get_resource: secgroup_kube_master}
 
+  # allow any traffic between worker nodes
+  secgroup_rule_tcp_kube_minion:
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: tcp
+      port_range_min: 1
+      port_range_max: 65535
+      security_group: {get_resource: secgroup_kube_minion}
+      remote_group: {get_resource: secgroup_kube_minion}
+  secgroup_rule_udp_kube_minion:
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: udp
+      port_range_min: 1
+      port_range_max: 65535
+      security_group: {get_resource: secgroup_kube_minion}
+      remote_group: {get_resource: secgroup_kube_minion}
+
   ######################################################################
   #
   # resources that expose the IPs of either the kube master or a given
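Review bot: The two new OS::Neutron::SecurityGroupRule resources cover only TCP and UDP, so every other IP protocol between workers stays blocked; if the calico driver is configured with IP-in-IP encapsulation, that encapsulated traffic (IP protocol 4) is not matched by either rule and the connection failures the commit message describes could persist — worth confirming against the calico settings the template renders before merging. The rules also replace the per-port allowances removed in the previous hunk (kubelet 10250, BGP 179, flannel 8285/8472) with every TCP and UDP port, so any host service listening on a worker becomes reachable from every other worker; the comment should record that trade-off, e.g. `# allow any TCP/UDP traffic between worker nodes (replaces the per-port kubelet/calico/flannel rules; all host ports are reachable from other workers)`. ICMP between workers is likewise not allowed here; if path-MTU discovery or node reachability checks depend on it, a separate icmp rule with the same security_group/remote_group pair is needed.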