Merge "Move security group setting to kubecluster.yaml"

Jenkins 2015-10-13 02:28:29 +00:00 committed by Gerrit Code Review
commit 86365ac8b8
3 changed files with 56 additions and 43 deletions


@ -266,6 +266,46 @@ resources:
router_id: {get_resource: extrouter}
subnet: {get_resource: fixed_subnet}
######################################################################
#
# security groups. we need to permit network traffic of various
# sorts.
#
secgroup_base:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
port_range_min: 22
port_range_max: 22
secgroup_kube_master:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: tcp
port_range_min: 7080
port_range_max: 7080
- protocol: tcp
port_range_min: 8080
port_range_max: 8080
- protocol: tcp
port_range_min: 2379
port_range_max: 2379
- protocol: tcp
port_range_min: 2380
port_range_max: 2380
secgroup_kube_minion:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
- protocol: udp
######################################################################
#
# load balancers.
@ -357,6 +397,8 @@ resources:
tenant_name: {get_param: tenant_name}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
secgroup_base_id: {get_resource: secgroup_base}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
######################################################################
#
@ -403,6 +445,7 @@ resources:
magnum_url: {get_param: magnum_url}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
outputs:
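Review bot: The API-server rule in the new `secgroup_kube_master` hard-codes 8080, whereas the rule it replaces in the master template used `{get_param: kubernetes_port}`; judging by the hunk counts, the 8080 lines are on the added side. This template already has `kubernetes_port` in scope (it is passed to the nested stack a few lines further down), so a non-default port would leave the real API port closed while 8080 stays open. I would keep `port_range_min: {get_param: kubernetes_port}` and `port_range_max: {get_param: kubernetes_port}`. Separately, none of the rules set `remote_ip_prefix` or `remote_group_id`, so etcd (2379/2380) and the API port appear to accept traffic from any source; restricting them to the cluster subnet or to the cluster's own groups would be worth a follow-up.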


@ -107,6 +107,12 @@ parameters:
type: number
description : >
timeout for the Wait Conditions
secgroup_base_id:
type: string
description: ID of the security group for base.
secgroup_kube_master_id:
type: string
description: ID of the security group for kubernetes master.
api_pool_id:
type: string
description: ID of the load balancer pool of k8s API server.
@ -142,38 +148,6 @@ resources:
handle: {get_resource: master_wait_handle}
timeout: {get_param: wait_condition_timeout}
######################################################################
#
# security groups. we need to permit network traffic of various
# sorts.
#
secgroup_base:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
port_range_min: 22
port_range_max: 22
secgroup_kubernetes:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: tcp
port_range_min: 7080
port_range_max: 7080
- protocol: tcp
port_range_min: {get_param: kubernetes_port}
port_range_max: {get_param: kubernetes_port}
- protocol: tcp
port_range_min: 2379
port_range_max: 2379
- protocol: tcp
port_range_min: 2380
port_range_max: 2380
######################################################################
#
# software configs. these are components that are combined into
@ -318,8 +292,8 @@ resources:
properties:
network: {get_param: fixed_network}
security_groups:
- {get_resource: secgroup_base}
- {get_resource: secgroup_kubernetes}
- {get_param: secgroup_base_id}
- {get_param: secgroup_kube_master_id}
fixed_ips:
- subnet: {get_param: fixed_subnet}
replacement_policy: AUTO


@ -145,6 +145,10 @@ parameters:
size fo the data segments for the swift dynamic large objects
default: 5242880
secgroup_kube_minion_id:
type: string
description: ID of the security group for kubernetes minion.
resources:
minion_wait_handle:
@ -157,14 +161,6 @@ resources:
handle: {get_resource: minion_wait_handle}
timeout: {get_param: wait_condition_timeout}
secgroup_all_open:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
- protocol: udp
######################################################################
#
# software configs. these are components that are combined into
@ -329,7 +325,7 @@ resources:
properties:
network: {get_param: fixed_network}
security_groups:
- get_resource: secgroup_all_open
- get_param: secgroup_kube_minion_id
fixed_ips:
- subnet: {get_param: fixed_subnet}
replacement_policy: AUTO
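Review bot: The description of the new `secgroup_kube_minion_id` parameter does not say that the group it names admits all ICMP, TCP and UDP traffic, which the removed resource name `secgroup_all_open` made obvious right at the port definition. Since the rules now live in the parent template, a reader of this file can no longer see how permissive the minion port is. I would state it in the parameter, e.g. `description: ID of the minion security group (currently permits all ICMP, TCP and UDP).`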