Reduce security groups # for k8s coreos cluster

This patch allows two security groups to be created for k8s coreos cluster(one for master and one for minion) Change-Id: Id12cba8fbe060ced017ea0c402aab77325f71b09 Closes-bug: 1642752
2016-11-17 22:05:51 -08:00 · 2016-11-17 22:05:51 -08:00 · 8d6bf7c621
parent 60b7724609
commit 8d6bf7c621
3 changed files with 50 additions and 52 deletions
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@ -234,6 +234,44 @@ resources:
      router_id: {get_resource: extrouter}
      subnet: {get_resource: fixed_subnet}

+ ######################################################################
+  #
+  # security groups.  we need to permit network traffic of various
+  # sorts.
+  #
+
+  secgroup_master:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+          port_range_min: 22
+          port_range_max: 22
+        - protocol: tcp
+          port_range_min: 7080
+          port_range_max: 7080
+        - protocol: tcp
+          port_range_min: 8080
+          port_range_max: 8080
+        - protocol: tcp
+          port_range_min: 2379
+          port_range_max: 2379
+        - protocol: tcp
+          port_range_min: 2380
+          port_range_max: 2380
+        - protocol: tcp
+          port_range_min: 6443
+          port_range_max: 6443
+
+  secgroup_minion_all_open:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      rules:
+        - protocol: icmp
+        - protocol: tcp
+        - protocol: udp
+
  ######################################################################
  #
  # load balancers.
@ -366,6 +404,7 @@ resources:
          network_driver: {get_param: network_driver}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          secgroup_kube_master_id: {get_resource: secgroup_master}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
          no_proxy: {get_param: no_proxy}
@ -409,6 +448,7 @@ resources:
          network_driver: {get_param: network_driver}
          kubernetes_port: {get_param: kubernetes_port}
          tls_disabled: {get_param: tls_disabled}
+          secgroup_kube_minion_id: {get_resource: secgroup_minion_all_open}
          http_proxy: {get_param: http_proxy}
          https_proxy: {get_param: https_proxy}
          no_proxy: {get_param: no_proxy}
--- a/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
@ -76,6 +76,10 @@ parameters:
    description : >
      timeout for the Wait Conditions

+  secgroup_kube_master_id:
+    type: string
+    description: ID of the security group for kubernetes master.
+
  network_driver:
    type: string
    description: network driver to use for instantiating container networks
@ -172,41 +176,6 @@ resources:
      master_public_ip: {get_attr: [kube_master_floating, floating_ip_address]}
      master_private_ip: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}

-  ######################################################################
-  #
-  # security groups.  we need to permit network traffic of various
-  # sorts.
-  #
-
-  secgroup_base:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: icmp
-        - protocol: tcp
-          port_range_min: 22
-          port_range_max: 22
-
-  secgroup_kubernetes:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: tcp
-          port_range_min: 7080
-          port_range_max: 7080
-        - protocol: tcp
-          port_range_min: 8080
-          port_range_max: 8080
-        - protocol: tcp
-          port_range_min: 2379
-          port_range_max: 2379
-        - protocol: tcp
-          port_range_min: 2380
-          port_range_max: 2380
-        - protocol: tcp
-          port_range_min: 6443
-          port_range_max: 6443
-
  ######################################################################
  #
  # software configs.  these are components that are combined into
@ -411,8 +380,7 @@ resources:
    properties:
      network: {get_param: fixed_network}
      security_groups:
-        - {get_resource: secgroup_base}
-        - {get_resource: secgroup_kubernetes}
+        - {get_param: secgroup_kube_master_id}
      fixed_ips:
        - subnet: {get_param: fixed_subnet}
      allowed_address_pairs:
--- a/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
@ -82,6 +82,10 @@ parameters:
    description: >
      timeout for the Wait Conditions

+  secgroup_kube_minion_id:
+    type: string
+    description: ID of the security group for kubernetes minion.
+
  http_proxy:
    type: string
    description: http proxy address for docker
@ -127,20 +131,6 @@ resources:
      handle: {get_resource: minion_wait_handle}
      timeout: {get_param: wait_condition_timeout}

-  ######################################################################
-  #
-  # security groups.  we need to permit network traffic of various
-  # sorts.
-  #
-
-  secgroup_all_open:
-    type: OS::Neutron::SecurityGroup
-    properties:
-      rules:
-        - protocol: icmp
-        - protocol: tcp
-        - protocol: udp
-
  ######################################################################
  #
  # software configs.  these are components that are combined into
@ -279,7 +269,7 @@ resources:
    properties:
      network: {get_param: fixed_network}
      security_groups:
-        - get_resource: secgroup_all_open
+        - {get_param: secgroup_kube_minion_id}
      fixed_ips:
        - subnet: {get_param: fixed_subnet}
      allowed_address_pairs: