Rocky only - allow SSH from any source
With change I89cff59947dda3f51482486c41a3d67c4aa36a3e SSH was limited to the ctlplane_subnet only. This changes the previous behaviour that allowed SSH from any source.

The use of hiera introduced a regression where overcloud nodes on remote subnet in a DCN (or spine-and-leaf) set up are not available via SSH from the undercloud or from overcloud nodes in other sites/leafs.

Introducing the tripleo::firewall::firewall_rules to allow operators to define more granular ssh firewall rules does make sense, but changing the default will also break users doing monitoring or management/maintenance operations via SSH.

Change-Id: I8c8ca93744934746d588c7228caa2950a53b23ce
Closes-Bug: #1834161
parent b09dec03b9
commit d8ef4512b8
@ -48,8 +48,7 @@ outputs:
|
|||
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
||||
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||
tripleo::tripleo_firewall::firewall_rules:
|
||||
'003 accept ssh from controlplane':
|
||||
source: "%{hiera('ctlplane_subnet')}"
|
||||
'003 accept ssh from any':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
|
||||
|
|
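Review bot: The rule '003 accept ssh from any' carries only `proto: 'tcp'` and `dport: 22`, so with the `source` key gone it accepts SSH on every network the node is attached to, not only the remote control-plane subnets the commit message is concerned with. Since this is the default for all deployments, please add a comment above the rule saying the missing `source` is intentional, and a release note telling operators who want the restriction to set their own rule with a `source` value. Also check the key name: the commit message refers to tripleo::firewall::firewall_rules while this hunk sets tripleo::tripleo_firewall::firewall_rules, and operators following the message need to know which one to override.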