github.com/SUSE/skuba@v1.4.17/ci/infra/openstack/security-groups-common.tf (about)

# Security group shared by every CaaSP node in the stack. Every rule in this
# file attaches to it via `security_group_id`, and all of them are IPv4
# ingress rules only: nothing here adds egress rules or covers IPv6, so
# egress behaviour is whatever Neutron/the provider applies by default.
# NOTE(review): confirm whether the provider keeps Neutron's default
# allow-all egress rules for this group (the file does not say).
resource "openstack_networking_secgroup_v2" "common" {
  name        = "${var.stack_name}-caasp_common_secgroup"
  description = "Common security group for CaaSP nodes"
}

# Allow ping and cilium health checks as well
# NOTE(review): for ICMP, `port_range_min`/`port_range_max` carry the ICMP
# type and code. With both set to 0 the provider either treats them as unset
# (all ICMP types/codes, which is what echo-request/ping needs) or pins the
# rule to type 0 / code 0 (echo reply only, which would not let ping in) —
# confirm against the provider version in use. Either way the source is
# unrestricted (0.0.0.0/0), unlike the subnet-scoped rules further down.
resource "openstack_networking_secgroup_rule_v2" "icmp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "icmp"
  port_range_min    = 0
  port_range_max    = 0
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# SSH (TCP/22) is reachable from any IPv4 source (0.0.0.0/0), not just the
# cluster subnet used by the Kubernetes-internal rules below. Together with
# the NodePort rules this is the widest inbound exposure in the file; outside
# throwaway CI stacks, narrowing `remote_ip_prefix` to the operator network
# or a bastion host is the usual mitigation.
resource "openstack_networking_secgroup_rule_v2" "ssh" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# Cilium health-check endpoint (TCP/4240, per the resource name), accepted
# only from addresses inside the cluster subnet (`var.subnet_cidr`).
resource "openstack_networking_secgroup_rule_v2" "cilium_health_check" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 4240
  port_range_max    = 4240
  remote_ip_prefix  = var.subnet_cidr
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# Cilium VXLAN overlay traffic (UDP/8472, per the resource name), accepted
# only from the cluster subnet. The overlay is not encrypted by this rule;
# confidentiality on this port depends on the subnet being trusted.
resource "openstack_networking_secgroup_rule_v2" "cilium_vxlan" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "udp"
  port_range_min    = 8472
  port_range_max    = 8472
  remote_ip_prefix  = var.subnet_cidr
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# Kubelet API (TCP/10250) from the cluster subnet. The source is the whole
# `var.subnet_cidr`, so any node in the subnet — not only control-plane
# nodes — can reach every kubelet; the security group cannot distinguish
# roles here, so kubelet authn/authz is what actually gates this port.
resource "openstack_networking_secgroup_rule_v2" "api_server_to_kubelet_communication" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 10250
  port_range_max    = 10250
  remote_ip_prefix  = var.subnet_cidr
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# kube-proxy health endpoint (TCP/10256, per the resource name), accepted
# only from the cluster subnet.
resource "openstack_networking_secgroup_rule_v2" "kubeproxy_health_check" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 10256
  port_range_max    = 10256
  remote_ip_prefix  = var.subnet_cidr
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# Range of ports used by kubernetes when allocating services of type `NodePort`
# NOTE(review): the source is 0.0.0.0/0, so every TCP NodePort service on any
# node becomes reachable from any IPv4 address as soon as it is created —
# there is no per-service gate at this layer. Restricting `remote_ip_prefix`
# (or fronting services with a load balancer) is the usual mitigation when
# the stack is not a disposable CI environment. The UDP rule below mirrors
# this one.
resource "openstack_networking_secgroup_rule_v2" "kubernetes_services_tcp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 30000
  port_range_max    = 32767
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.common.id
}

# UDP counterpart of the NodePort rule above: the same 30000-32767 range,
# open to any IPv4 source (0.0.0.0/0). The same exposure caveat applies —
# any UDP NodePort service is world-reachable unless this prefix is narrowed.
resource "openstack_networking_secgroup_rule_v2" "kubernetes_services_udp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "udp"
  port_range_min    = 30000
  port_range_max    = 32767
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.common.id
}