# upi/aws/cloudformation/03_cluster_security.yaml
#
# Security groups for the control-plane ("master") and compute ("worker")
# nodes, plus the IAM roles and instance profiles those nodes run under.
#
# Node-to-node rules are keyed by security-group id rather than by CIDR, so
# they follow the instances wherever they are placed; only the inline rules on
# the two SecurityGroup resources themselves are CIDR based (VpcCidr).
AWSTemplateFormatVersion: 2010-09-09
Description: Template for OpenShift Cluster Security Elements (Security Groups & IAM)

Parameters:
  InfrastructureName:
    # Also becomes part of the IAM policy names below.
    AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
    MaxLength: 27
    MinLength: 1
    ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
    Description: A short, unique cluster ID used to tag cloud resources and identify items owned or used by the cluster.
    Type: String
  VpcCidr:
    # Source range for every CIDR-based ingress rule in this template.
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-4]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24.
    Default: 10.0.0.0/16
    Description: CIDR block for VPC.
    Type: String
  VpcId:
    Description: The VPC-scoped resources will belong to this VPC.
    Type: AWS::EC2::VPC::Id
  PrivateSubnets:
    # Declared and shown in the console parameter group, but not referenced by
    # any resource in this template.
    Description: The internal subnets.
    Type: List<AWS::EC2::Subnet::Id>

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Cluster Information"
        Parameters:
          - InfrastructureName
      - Label:
          default: "Network Configuration"
        Parameters:
          - VpcId
          - VpcCidr
          - PrivateSubnets
    ParameterLabels:
      InfrastructureName:
        default: "Infrastructure Name"
      VpcId:
        default: "VPC ID"
      VpcCidr:
        default: "VPC CIDR"
      PrivateSubnets:
        default: "Private Subnets"

Resources:
  # ---------------------------------------------------------------------------
  # Security groups. The inline rules admit traffic from every address in
  # VpcCidr, not only from cluster nodes; in a VPC shared with other workloads
  # this is the part of the template worth narrowing.
  # NOTE(review): for icmp, FromPort/ToPort carry the ICMP type/code, so 0/0
  # matches only type 0 code 0 (echo reply) - confirm that is the intent.
  # ---------------------------------------------------------------------------
  MasterSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster Master Security Group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: icmp
          FromPort: 0
          ToPort: 0
          CidrIp: !Ref VpcCidr
        # SSH
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref VpcCidr
        # Kubernetes API server
        - IpProtocol: tcp
          FromPort: 6443
          ToPort: 6443
          CidrIp: !Ref VpcCidr
        # Machine config server (ignition for new nodes)
        - IpProtocol: tcp
          FromPort: 22623
          ToPort: 22623
          CidrIp: !Ref VpcCidr

  WorkerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster Worker Security Group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: icmp
          FromPort: 0
          ToPort: 0
          CidrIp: !Ref VpcCidr
        # SSH
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref VpcCidr

  # ---------------------------------------------------------------------------
  # Master <- master / master <- worker rules.
  # Rules named Master*Worker* take the worker group as source; the rest are
  # master-to-master.
  # ---------------------------------------------------------------------------
  MasterIngressEtcd:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 2379
      ToPort: 2380
      Description: etcd
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  # Overlay networking (VXLAN 4789/udp, Geneve 6081/udp).
  MasterIngressVxlan:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4789
      ToPort: 4789
      Description: Vxlan packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerVxlan:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4789
      ToPort: 4789
      Description: Vxlan packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterIngressGeneve:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 6081
      ToPort: 6081
      Description: Geneve packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerGeneve:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 6081
      ToPort: 6081
      Description: Geneve packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # IPsec between nodes: IKE 500/udp, NAT-T 4500/udp, and ESP (IP protocol 50).
  # For a protocol number other than tcp/udp/icmp no ports are given, so the
  # ESP rules match all ESP traffic from the source group.
  MasterIngressIpsecIke:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 500
      ToPort: 500
      Description: IPsec IKE packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressIpsecNat:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4500
      ToPort: 4500
      Description: IPsec NAT-T packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressIpsecEsp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: 50
      Description: IPsec ESP packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerIpsecIke:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 500
      ToPort: 500
      Description: IPsec IKE packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterIngressWorkerIpsecNat:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4500
      ToPort: 4500
      Description: IPsec NAT-T packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterIngressWorkerIpsecEsp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: 50
      Description: IPsec ESP packets
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # Host-level services, 9000-9999 tcp/udp.
  MasterIngressInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterIngressInternalUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerInternalUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # Kubernetes control-plane components, 10250-10259 tcp.
  MasterIngressKube:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 10250
      ToPort: 10259
      Description: Kubernetes kubelet, scheduler and controller manager
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerKube:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 10250
      ToPort: 10259
      Description: Kubernetes kubelet, scheduler and controller manager
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # NodePort service range, 30000-32767 tcp/udp.
  MasterIngressIngressServices:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerIngressServices:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterIngressIngressServicesUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  MasterIngressWorkerIngressServicesUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [MasterSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # ---------------------------------------------------------------------------
  # Worker <- worker / worker <- master rules. Mirror of the block above with
  # the roles swapped; rules named Worker*Master* take the master group as
  # source.
  # ---------------------------------------------------------------------------
  WorkerIngressVxlan:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4789
      ToPort: 4789
      Description: Vxlan packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterVxlan:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4789
      ToPort: 4789
      Description: Vxlan packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressGeneve:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 6081
      ToPort: 6081
      Description: Geneve packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterGeneve:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 6081
      ToPort: 6081
      Description: Geneve packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressIpsecIke:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 500
      ToPort: 500
      Description: IPsec IKE packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressIpsecNat:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4500
      ToPort: 4500
      Description: IPsec NAT-T packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressIpsecEsp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: 50
      Description: IPsec ESP packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterIpsecIke:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 500
      ToPort: 500
      Description: IPsec IKE packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressMasterIpsecNat:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 4500
      ToPort: 4500
      Description: IPsec NAT-T packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressMasterIpsecEsp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: 50
      Description: IPsec ESP packets
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterInternal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressInternalUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterInternalUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 9000
      ToPort: 9999
      Description: Internal cluster communication
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  # Workers expose only the kubelet port (10250), not the wider 10250-10259
  # range the masters open among themselves.
  WorkerIngressKube:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 10250
      ToPort: 10250
      Description: Kubernetes secure kubelet port
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  # Source is the master group despite the logical ID (by the naming pattern
  # above this would be WorkerIngressMasterKube). The ID is kept as is because
  # renaming a logical resource replaces it on stack update.
  WorkerIngressWorkerKube:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 10250
      ToPort: 10250
      Description: Internal Kubernetes communication
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressIngressServices:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterIngressServices:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerIngressIngressServicesUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [WorkerSecurityGroup, GroupId]

  WorkerIngressMasterIngressServicesUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 30000
      ToPort: 32767
      Description: Kubernetes ingress services
      GroupId: !GetAtt [WorkerSecurityGroup, GroupId]
      SourceSecurityGroupId: !GetAtt [MasterSecurityGroup, GroupId]

  # ---------------------------------------------------------------------------
  # IAM. Both roles can only be assumed by the EC2 service (instance profile
  # credentials); nothing else is trusted.
  # ---------------------------------------------------------------------------

  # Control-plane node role. Every listed action is granted on Resource "*",
  # i.e. on any EC2/ELB resource in the account, and the two Describe* entries
  # are wildcards. NOTE(review): if the account hosts more than this cluster,
  # consider scoping the mutating actions to this cluster's resources.
  MasterIamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${InfrastructureName}-master-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  # Volumes, security groups and tags
                  - "ec2:AttachVolume"
                  - "ec2:AuthorizeSecurityGroupIngress"
                  - "ec2:CreateSecurityGroup"
                  - "ec2:CreateTags"
                  - "ec2:CreateVolume"
                  - "ec2:DeleteSecurityGroup"
                  - "ec2:DeleteVolume"
                  - "ec2:Describe*"
                  - "ec2:DetachVolume"
                  - "ec2:ModifyInstanceAttribute"
                  - "ec2:ModifyVolume"
                  - "ec2:RevokeSecurityGroupIngress"
                  # Load balancers (classic and v2) managed by the cluster
                  - "elasticloadbalancing:AddTags"
                  - "elasticloadbalancing:AttachLoadBalancerToSubnets"
                  - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
                  - "elasticloadbalancing:CreateListener"
                  - "elasticloadbalancing:CreateLoadBalancer"
                  - "elasticloadbalancing:CreateLoadBalancerPolicy"
                  - "elasticloadbalancing:CreateLoadBalancerListeners"
                  - "elasticloadbalancing:CreateTargetGroup"
                  - "elasticloadbalancing:ConfigureHealthCheck"
                  - "elasticloadbalancing:DeleteListener"
                  - "elasticloadbalancing:DeleteLoadBalancer"
                  - "elasticloadbalancing:DeleteLoadBalancerListeners"
                  - "elasticloadbalancing:DeleteTargetGroup"
                  - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                  - "elasticloadbalancing:DeregisterTargets"
                  - "elasticloadbalancing:Describe*"
                  - "elasticloadbalancing:DetachLoadBalancerFromSubnets"
                  - "elasticloadbalancing:ModifyListener"
                  - "elasticloadbalancing:ModifyLoadBalancerAttributes"
                  - "elasticloadbalancing:ModifyTargetGroup"
                  - "elasticloadbalancing:ModifyTargetGroupAttributes"
                  - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                  - "elasticloadbalancing:RegisterTargets"
                  - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
                  - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
                  # KMS key lookup (encrypted volumes)
                  - "kms:DescribeKey"

  MasterInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MasterIamRole

  # Compute node role: read-only, two Describe calls and nothing else.
  WorkerIamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${InfrastructureName}-worker-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeRegions"

  WorkerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WorkerIamRole

# Consumed by the later node templates in this UPI sequence.
Outputs:
  MasterSecurityGroupId:
    Description: Master Security Group ID
    Value: !GetAtt [MasterSecurityGroup, GroupId]

  WorkerSecurityGroupId:
    Description: Worker Security Group ID
    Value: !GetAtt [WorkerSecurityGroup, GroupId]

  MasterInstanceProfile:
    Description: Master IAM Instance Profile
    Value: !Ref MasterInstanceProfile

  WorkerInstanceProfile:
    Description: Worker IAM Instance Profile
    Value: !Ref WorkerInstanceProfile