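---
# Required Python packages:
#
# ansible
# openstackclient
# openstacksdk
#
# Creates the master and worker Neutron security groups for a UPI OpenShift
# cluster and populates them with the node-to-node and external rules the
# cluster needs.
#
# Security notes for reviewers/operators:
#   * Every rule below is an ingress rule (the module default); egress is left
#     at the Neutron default for the project.
#   * Rules that carry `remote_ip_prefix: "{{ os_subnet_range }}"` (or
#     `os_subnet6_range` for IPv6) are only reachable from inside the cluster
#     subnet. Rules WITHOUT a `remote_ip_prefix` default to 0.0.0.0/0 (::/0 for
#     IPv6), i.e. they are reachable from any source that can route to the
#     node: ICMP, the OpenShift API (6443) and the ingress ports (80/443).
#     Those are the endpoints that are expected to be exposed via floating IPs;
#     tighten the ICMP rules to `os_subnet_range` if world-reachable ping is not
#     wanted.
#   * The machine config server (22623) serves Ignition configs, which embed
#     cluster secrets; it is deliberately restricted to the cluster subnet and
#     must never be opened to 0.0.0.0/0.
#   * NOTE(review): the IPv6 "router" rule used the IPv4 `os_subnet_range` with
#     `ethertype: IPv6`; Neutron rejects an IPv4 CIDR on an IPv6 rule, so it now
#     uses `os_subnet6_range` like the other IPv6 rules in the block.

- ansible.builtin.import_playbook: common.yaml

- hosts: all
  gather_facts: false

  tasks:
    - name: 'Create the master security group'
      openstack.cloud.security_group:
        name: "{{ os_sg_master }}"

    # `argv` form: each value is passed as a single argument, so a tag or group
    # name containing whitespace cannot be split into extra CLI arguments.
    # This task always reports "changed" (the CLI does not report state).
    - name: 'Set master security group tag'
      ansible.builtin.command:
        argv:
          - openstack
          - security
          - group
          - set
          - --tag
          - "{{ cluster_id_tag }}"
          - "{{ os_sg_master }}"

    - name: 'Create the worker security group'
      openstack.cloud.security_group:
        name: "{{ os_sg_worker }}"

    - name: 'Set worker security group tag'
      ansible.builtin.command:
        argv:
          - openstack
          - security
          - group
          - set
          - --tag
          - "{{ cluster_id_tag }}"
          - "{{ os_sg_worker }}"

    # ---- master security group -------------------------------------------

    # No remote_ip_prefix: ICMP is accepted from any source.
    - name: 'Create master-sg rule "ICMP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: icmp

    # Ignition/machine-config server: cluster subnet only (serves secrets).
    - name: 'Create master-sg rule "machine config server"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 22623
        port_range_max: 22623

    # SSH is only reachable from inside the cluster subnet (e.g. a bastion).
    - name: 'Create master-sg rule "SSH"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 22
        port_range_max: 22

    - name: 'Create master-sg rule "DNS (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        remote_ip_prefix: "{{ os_subnet_range }}"
        protocol: tcp
        port_range_min: 53
        port_range_max: 53

    - name: 'Create master-sg rule "DNS (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        remote_ip_prefix: "{{ os_subnet_range }}"
        protocol: udp
        port_range_min: 53
        port_range_max: 53

    # No remote_ip_prefix: the API endpoint is reachable from any source
    # (it is the address published via the API floating IP / VIP).
    - name: 'Create master-sg rule "OpenShift API"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        port_range_min: 6443
        port_range_max: 6443

    # Overlay / encapsulation traffic between nodes.
    - name: 'Create master-sg rule "VXLAN"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create master-sg rule "Geneve"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create master-sg rule "IPsec IKE"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 500
        port_range_max: 500

    - name: 'Create master-sg rule "IPsec NAT-T"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 4500
        port_range_max: 4500

    - name: 'Create master-sg rule "ovndb"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 6641
        port_range_max: 6642

    - name: 'Create master-sg rule "master ingress internal (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create master-sg rule "master ingress internal (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create master-sg rule "kube scheduler"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 10259
        port_range_max: 10259

    - name: 'Create master-sg rule "kube controller manager"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 10257
        port_range_max: 10257

    - name: 'Create master-sg rule "master ingress kubelet secure"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    # etcd client (2379) and peer (2380) ports: cluster subnet only.
    - name: 'Create master-sg rule "etcd"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 2379
        port_range_max: 2380

    # NodePort service range.
    - name: 'Create master-sg rule "master ingress services (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create master-sg rule "master ingress services (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    # IP protocol 112 (VRRP) for VIP failover; quoted so YAML keeps it a string.
    - name: 'Create master-sg rule "VRRP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_subnet_range }}"

    # Ingress ports are only opened on masters when they also run workloads.
    # No remote_ip_prefix: reachable from any source.
    - name: 'Create master-sg rule "master ingress HTTP (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        port_range_min: 80
        port_range_max: 80
      when: os_master_schedulable is defined and os_master_schedulable

    - name: 'Create master-sg rule "master ingress HTTPS (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        port_range_min: 443
        port_range_max: 443
      when: os_master_schedulable is defined and os_master_schedulable

    # Router health/stats port: cluster subnet only.
    - name: 'Create master-sg rule "router"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_master }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 1936
        port_range_max: 1936
      when: os_master_schedulable is defined and os_master_schedulable

    # ---- worker security group -------------------------------------------

    # No remote_ip_prefix: ICMP is accepted from any source.
    - name: 'Create worker-sg rule "ICMP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: icmp

    - name: 'Create worker-sg rule "SSH"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 22
        port_range_max: 22

    # No remote_ip_prefix: the ingress router ports are reachable from any
    # source (published via the ingress floating IP / VIP).
    - name: 'Create worker-sg rule "Ingress HTTP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        port_range_min: 80
        port_range_max: 80

    - name: 'Create worker-sg rule "Ingress HTTPS"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        port_range_min: 443
        port_range_max: 443

    - name: 'Create worker-sg rule "router"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 1936
        port_range_max: 1936

    - name: 'Create worker-sg rule "VXLAN"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 4789
        port_range_max: 4789

    - name: 'Create worker-sg rule "Geneve"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 6081
        port_range_max: 6081

    - name: 'Create worker-sg rule "IPsec IKE"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 500
        port_range_max: 500

    - name: 'Create worker-sg rule "IPsec NAT-T"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 4500
        port_range_max: 4500

    - name: 'Create worker-sg rule "worker ingress internal (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    - name: 'Create worker-sg rule "worker ingress internal (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 9000
        port_range_max: 9999

    # 10250 is the kubelet's TLS port (the task name is kept for compatibility
    # with existing run logs; "insecure" here is a misnomer).
    - name: 'Create worker-sg rule "worker ingress kubelet insecure"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 10250
        port_range_max: 10250

    - name: 'Create worker-sg rule "worker ingress services (TCP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: tcp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create worker-sg rule "worker ingress services (UDP)"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: udp
        remote_ip_prefix: "{{ os_subnet_range }}"
        port_range_min: 30000
        port_range_max: 32767

    - name: 'Create worker-sg rule "VRRP"'
      openstack.cloud.security_group_rule:
        security_group: "{{ os_sg_worker }}"
        protocol: '112'
        remote_ip_prefix: "{{ os_subnet_range }}"

    # ---- IPv6 rules (only when the cluster has an IPv6 subnet) --------------
    # Rules without a remote_ip_prefix default to ::/0. Subnet-restricted IPv6
    # rules MUST use os_subnet6_range: an IPv4 CIDR on an ethertype IPv6 rule
    # is rejected by Neutron.
    - name: 'Create security groups for IPv6'
      block:
        - name: 'Create master-sg IPv6 rule "OpenShift API"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: tcp
            port_range_min: 6443
            port_range_max: 6443

        - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_worker }}"
            ethertype: IPv6
            protocol: tcp
            port_range_min: 80
            port_range_max: 80

        - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_worker }}"
            ethertype: IPv6
            protocol: tcp
            port_range_min: 443
            port_range_max: 443

        - name: 'Create master-sg rule "master ingress HTTP (TCP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: tcp
            port_range_min: 80
            port_range_max: 80
          when: os_master_schedulable is defined and os_master_schedulable

        - name: 'Create master-sg rule "master ingress HTTPS (TCP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: tcp
            port_range_min: 443
            port_range_max: 443
          when: os_master_schedulable is defined and os_master_schedulable

        # Fixed: previously used the IPv4 os_subnet_range on an IPv6 rule.
        - name: 'Create master-sg rule "router"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: tcp
            remote_ip_prefix: "{{ os_subnet6_range }}"
            port_range_min: 1936
            port_range_max: 1936
          when: os_master_schedulable is defined and os_master_schedulable

        - name: 'Create master-sg IPv6 rule "master ingress services (TCP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: tcp
            remote_ip_prefix: "{{ os_subnet6_range }}"
            port_range_min: 30000
            port_range_max: 32767

        - name: 'Create master-sg IPv6 rule "master ingress services (UDP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_master }}"
            ethertype: IPv6
            protocol: udp
            remote_ip_prefix: "{{ os_subnet6_range }}"
            port_range_min: 30000
            port_range_max: 32767

        - name: 'Create worker-sg IPv6 rule "worker ingress services (TCP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_worker }}"
            ethertype: IPv6
            protocol: tcp
            remote_ip_prefix: "{{ os_subnet6_range }}"
            port_range_min: 30000
            port_range_max: 32767

        - name: 'Create worker-sg rule IPv6 "worker ingress services (UDP)"'
          openstack.cloud.security_group_rule:
            security_group: "{{ os_sg_worker }}"
            ethertype: IPv6
            protocol: udp
            remote_ip_prefix: "{{ os_subnet6_range }}"
            port_range_min: 30000
            port_range_max: 32767

      when: os_subnet6_range is defined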