Skip to content
Snippets Groups Projects
Normal view Permalink
security_group.tf 4.66 KiB
Newer Older
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
1 2 3 4 5 
resource "openstack_networking_secgroup_v2" "cluster_security_group" {
  name        = var.cluster_name
  description = "${var.cluster_name} kubernetes cluster security group"
}
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
# ----------------------------------------------------------------------
# Egress
# ----------------------------------------------------------------------

#Egress  IPv4  Any Any 0.0.0.0/0 - - 
#resource "openstack_networking_secgroup_rule_v2" "egress_ipv4" {
#  direction         = "egress"
#  ethertype         = "IPv4"
#  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
#  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
#}

#Egress  IPv6  Any Any ::/0  - - 
#resource "openstack_networking_secgroup_rule_v2" "egress_ipv6" {
#  direction         = "egress"
#  ethertype         = "IPv6"
#  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
#  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
#}
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 
# ----------------------------------------------------------------------
# Ingress
# ----------------------------------------------------------------------

# Ingress IPv4  ICMP  Any 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_icmp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "icmp"
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 22 (SSH)  0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_ssh" {
  description       = "ssh"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 80 (HTTP) 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_http" {
  description       = "http"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 443 (HTTPS) 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_https" {
  description       = "https"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
75 
# Ingress IPv4  TCP 6443  racher  - kube api
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
76 
resource "openstack_networking_secgroup_rule_v2" "ingress_kubeapi" {
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
77 78 
  for_each          = var.openstack_security_kubernetes
  description       = "kubeapi ${each.key}"
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
79 80 81 82 83 
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 6443
  port_range_max    = 6443
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
84 
  remote_ip_prefix  = each.value
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

resource "openstack_networking_secgroup_rule_v2" "same_security_group_ingress_tcp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  remote_group_id   = openstack_networking_secgroup_v2.cluster_security_group.id
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

resource "openstack_networking_secgroup_rule_v2" "same_security_group_ingress_udp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "udp"
  remote_group_id   = openstack_networking_secgroup_v2.cluster_security_group.id
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 1 - 65535 192.168.100.0/24  - - 
# Ingress IPv4  TCP 1 - 65535 141.142.216.0/21  - - 
# Ingress IPv4  TCP 2376  141.142.0.0/16  - - 
# Ingress IPv4  TCP 2379 - 2380 141.142.0.0/16  - etcd  
# Ingress IPv4  TCP 5201  0.0.0.0/0 - - 
# Ingress IPv4  TCP 6783  141.142.0.0/16  - weave 
# Ingress IPv4  TCP 10250 - 10255 141.142.0.0/16  - kubelet 
# Ingress IPv4  UDP 1 - 65535 192.168.100.0/24  - - 
# Ingress IPv4  UDP 1 - 65535 141.142.216.0/21  - - 
# Ingress IPv4  UDP 6783 - 6784 141.142.0.0/16  - weave

Contact help@ncsa.illinois.edu with questions regarding this site. | All rights reserved. ©2024 Board of Trustees of the University of Illinois. | Web Privacy Notice