Skip to content
Snippets Groups Projects
Normal view Permalink
security_group.tf 5.29 KiB
Newer Older
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
1 2 3 4 5 
resource "openstack_networking_secgroup_v2" "cluster_security_group" {
  name        = var.cluster_name
  description = "${var.cluster_name} kubernetes cluster security group"
}
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
# ----------------------------------------------------------------------
# Egress
# ----------------------------------------------------------------------

#Egress  IPv4  Any Any 0.0.0.0/0 - - 
#resource "openstack_networking_secgroup_rule_v2" "egress_ipv4" {
#  direction         = "egress"
#  ethertype         = "IPv4"
#  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
#  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
#}

#Egress  IPv6  Any Any ::/0  - - 
#resource "openstack_networking_secgroup_rule_v2" "egress_ipv6" {
#  direction         = "egress"
#  ethertype         = "IPv6"
#  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
#  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
#}
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 
# ----------------------------------------------------------------------
# Ingress
# ----------------------------------------------------------------------

# Ingress IPv4  ICMP  Any 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_icmp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "icmp"
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 22 (SSH)  0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_ssh" {
Rob Kooper's avatar
allow to set ssh access  
Rob Kooper committed
41 42 
  for_each          = var.openstack_security_ssh
  description       = "ssh from ${each.key}"
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
43 44 45 46 47 
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
Rob Kooper's avatar
allow to set ssh access  
Rob Kooper committed
48 
  remote_ip_prefix  = each.value
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 80 (HTTP) 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_http" {
  description       = "http"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 443 (HTTPS) 0.0.0.0/0 - - 
resource "openstack_networking_secgroup_rule_v2" "ingress_https" {
  description       = "https"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
77 
# Ingress IPv4  TCP 6443  racher  - kube api
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
78 
resource "openstack_networking_secgroup_rule_v2" "ingress_kubeapi" {
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
79 80 
  for_each          = var.openstack_security_kubernetes
  description       = "kubeapi ${each.key}"
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
81 82 83 84 85 
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 6443
  port_range_max    = 6443
Rob Kooper's avatar
backwards compatible  
Rob Kooper committed
86 
  remote_ip_prefix  = each.value
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
87 88 89 90 
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}
Rob Kooper's avatar
ncsa security  
Rob Kooper committed
91 92 93 94 95 96 97 98 99 100 101 102 103 
resource "openstack_networking_secgroup_rule_v2" "custom" {
  for_each          = var.openstack_security_custom
  description       = "custom ${each.key}"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = each.value.port_range_min
  port_range_max    = each.value.port_range_max
  remote_ip_prefix  = each.value.remote_ip_prefix
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}
Rob Kooper's avatar
create rke1 cluster
Rob Kooper committed
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 
resource "openstack_networking_secgroup_rule_v2" "same_security_group_ingress_tcp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  remote_group_id   = openstack_networking_secgroup_v2.cluster_security_group.id
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

resource "openstack_networking_secgroup_rule_v2" "same_security_group_ingress_udp" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "udp"
  remote_group_id   = openstack_networking_secgroup_v2.cluster_security_group.id
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
}

# Ingress IPv4  TCP 1 - 65535 192.168.100.0/24  - - 
# Ingress IPv4  TCP 1 - 65535 141.142.216.0/21  - - 
# Ingress IPv4  TCP 2376  141.142.0.0/16  - - 
# Ingress IPv4  TCP 2379 - 2380 141.142.0.0/16  - etcd  
# Ingress IPv4  TCP 5201  0.0.0.0/0 - - 
# Ingress IPv4  TCP 6783  141.142.0.0/16  - weave 
# Ingress IPv4  TCP 10250 - 10255 141.142.0.0/16  - kubelet 
# Ingress IPv4  UDP 1 - 65535 192.168.100.0/24  - - 
# Ingress IPv4  UDP 1 - 65535 141.142.216.0/21  - - 
# Ingress IPv4  UDP 6783 - 6784 141.142.0.0/16  - weave

Contact help@ncsa.illinois.edu with questions regarding this site. | All rights reserved. ©2024 Board of Trustees of the University of Illinois. | Web Privacy Notice