Skip to content

Instantly share code, notes, and snippets.

@mandre
Last active May 24, 2022 11:38
Show Gist options
  • Save mandre/a6f61ee66cabdd7747e0801010b05c9f to your computer and use it in GitHub Desktop.
Save mandre/a6f61ee66cabdd7747e0801010b05c9f to your computer and use it in GitHub Desktop.
Ansible playbook to adjust security groups for additional subnet
all:
hosts:
localhost:
ansible_connection: local
ansible_python_interpreter: "{{ansible_playbook_python}}"
# User-provided values
infraID: "your_cluster_id"
os_subnet_range: '10.0.128.0/17'
os_new_subnet_range: '192.168.123.0/24'
# Required Python packages:
#
# ansible
# openstackclient
# openstacksdk
- hosts: all
gather_facts: no
tasks:
- name: 'Compute resource names'
set_fact:
cluster_id_tag: "openshiftClusterID={{ infraID }}"
# Security groups names
os_sg_master: "{{ infraID }}-master"
os_sg_worker: "{{ infraID }}-worker"
os_sg_new_worker: "{{ infraID }}-worker-additional"
# Master -> new subnet
- name: 'Create master-sg rule "machine config server"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 22623
port_range_max: 22623
- name: 'Create master-sg rule "SSH"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 22
port_range_max: 22
- name: 'Create master-sg rule "DNS (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: tcp
port_range_min: 53
port_range_max: 53
- name: 'Create master-sg rule "DNS (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: udp
port_range_min: 53
port_range_max: 53
- name: 'Create master-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create master-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create master-sg rule "IPsec IKE"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 500
port_range_max: 500
- name: 'Create master-sg rule "IPsec NAT-T"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4500
port_range_max: 4500
- name: 'Create master-sg rule "ovndb"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6641
port_range_max: 6642
- name: 'Create master-sg rule "master ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create master-sg rule "master ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create master-sg rule "kube scheduler"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10259
port_range_max: 10259
- name: 'Create master-sg rule "kube controller manager"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10257
port_range_max: 10257
- name: 'Create master-sg rule "master ingress kubelet secure"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create master-sg rule "etcd"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 2379
port_range_max: 2380
- name: 'Create master-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
# Worker -> new subnet
- name: 'Create worker-sg rule "SSH"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 22
port_range_max: 22
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "IPsec IKE"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 500
port_range_max: 500
- name: 'Create worker-sg rule "IPsec NAT-T"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4500
port_range_max: 4500
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
# Additional security group, similar to initial worker security group
- name: 'Create the additional worker security group'
os_security_group:
name: "{{ os_sg_new_worker }}"
- name: 'Set worker security group tag'
command:
cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_new_worker }} "
- name: 'Create worker-sg rule "ICMP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: icmp
- name: 'Create worker-sg rule "SSH"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: tcp
port_range_min: 22
port_range_max: 22
- name: 'Create worker-sg rule "Ingress HTTP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 80
port_range_max: 80
- name: 'Create worker-sg rule "Ingress HTTPS"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 443
port_range_max: 443
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "IPsec IKE"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 500
port_range_max: 500
- name: 'Create worker-sg rule "IPsec NAT-T"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4500
port_range_max: 4500
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "worker ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "worker ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
# New subnet -> initial node subnet
- name: 'Create worker-sg rule "SSH"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 22
port_range_max: 22
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_subnet_range }}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment