OSP SG creation for deploying a new OCP worker on a separate subnet
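---
# Creates the security group for an additional OCP worker placed on a second
# subnet, and opens the existing master/worker groups to that subnet.
# The play runs on localhost and only derives names and CIDRs here; the
# OpenStack changes happen in the tasks that follow.
#
# Required Python packages:
#
# ansible
# openstackclient
# openstacksdk
- hosts: localhost
  gather_facts: false
  vars:
    ansible_python_interpreter: "/var/tmp/venv_shade/bin/python"
  tasks:
    # Operator-supplied inputs; every later name and CIDR is derived from these.
    - name: 'Set cluster parameters'
      set_fact:
        infraID: "ostest-p7sj6"  # update this with the proper value
        # CIDR of the existing nodes subnet
        os_subnet_range: '10.128.0.0/14'  # update this with the proper value
        # CIDR of the new subnet the additional worker is deployed on
        os_new_subnet_range: '192.168.123.0/24'
    # Resource names derived from infraID. Only cluster_id_tag, os_sg_master,
    # os_sg_worker and os_sg_new_worker are referenced later in this playbook;
    # the remaining names are kept for reference.
    - name: 'Compute resource names'
      set_fact:
        cluster_id_tag: "openshiftClusterID={{ infraID }}"
        os_infra_id: "{{ infraID }}"
        os_network: "{{ infraID }}-network"
        os_subnet: "{{ infraID }}-nodes"
        os_router: "{{ infraID }}-external-router"
        # Port names
        os_port_api: "{{ infraID }}-api-port"
        os_port_ingress: "{{ infraID }}-ingress-port"
        os_port_bootstrap: "{{ infraID }}-bootstrap-port"
        os_port_master: "{{ infraID }}-master-port"
        os_port_worker: "{{ infraID }}-worker-port"
        # Security groups names
        os_sg_master: "{{ infraID }}-master"
        os_sg_worker: "{{ infraID }}-worker"
        os_sg_new_worker: "{{ infraID }}-worker-additional"
        # Server names
        os_bootstrap_server_name: "{{ infraID }}-bootstrap"
        os_cp_server_name: "{{ infraID }}-master"
        os_cp_server_group_name: "{{ infraID }}-master"
        os_compute_server_name: "{{ infraID }}-worker"
        # Trunk names
        os_cp_trunk_name: "{{ infraID }}-master-trunk"
        os_compute_trunk_name: "{{ infraID }}-worker-trunk"
        # Subnet pool name
        subnet_pool: "{{ infraID }}-kuryr-pod-subnetpool"
        # Service network name
        os_svc_network: "{{ infraID }}-kuryr-service-network"
        # Service subnet name
        os_svc_subnet: "{{ infraID }}-kuryr-service-subnet"
        # Ignition files
        os_bootstrap_ignition: "{{ infraID }}-bootstrap-ignition.json"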
- name: 'Create the additional worker security group'
os_security_group:
name: "{{ os_sg_new_worker }}"
- name: 'Set worker security group tag'
command:
cmd: "openstack security group set {{ os_sg_new_worker }} "
- name: 'Create master-sg rule "machine config server"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 22623
port_range_max: 22623
- name: 'Create master-sg rule "DNS (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: tcp
port_range_min: 53
port_range_max: 53
- name: 'Create master-sg rule "DNS (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: udp
port_range_min: 53
port_range_max: 53
- name: 'Create master-sg rule "mDNS"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_new_subnet_range }}"
protocol: udp
port_range_min: 5353
port_range_max: 5353
- name: 'Create master-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create master-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create master-sg rule "ovndb"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6641
port_range_max: 6642
- name: 'Create master-sg rule "master ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create master-sg rule "master ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create master-sg rule "kube scheduler"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10259
port_range_max: 10259
- name: 'Create master-sg rule "kube controller manager"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10257
port_range_max: 10257
- name: 'Create master-sg rule "master ingress kubelet secure"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create master-sg rule "etcd"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 2379
port_range_max: 2380
- name: 'Create master-sg rule "master ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create master-sg rule "master ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create master-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
- name: 'Create worker-sg rule "mDNS"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 5353
port_range_max: 5353
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "worker ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "worker ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
- name: 'Create worker-sg rule "ICMP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: icmp
- name: 'Create worker-sg rule "SSH"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 22
port_range_max: 22
- name: 'Create worker-sg rule "mDNS"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 5353
port_range_max: 5353
- name: 'Create worker-sg rule "Ingress HTTP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 80
port_range_max: 80
- name: 'Create worker-sg rule "Ingress HTTPS"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
port_range_min: 443
port_range_max: 443
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "worker ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "worker ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_new_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_new_subnet_range }}"
- name: 'Create worker-sg rule "mDNS"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 5353
port_range_max: 5353
- name: 'Create worker-sg rule "router"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 1936
port_range_max: 1936
- name: 'Create worker-sg rule "VXLAN"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 4789
port_range_max: 4789
- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 6081
port_range_max: 6081
- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10250
port_range_max: 10250
- name: 'Create worker-sg rule "worker ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: tcp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "worker ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: udp
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767
- name: 'Create worker-sg rule "VRRP"'
os_security_group_rule:
security_group: "{{ os_sg_new_worker }}"
protocol: '112'
remote_ip_prefix: "{{ os_subnet_range }}"