From fabbcf192c758025ed762976f96f92b4823cdb7b Mon Sep 17 00:00:00 2001
From: Magnus Andersson
Date: Fri, 12 Jan 2024 13:33:22 +0100
Subject: [PATCH] Define kubenode security groups and assign it to kube nodes
---
 kube.tf | 12 ++++++++++--
 securitygroups.tf | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/kube.tf b/kube.tf
index 7054f49..ea22150 100644
--- a/kube.tf
+++ b/kube.tf
@@ -5,7 +5,11 @@ resource "openstack_networking_port_v2" "kubeport" {
 count = var.kubesize # size of cluster
 network_id = data.openstack_networking_network_v2.public.id
 # A list of security group ID
- security_group_ids = [ data.openstack_networking_secgroup_v2.sshfromjumphosts.id, data.openstack_networking_secgroup_v2.allegress.id ]
+ security_group_ids = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
+ data.openstack_networking_secgroup_v2.allegress.id,
+ resource.openstack_networking_secgroup_v2.kubenode.id
+ ]
 admin_state_up = "true"
 }
@@ -32,7 +36,11 @@ resource "openstack_compute_instance_v2" "kube" {
 count = var.kubesize
 flavor_id = data.openstack_compute_flavor_v2.b2c4r16.id
 key_pair = data.openstack_compute_keypair_v2.manderssonpub.id
- security_groups = [ data.openstack_networking_secgroup_v2.sshfromjumphosts.name, data.openstack_networking_secgroup_v2.allegress.name ]
+ security_groups = [
+ data.openstack_networking_secgroup_v2.sshfromjumphosts.name,
+ data.openstack_networking_secgroup_v2.allegress.name,
+ resource.openstack_networking_secgroup_v2.kubenode.name
+ ]
 network {
 port = resource.openstack_networking_port_v2.kubeport[count.index].id
diff --git a/securitygroups.tf b/securitygroups.tf
index c1131be..b550091 100644
--- a/securitygroups.tf
+++ b/securitygroups.tf
@@ -1,3 +1,5 @@
+# Data sources for existing groups
+
 # Datasource of sunet ssh-from-jumphost security group.
 data "openstack_networking_secgroup_v2" "sshfromjumphosts" {
 name = "ssh-from-jumphost"
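Review bot: The kubenode group is now listed in two places that have to be kept in sync by hand — `security_group_ids` on the kubeport port in the first kube.tf hunk and `security_groups` on the kube instance in the second — and nothing ties the two lists together, so a later edit to one list only would likely surface as drift rather than as a plan-time error. As far as I recall, the OpenStack provider's documentation for the instance resource advises placing security groups on the port rather than on the instance when the instance is attached via pre-created ports, so the instance-side list may be redundant; worth confirming against the provider version pinned in this repo before relying on either list alone. If both lists are kept deliberately, a comment such as `# Must match security_groups on openstack_compute_instance_v2.kube` on the port list (and the mirror comment on the instance list) would at least make the coupling visible. The enclosing `kubeport` and `kube` resource blocks both start before their hunks.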
@@ -6,3 +8,40 @@ data "openstack_networking_secgroup_v2" "sshfromjumphosts" {
 data "openstack_networking_secgroup_v2" "allegress" {
 name = "allegress"
 }
+
+# Resources to define new security groups
+
+# Securitygroup to allow kubernetes nodes
+resource "openstack_networking_secgroup_v2" "kubenode" {
+ name = "kubenode"
+ description = "Securitygroup for microk8s nodes"
+ delete_default_rules = true
+}
+
+resource "openstack_networking_secgroup_rule_v2" "kubeingressv4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ remote_group_id = openstack_networking_secgroup_v2.kubenode.id
+ security_group_id = openstack_networking_secgroup_v2.kubenode.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "kubeingressv6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ remote_group_id = openstack_networking_secgroup_v2.kubenode.id
+ security_group_id = openstack_networking_secgroup_v2.kubenode.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "kubeegressv4" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_group_id = openstack_networking_secgroup_v2.kubenode.id
+ security_group_id = openstack_networking_secgroup_v2.kubenode.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "kubeegressv6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_group_id = openstack_networking_secgroup_v2.kubenode.id
+ security_group_id = openstack_networking_secgroup_v2.kubenode.id
+}
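Review bot: The four `openstack_networking_secgroup_rule_v2` rules set no `protocol` or port range, so members of `kubenode` can reach each other on every protocol and port, and nothing on the rules records that this breadth is intended for microk8s cluster traffic rather than an oversight. That is a defensible choice for intra-cluster traffic, but it should be stated so nobody later narrows or widens it by accident; a `description` on each rule, e.g. `description = "Any protocol/port between kubenode members (microk8s cluster traffic)"`, or a comment above the group naming what has to flow between nodes, would do. The two egress rules only permit egress to other kubenode members, which is a no-op while `allegress` is also attached to the same port in kube.tf; if they exist to keep the group self-contained should `allegress` ever be dropped, a one-line comment saying so would save the next reader from deleting them as dead. Minor style point: these rules reference the group as `openstack_networking_secgroup_v2.kubenode.id` whereas kube.tf uses the `resource.` prefix for the same group; both resolve, but one form throughout would be tidier.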