There should be an option to avoid exposing masters.
From the doc:
Master nodes and infra nodes have floating IP assigned to make sure these nodes are accessible when an external loadbalancer is used for accessing OpenShift services.
So if we use an LBaaS, we should be able to avoid assigning floating IPs to masters.
This could be done with conditions, e.g.:
Feedback welcome!
diff --git a/master.yaml b/master.yaml
index 2989e1d..cd7f9b7 100644
--- a/master.yaml
+++ b/master.yaml
@@ -1,4 +1,4 @@
-heat_template_version: 2014-10-16
+heat_template_version: newton
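Review bot: the switch to `heat_template_version: newton` at the top of master.yaml raises the minimum Heat release the template will load on, and nothing in the patch documents that. The `conditions` section added further down depends on it, so state the new requirement in the README and check whether the other templates in the stack need the same bump to stay consistent.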
@@ -242,6 +242,10 @@ parameters:
+conditions:
+ expose_masters: false
+
+
resources:
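Review bot: `expose_masters: false` is a hard-coded literal, so this is not yet an option: every deployment loses the master floating IP and an operator has to edit the template to get it back. Declare a boolean parameter under parameters (defaulting to true keeps the current behaviour) and define the condition from it, for example `expose_masters: {get_param: expose_masters}`. The second blank line added after the block can go.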
@@ -319,6 +323,7 @@ resources:
# Provide access to the Master on the public network
floating_ip:
+ condition: expose_masters
type: OS::Neutron::FloatingIP
properties:
floating_network: {get_param: external_network}
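Review bot: with `condition: expose_masters` on floating_ip, the resource is not created when the condition is false, but the hunk does not show what happens to anything that refers to it. Any get_resource or get_attr on floating_ip elsewhere in master.yaml (an association resource, an output carrying the public address) needs the same condition or a fallback value, otherwise the stack may fail validation when the masters are not exposed.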
Moreover, we could limit SSH access to master and infra using remote_group_id in security groups.
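The remote_group_id suggestion above, sketched as a Heat fragment. This is an added example, not part of the original post or of the project's templates; the resource names (bastion_secgroup, master_secgroup), the admin_cidr parameter and the existence of a bastion host are assumptions made for illustration.

```yaml
heat_template_version: newton

parameters:
  admin_cidr:                      # hypothetical parameter: where operators connect from
    type: string
    description: CIDR allowed to reach the bastion over SSH

resources:
  # Hypothetical bastion group: the only group reachable over SSH from outside.
  bastion_secgroup:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: {get_param: admin_cidr}

  # Weak form, shown for comparison only: SSH to masters from any address.
  #   rules:
  #     - direction: ingress
  #       protocol: tcp
  #       port_range_min: 22
  #       port_range_max: 22
  #       remote_ip_prefix: 0.0.0.0/0

  # Restricted form: SSH to masters (and, with the same rule, infra nodes)
  # is accepted only from ports that are members of bastion_secgroup.
  master_secgroup:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_mode: remote_group_id
          remote_group_id: {get_resource: bastion_secgroup}
```

Because the rule matches on group membership rather than on addresses, it keeps working when the bastion's IP changes, and it does not depend on the masters having a floating IP.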