Last active
May 24, 2022 11:38
-
-
Save mandre/a6f61ee66cabdd7747e0801010b05c9f to your computer and use it in GitHub Desktop.
Ansible playbook to adjust security groups for additional subnet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| all: | |
| hosts: | |
| localhost: | |
| ansible_connection: local | |
| ansible_python_interpreter: "{{ansible_playbook_python}}" | |
| # User-provided values | |
| infraID: "your_cluster_id" | |
| os_subnet_range: '10.0.128.0/17' | |
| os_new_subnet_range: '192.168.123.0/24' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Required Python packages: | |
| # | |
| # ansible | |
| # openstackclient | |
| # openstacksdk | |
| - hosts: all | |
| gather_facts: no | |
| tasks: | |
| - name: 'Compute resource names' | |
| set_fact: | |
| cluster_id_tag: "openshiftClusterID={{ infraID }}" | |
| # Security groups names | |
| os_sg_master: "{{ infraID }}-master" | |
| os_sg_worker: "{{ infraID }}-worker" | |
| os_sg_new_worker: "{{ infraID }}-worker-additional" | |
| # Master -> new subnet | |
| - name: 'Create master-sg rule "machine config server"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 22623 | |
| port_range_max: 22623 | |
| - name: 'Create master-sg rule "SSH"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 22 | |
| port_range_max: 22 | |
| - name: 'Create master-sg rule "DNS (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| protocol: tcp | |
| port_range_min: 53 | |
| port_range_max: 53 | |
| - name: 'Create master-sg rule "DNS (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| protocol: udp | |
| port_range_min: 53 | |
| port_range_max: 53 | |
| - name: 'Create master-sg rule "VXLAN"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4789 | |
| port_range_max: 4789 | |
| - name: 'Create master-sg rule "Geneve"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 6081 | |
| port_range_max: 6081 | |
| - name: 'Create master-sg rule "IPsec IKE"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 500 | |
| port_range_max: 500 | |
| - name: 'Create master-sg rule "IPsec NAT-T"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4500 | |
| port_range_max: 4500 | |
| - name: 'Create master-sg rule "ovndb"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 6641 | |
| port_range_max: 6642 | |
| - name: 'Create master-sg rule "master ingress internal (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create master-sg rule "master ingress internal (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create master-sg rule "kube scheduler"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 10259 | |
| port_range_max: 10259 | |
| - name: 'Create master-sg rule "kube controller manager"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 10257 | |
| port_range_max: 10257 | |
| - name: 'Create master-sg rule "master ingress kubelet secure"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 10250 | |
| port_range_max: 10250 | |
| - name: 'Create master-sg rule "etcd"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 2379 | |
| port_range_max: 2380 | |
| - name: 'Create master-sg rule "VRRP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_master }}" | |
| protocol: '112' | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| # Worker -> new subnet | |
| - name: 'Create worker-sg rule "SSH"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 22 | |
| port_range_max: 22 | |
| - name: 'Create worker-sg rule "router"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 1936 | |
| port_range_max: 1936 | |
| - name: 'Create worker-sg rule "VXLAN"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4789 | |
| port_range_max: 4789 | |
| - name: 'Create worker-sg rule "Geneve"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 6081 | |
| port_range_max: 6081 | |
| - name: 'Create worker-sg rule "IPsec IKE"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 500 | |
| port_range_max: 500 | |
| - name: 'Create worker-sg rule "IPsec NAT-T"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4500 | |
| port_range_max: 4500 | |
| - name: 'Create worker-sg rule "worker ingress internal (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress internal (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress kubelet insecure"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 10250 | |
| port_range_max: 10250 | |
| - name: 'Create worker-sg rule "VRRP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_worker }}" | |
| protocol: '112' | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| # Additional security group, similar to initial worker security group | |
| - name: 'Create the additional worker security group' | |
| os_security_group: | |
| name: "{{ os_sg_new_worker }}" | |
| - name: 'Set worker security group tag' | |
| command: | |
| cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_new_worker }} " | |
| - name: 'Create worker-sg rule "ICMP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: icmp | |
| - name: 'Create worker-sg rule "SSH"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| protocol: tcp | |
| port_range_min: 22 | |
| port_range_max: 22 | |
| - name: 'Create worker-sg rule "Ingress HTTP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| port_range_min: 80 | |
| port_range_max: 80 | |
| - name: 'Create worker-sg rule "Ingress HTTPS"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| port_range_min: 443 | |
| port_range_max: 443 | |
| - name: 'Create worker-sg rule "router"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 1936 | |
| port_range_max: 1936 | |
| - name: 'Create worker-sg rule "VXLAN"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4789 | |
| port_range_max: 4789 | |
| - name: 'Create worker-sg rule "Geneve"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 6081 | |
| port_range_max: 6081 | |
| - name: 'Create worker-sg rule "IPsec IKE"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 500 | |
| port_range_max: 500 | |
| - name: 'Create worker-sg rule "IPsec NAT-T"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 4500 | |
| port_range_max: 4500 | |
| - name: 'Create worker-sg rule "worker ingress internal (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress internal (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress kubelet insecure"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| port_range_min: 10250 | |
| port_range_max: 10250 | |
| - name: 'Create worker-sg rule "worker ingress services (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| port_range_min: 30000 | |
| port_range_max: 32767 | |
| - name: 'Create worker-sg rule "worker ingress services (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| port_range_min: 30000 | |
| port_range_max: 32767 | |
| - name: 'Create worker-sg rule "VRRP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: '112' | |
| remote_ip_prefix: "{{ os_new_subnet_range }}" | |
| # New subnet -> initial node subnet | |
| - name: 'Create worker-sg rule "SSH"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 22 | |
| port_range_max: 22 | |
| - name: 'Create worker-sg rule "router"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 1936 | |
| port_range_max: 1936 | |
| - name: 'Create worker-sg rule "VXLAN"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 4789 | |
| port_range_max: 4789 | |
| - name: 'Create worker-sg rule "Geneve"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 6081 | |
| port_range_max: 6081 | |
| - name: 'Create worker-sg rule "worker ingress internal (TCP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress internal (UDP)"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: udp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 9000 | |
| port_range_max: 9999 | |
| - name: 'Create worker-sg rule "worker ingress kubelet insecure"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: tcp | |
| remote_ip_prefix: "{{ os_subnet_range }}" | |
| port_range_min: 10250 | |
| port_range_max: 10250 | |
| - name: 'Create worker-sg rule "VRRP"' | |
| os_security_group_rule: | |
| security_group: "{{ os_sg_new_worker }}" | |
| protocol: '112' | |
| remote_ip_prefix: "{{ os_subnet_range }}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment