openshift-on-openstack

Allow to set allowed_ssh_prefixes list parameter

Open BenoitCattie opened this issue 7 years ago • 2 comments

Hello,

this PR allows setting a list of IP prefixes allowed for SSH in the instances' security groups.

Notes:

  • adding OS::Neutron::SecurityGroupRule as I wasn't able to combine "repeat" and "static" rules

Benoit

BenoitCattie, Dec 05 '17 18:12

Thanks @BenoitCattie! I understand the desire for this change, but it makes the template much more verbose :-(.

What do you think about creating a separate SSH security group with the IP prefixes rules and passing that in addition to the current security group?

A server/port can have more than one security group applied:

https://github.com/BenoitCattie/openshift-on-openstack/blob/4d8d64516dc6b0fb2ee7416a88f239449b06b9a2/master.yaml#L235

If that doesn't work out (but it should), I'd prefer if we moved all the security groups & rules to separate files.

tomassedovic, Dec 06 '17 08:12

Hello,

indeed, the template is much more verbose with OS::Neutron::SecurityGroupRule.

I'm not sure how to pass IP prefixes in a different security group, as the existing security groups have an SSH rule allowing any ingress traffic. So adding restricted prefixes in addition will not remove the existing rule.

Did I misunderstand something?

Benoit

BenoitCattie, Dec 08 '17 09:12
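The separate SSH security group suggested in the thread, written as a Heat template fragment together with the constraint raised in the reply: Neutron security group rules are additive allow rules, so the prefix list only restricts SSH when no group attached to the port still allows port 22 from any source. This is an added example, not code from the PR or the project; the resource names, the `network` parameter and the sample prefixes are assumptions.

```yaml
heat_template_version: 2016-10-14

parameters:
  allowed_ssh_prefixes:
    type: comma_delimited_list
    description: CIDR prefixes allowed to reach port 22
    # Constructed sample values (documentation address ranges)
    default: "192.0.2.0/24,198.51.100.0/24"
  network:  # hypothetical parameter for this example
    type: string

resources:
  # Hypothetical name. The base group must NOT contain an SSH rule open to
  # any source: rules from all groups on a port are unioned, so such a rule
  # would override the prefix restriction below.
  base_security_group:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          protocol: icmp

  # Hypothetical name. "repeat" expands to one ingress rule per prefix.
  ssh_security_group:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        repeat:
          for_each:
            <%prefix%>: {get_param: allowed_ssh_prefixes}
          template:
            direction: ingress
            protocol: tcp
            port_range_min: 22
            port_range_max: 22
            remote_ip_prefix: <%prefix%>

  # Hypothetical port carrying both groups
  server_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: network}
      security_groups:
        - {get_resource: base_security_group}
        - {get_resource: ssh_security_group}
```

Keeping the prefix rules in their own group means "repeat" never has to be mixed with static rules in a single `rules` list.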