diff options
| author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-06-23 17:14:44 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-06-23 17:14:44 +0200 |
| commit | 6ab4acbc8e03e22600cad41413425bab5202a37e (patch) | |
| tree | 34d3633c00d33731a264cc28a7082fd8875e0d6e /playbooks | |
| parent | 1b07329f99bf31d6a644f851b02bea4f25eabe17 (diff) | |
| parent | 3f10c266aab0881ab294513d4ef93a1528d33c6b (diff) | |
| download | openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.gz openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.bz2 openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.tar.xz openshift-6ab4acbc8e03e22600cad41413425bab5202a37e.zip | |
Merge pull request #488 from bogdando/fix_flat_sg
Fix flat sec group and infra/dns sec rules
Diffstat (limited to 'playbooks')
| -rw-r--r-- | playbooks/provisioning/openstack/README.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 423d57113..df00e5507 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -72,6 +72,17 @@ stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes. +#### Security notes + +Configure required `*_ingress_cidr` variables to restrict public access +to provisioned servers from your laptop (a /32 notation should be used) +or your trusted network. The most important is the `node_ingress_cidr` +that restricts public access to the deployed DNS server and cluster +nodes' ephemeral ports range. + +Note, the command ``curl https://api.ipify.org`` helps fiding an external +IP address of your box (the ansible admin node). + ### Update the DNS names in `inventory/hosts` The different server groups are currently grouped by the domain name, |