Commit c3c7619

Author: Matt Pryor
Small update to docs
1 parent 7cacdb7 commit c3c7619

File tree

1 file changed: +33 -5 lines

docs/book/src/clusteropenstack/configuration.md

+33-5
@@ -28,6 +28,9 @@
2828
- [Multiple Networks](#multiple-networks)
2929
- [Subnet Filters](#subnet-filters)
3030
- [Ports](#ports)
31+
- [Port network and IP addresses](#port-network-and-ip-addresses)
32+
- [Examples](#examples)
33+
- [Port Security](#port-security)
3134
- [Security groups](#security-groups)
3235
- [Tagging](#tagging)
3336
- [Metadata](#metadata)
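Review bot: the three new entries at 31-33 (Port network and IP addresses, Examples, Port Security) are inserted between Ports and Security groups; if they are subsections of Ports, indent them as nested items under `- [Ports](#ports)` rather than listing them as top-level siblings, and confirm each anchor matches the heading slug it points to.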
@@ -571,14 +574,17 @@ set to `true`, the rules for the managed security groups permit all traffic
571574
between cluster nodes on all ports and protocols (API server and node port traffic is still
572575
permitted from anywhere, as with the default rules).
573576

574-
We can add security group rules that authorize traffic from all nodes via `allNodesSecurityGroupRules`.
575-
It takes a list of security groups rules that should be applied to selected nodes.
576-
The following rule fields are mutually exclusive: `remoteManagedGroups`, `remoteGroupID` and `remoteIPPrefix`.
577+
We can add additional security group rules that authorize traffic between nodes and/or from the outside
578+
world using `allNodesSecurityGroupRules`, `ControlPlaneNodesSecurityGroupRules` and `WorkerNodesSecurityGroupRules`.
579+
These properties take a list of security group rules that should be applied to all nodes, control plane nodes only
580+
or worker nodes only respectively.
581+
582+
In a rule definition, the fields `remoteManagedGroups`, `remoteGroupID` and `remoteIPPrefix` are mutually exclusive.
577583
If none of these fields are set, the rule will have a remote IP prefix of `0.0.0.0/0` per Neutron default.
578584

579585
Valid values for `remoteManagedGroups` are `controlplane`, `worker` and `bastion`.
580586

581-
To apply a security group rule that will allow BGP between the control plane and workers, you can follow this example:
587+
For example, to apply a security group rule to all nodes to permit BGP traffic between the nodes, use the following:
582588

583589
```yaml
584590
managedSecurityGroups:
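Review bot: the field names at 578 are inconsistently cased: `ControlPlaneNodesSecurityGroupRules` and `WorkerNodesSecurityGroupRules` start with a capital while `allNodesSecurityGroupRules` does not, and the YAML example later in this file uses `workerNodesSecurityGroupRules`; since these are YAML keys, write all three in camelCase in the prose so readers do not copy a key that the API will not accept. It would also help to make the sentence at 583 a visible warning, because leaving `remoteManagedGroups`, `remoteGroupID` and `remoteIPPrefix` all unset is the permissive outcome (a rule open to `0.0.0.0/0`), not a safe default.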
@@ -593,7 +599,29 @@ managedSecurityGroups:
593599
portRangeMax: 179
594600
protocol: tcp
595601
description: "Allow BGP between control plane and workers"
596-
```
602+
```
603+
604+
Or to enable traffic from anywhere to node port services on worker nodes only,
605+
which is **required for the OVN load-balancer provider**, the following can be used:
606+
607+
```yaml
608+
managedSecurityGroups:
609+
workerNodesSecurityGroupRules:
610+
- remoteIPPrefix: 0.0.0.0/0
611+
direction: ingress
612+
etherType: IPv4
613+
name: Node Port (TCP, anywhere)
614+
portRangeMin: 30000
615+
portRangeMax: 32767
616+
protocol: tcp
617+
- remoteIPPrefix: 0.0.0.0/0
618+
direction: ingress
619+
etherType: IPv4
620+
name: Node Port (UDP, anywhere)
621+
portRangeMin: 30000
622+
portRangeMax: 32767
623+
protocol: udp
624+
```
597625

598626
If this is not flexible enough, pre-existing security groups can be added to the
599627
spec of an `OpenStackMachineTemplate`, e.g.:
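Review bot: the new lead-in at 604-605 says a rule admitting node port traffic from anywhere is required for the OVN load-balancer provider, but the unchanged text at 574-576 states that node port traffic "is still permitted from anywhere, as with the default rules"; one of the two is stale, and if the default rules no longer open the node port range, 574-576 should be corrected in this change so the page does not contradict itself. Since the example at 608-623 opens 30000-32767 to `0.0.0.0/0` on every worker, the text should also say that `remoteIPPrefix` ought to be narrowed to the load balancer's source addresses where the provider permits it, rather than presenting the world-open rule as the thing to copy. Minor: the description at 597 still reads "Allow BGP between control plane and workers" while the rewritten lead-in at 587 describes the rule as applying to all nodes.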
