Skip to content

Allow to set allowed_ssh_prefixes list parameter#396

Open
BenoitCattie wants to merge 1 commit intoredhat-openstack:masterfrom
BenoitCattie:ssh_security_groups
Open

Allow to set allowed_ssh_prefixes list parameter#396
BenoitCattie wants to merge 1 commit intoredhat-openstack:masterfrom
BenoitCattie:ssh_security_groups

Conversation

@BenoitCattie
Copy link

@BenoitCattie BenoitCattie commented Dec 5, 2017

Hello,

this PR allow to set a list of IP prefixes allowed for SSH in instances security groups.

Notes :

  • adding OS::Neutron::SecurityGroupRule as i wasn't able to combine "repeat" and "static" rules

Benoit

@tomassedovic
Copy link
Contributor

tomassedovic commented Dec 6, 2017

Thanks @BenoitCattie! I understand the desire for this change, but it makes the template much more verbose :-(.

What do you think about creating a separate SSH security group with the IP prefixes rules and passing that in addition to the current security group?

A server/port can have more than one security group applied:

https://github.com/BenoitCattie/openshift-on-openstack/blob/4d8d64516dc6b0fb2ee7416a88f239449b06b9a2/master.yaml#L235

If that doesn't work out (but it should), I'd prefer if we moved all the security groups & rules to separate files.

@BenoitCattie
Copy link
Author

BenoitCattie commented Dec 8, 2017

Hello,

indeed, the template is much more verbose with OS::Neutron::SecurityGroupRule.

I'm not sure how to pass IP prefixes in a different security group, as existing security group have a SSH rule allowing any ingress traffic. So adding restricted prefixes in addition will not remove the existing rule.

Do i misunderstood something ?

Benoit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BenoitCattie @tomassedovic