Merge pull request #77 from yefei0423/nacl-security

Remove 30000- ports from ROKS security group
IBM · Aug 5, 2022 · e2eeba7 · e2eeba7
2 parents 2659f3a + fe01c19
commit e2eeba7
Show file tree

Hide file tree

Showing 7 changed files with 110 additions and 2 deletions.
diff --git a/automation-generators/ibm-cloud/openshift/preprocessor.py b/automation-generators/ibm-cloud/openshift/preprocessor.py
@@ -73,6 +73,12 @@ def preprocessor(attributes=None, fullConfig=None):
             if type(ge['infrastructure']['private_only']) != bool:
                 g.appendError(msg='Attribute infrastructure.private_only must be either true or false if specified. Default is false.')
 
+
+        # check deny_node_ports must be true or false if specified
+        if 'deny_node_ports' in ge['infrastructure']:
+            if type(ge['infrastructure']['deny_node_ports']) != bool:
+                g.appendError(msg='Attribute infrastructure.deny_node_ports must be either true or false if specified. Default is false.')
+
         # Check upstream DNS server
         if 'upstream_dns' in ge:
             for dns in ge['upstream_dns']:

diff --git a/...les/40-configure-infra/openshift-nacl-security/tasks/ibmcloud-configure-nacl-security.yml b/...les/40-configure-infra/openshift-nacl-security/tasks/ibmcloud-configure-nacl-security.yml
@@ -0,0 +1,88 @@
+---
+- set_fact:
+    _current_openshift_cluster: "{{ all_config.openshift | json_query(query) | first | default({}) }}"
+  vars:
+    query: >-
+      [?name=='{{ environment_name }}']
+
+- name: Get information in the current openshift configuration
+  debug:
+    var: _current_openshift_cluster
+
+- name: Get information in the current openshift configuration
+  debug:
+    var: _current_openshift_cluster.infrastructure.deny_node_ports | default(False)
+
+- set_fact:
+    _nacl_security_setting: "{{ _current_openshift_cluster.infrastructure.deny_node_ports | default(False) }}"
+
+- debug:
+    msg: "_nacl_security_setting is {{ _nacl_security_setting }}"
+
+- name: Get all OpenShift clusters
+  shell: ibmcloud oc cluster ls --provider vpc-gen2 --output json
+  register: _all_oc_clusters_output
+
+- set_fact:
+    _all_oc_clusters: "{{ _all_oc_clusters_output.stdout }}"
+
+- set_fact:
+    _current_cluster: "{{ _all_oc_clusters | json_query(query) | first | default({}) }}"
+  vars:
+    query: >-
+      [?name=='{{ _current_openshift_cluster.name }}']
+
+- fail:
+    msg: "Unable to locate OpenShift cluster with name {{ _current_openshift_cluster.name }}"
+  when: _current_cluster == {}
+
+- name: Get the Security Group for current OpenShift cluster 
+  shell: ibmcloud is security-group kube-{{ _current_cluster.id }} --output json
+  register: _current_security_group_output
+
+- set_fact:
+    _current_security_group: "{{ _current_security_group_output.stdout }}"
+
+- set_fact:
+    _inbound_rules: "{{ _current_security_group.rules | json_query(query) | default([]) }}"
+  vars:
+    query: >-
+      [?direction=='inbound']
+
+- name: Remove ICMP, TCP and UDP rules when deny_node_ports is True
+  shell: ibmcloud is security-group-rule-delete kube-{{ _current_cluster.id }} {{ item.id }} -f
+  when: ((item.protocol | lower == "tcp") or (item.protocol | lower == "udp") or (item.protocol | lower == "icmp")) and _nacl_security_setting | bool
+  with_items: "{{ _inbound_rules }}"
+
+- set_fact:
+    _inbound_rules_tcp: "{{ _inbound_rules | json_query(query) | default([]) }}"
+  vars:
+    query: >-
+      [?protocol=='tcp']
+  when: not (_nacl_security_setting | bool )
+
+- name: Add TCP rule when it does not exist and deny_node_ports is False
+  shell: ibmcloud is security-group-rule-add kube-{{ _current_cluster.id }} inbound tcp --port-min {{ _nacl_security_rule_tcp_min }} --port-max {{ _nacl_security_rule_tcp_max }}
+  when: _inbound_rules_tcp is defined and _inbound_rules_tcp | length == 0
+
+- set_fact:
+    _inbound_rules_udp: "{{ _inbound_rules | json_query(query) | default([]) }}"
+  vars:
+    query: >-
+      [?protocol=='udp']
+  when: not (_nacl_security_setting | bool )
+
+- name: Add UDP rule when it does not exist and deny_node_ports is False
+  shell: ibmcloud is security-group-rule-add kube-{{ _current_cluster.id }} inbound udp --port-min {{ _nacl_security_rule_udp_min }} --port-max {{ _nacl_security_rule_udp_max }}
+  when: _inbound_rules_udp is defined and _inbound_rules_udp | length == 0
+
+- set_fact:
+    _inbound_rules_icmp: "{{ _inbound_rules | json_query(query) | default([]) }}"
+  vars:
+    query: >-
+      [?protocol=='icmp']
+  when: not (_nacl_security_setting | bool )
+
+- name: Add ICMP rule when it does not exist and deny_node_ports is False
+  shell: ibmcloud is security-group-rule-add kube-{{ _current_cluster.id }} inbound icmp --icmp-type 8
+  when: _inbound_rules_icmp is defined and _inbound_rules_icmp | length == 0
diff --git a/automation-roles/40-configure-infra/openshift-nacl-security/tasks/main.yml b/automation-roles/40-configure-infra/openshift-nacl-security/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include_tasks: ibmcloud-configure-nacl-security.yml
+  when: cloud_platform == 'ibm-cloud'
diff --git a/automation-roles/40-configure-infra/openshift-nacl-security/vars/main.yml b/automation-roles/40-configure-infra/openshift-nacl-security/vars/main.yml
@@ -0,0 +1,4 @@
+_nacl_security_rule_tcp_min: 30000
+_nacl_security_rule_tcp_max: 32767
+_nacl_security_rule_udp_min: 30000
+_nacl_security_rule_udp_max: 32767
diff --git a/automation-roles/99-generic/ibmcloud/download-ibmcloud/tasks/main.yml b/automation-roles/99-generic/ibmcloud/download-ibmcloud/tasks/main.yml
@@ -39,7 +39,8 @@
   shell: |
     {{ status_dir }}/downloads/ibmcloud-linux.sh && \
     ibmcloud plugin install kubernetes-service -f && \
-    ibmcloud plugin install container-registry -f
+    ibmcloud plugin install container-registry -f && \
+    ibmcloud plugin install vpc-infrastructure -f
   when: not _ibmcloud_command.stat.exists
 
 - name: Get ibmcloud CLI version

diff --git a/doc/src/pages/cpd-design/objects/openshift.mdx b/doc/src/pages/cpd-design/objects/openshift.mdx
@@ -51,6 +51,7 @@ openshift:
     - sample-subnet-zone-3
     cos_name: sample-cos
     private_only: False
+    deny_node_ports: False
   upstream_dns:
   - name: sample-dns
      zones:
@@ -92,6 +93,7 @@ openshift:
 | infrastructure.subnets  | List of subnets within the VPC to use. Either 1 or 3 subnets must be specified            | Yes            | Existing subnet        |
 | infrastructure.cos_name | Reference to the `cos` object created for this cluster                                    | Yes            | Existing cos object    |
 | infrastructure.private_only | If true, it indicates that the ROKS cluster must be provisioned without public endpoints            | No             | True, False (default)  |
+| infrastructure.deny_node_ports | If true, the Allow ICMP, TCP and UDP rules for the security group associated with the ROKS cluster are removed if present. If false, the Allow ICMP, TCP and UDP rules are added if not present.             | No             | True, False (default)  |
 | openshift_logging[]     | Logging attributes for OpenShift cluster, see [OpenShift logging](#openshift-logging)     | No             |                        |
 | upstream_dns[]          | Upstream DNS servers(s), see [Upstream DNS Servers](#upstream-dns-servers)                | No             |                        |
 | openshift_storage[]     | List of storage definitions to be defined on OpenShift, see below for further explanation | No             |                        |

diff --git a/playbooks/playbook-env-apply-40-configure-infra.yml b/playbooks/playbook-env-apply-40-configure-infra.yml
@@ -61,4 +61,8 @@
       name: configure-openshift
     loop: "{{ all_config.openshift | default([]) }}"
     loop_control:
-      loop_var: current_openshift_cluster
+      loop_var: current_openshift_cluster
+
+  - name: OpenShift NACL Security
+    include_role:
+      name: openshift-nacl-security