TripleO Should Report Required Firewall Rules by Role
TripleO service definitions include the ports used by the service, and this information is used to configure iptables on the host running the service. Some operators want to enhance this security with hardware firewalls. Unfortunately, it isn't clear to operators what rules need to be configured on hardware firewalls or router ACLs.
Since each service definition already lists the firewall ports that service uses, TripleO has the information needed to say which ports a given service requires. TripleO should publish or report, on a per-node or per-role basis, which ports need to be open for each composable role. Operators could then use that report to see which ports must be opened on a hardware firewall or router ACL when further securing the environment.
It would be ideal if we could publish this data in a machine-readable format such as JSON. This would allow some automation to be inserted so that hardware firewalls could be automatically configured based on which services are used on which nodes. This would also make it clear what changes were required on hardware firewalls during upgrades.
Each service contains firewall rules in a unique key, for instance:
'113 nova_api':
    - 8774
    - 13774
    - 8775
So what is needed is a way to compile all the applicable tripleo.
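The following is an added example of the kind of compilation step the blueprint asks for; it is not code from TripleO or from the blueprint's author. It assumes the service firewall rules have already been parsed into Python dictionaries, with each rule key (such as '113 nova_api') mapping to a dict holding a 'dport' value (an int, a string, or a list, with "low-high" ranges allowed) and an optional 'proto' that defaults to tcp. The service rules, the role-to-service mapping (modelled on a roles_data ServicesDefault list) and all port numbers below are constructed sample data, not the project's real templates. It produces the per-role JSON report the blueprint describes, and also diffs two reports so that the rule changes needed across an upgrade stand out.

```python
import json

# Constructed sample, shaped like TripleO's '<order> <service>' firewall rule keys.
# Assumption: each rule is a dict with 'dport' and an optional 'proto' (default tcp).
SERVICE_FIREWALL_RULES = {
    "nova_api": {
        "113 nova_api": {"dport": [8774, 13774, 8775]},
    },
    "keystone": {
        "111 keystone": {"dport": [5000, 13000]},
    },
    "ntp": {
        "105 ntp": {"dport": 123, "proto": "udp"},
    },
    "nova_compute": {
        "118 nova_vnc_proxy": {"dport": "6080"},
        "120 nova_libvirt": {"dport": [16514, "49152-49215"]},
    },
}

# Constructed role -> services mapping (hypothetical, not a real roles_data.yaml).
ROLE_SERVICES = {
    "Controller": ["keystone", "nova_api", "ntp"],
    "Compute": ["nova_compute", "ntp"],
}


def _port_sort_key(port):
    # A range such as "49152-49215" sorts by its first port.
    return int(str(port).split("-")[0])


def normalize_ports(dport):
    """Turn an int, string or list 'dport' value into a list of port strings."""
    if isinstance(dport, (int, str)):
        dport = [dport]
    return [str(p) for p in dport]


def compile_role_ports(role_services, service_rules):
    """Build {role: {proto: [ports]}} from the role->services map and per-service rules."""
    report = {}
    for role, services in role_services.items():
        by_proto = {}
        for service in services:
            for _rule_name, rule in service_rules.get(service, {}).items():
                proto = rule.get("proto", "tcp")  # TripleO rules default to tcp
                by_proto.setdefault(proto, set()).update(normalize_ports(rule["dport"]))
        report[role] = {
            proto: sorted(ports, key=_port_sort_key) for proto, ports in by_proto.items()
        }
    return report


def diff_reports(before, after):
    """Ports to open or close per role and protocol between two reports (e.g. across an upgrade)."""
    changes = {}
    for role in sorted(set(before) | set(after)):
        protos = set(before.get(role, {})) | set(after.get(role, {}))
        for proto in sorted(protos):
            old = set(before.get(role, {}).get(proto, []))
            new = set(after.get(role, {}).get(proto, []))
            if old != new:
                changes.setdefault(role, {})[proto] = {
                    "open": sorted(new - old, key=_port_sort_key),
                    "close": sorted(old - new, key=_port_sort_key),
                }
    return changes


def to_json(report):
    """Machine-readable output that hardware firewall automation could consume."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(compile_role_ports(ROLE_SERVICES, SERVICE_FIREWALL_RULES)))
```

Ports are grouped by protocol rather than flattened into one list because an ACL entry for UDP 123 and one for TCP 8774 are different rules; a report that merged them would be ambiguous to whoever configures the upstream device.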
Blueprint information
Status: Complete
Approver: Emilien Macchi
Priority: Medium
Drafter: Dan Sneddon
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: Accepted for ussuri
Implementation: Not started
Milestone target: None
Started by:
Completed by: Emilien Macchi
Whiteboard
[2019-09-18] (aschultz): Not implemented by the end of Train, moving out to Ussuri