
Merge pull request #4797 from kwoodson/os_firewall_refactor

Refactor the firewall workflow.
Scott Dodson před 7 roky
rodič
revize
3409e6db20
48 změnil soubory, kde provedl 671 přidání a 147 odebrání
  1. 7 0
      playbooks/common/openshift-cluster/initialize_firewall.yml
  2. 1 0
      playbooks/common/openshift-cluster/openshift_hosted.yml
  3. 4 0
      playbooks/common/openshift-cluster/std_include.yml
  4. 8 0
      roles/cockpit/defaults/main.yml
  5. 1 4
      roles/cockpit/meta/main.yml
  6. 40 0
      roles/cockpit/tasks/firewall.yml
  7. 4 0
      roles/cockpit/tasks/main.yml
  8. 0 1
      roles/docker/meta/main.yml
  9. 12 0
      roles/etcd/defaults/main.yaml
  10. 1 6
      roles/etcd/meta/main.yml
  11. 40 0
      roles/etcd/tasks/firewall.yml
  12. 4 0
      roles/etcd/tasks/main.yml
  13. 63 0
      roles/lib_os_firewall/README.md
  14. 0 0
      roles/lib_os_firewall/library/os_firewall_manage_iptables.py
  15. 10 0
      roles/nuage_master/defaults/main.yml
  16. 1 4
      roles/nuage_master/meta/main.yml
  17. 40 0
      roles/nuage_master/tasks/firewall.yml
  18. 4 0
      roles/nuage_master/tasks/main.yaml
  19. 12 0
      roles/nuage_node/defaults/main.yml
  20. 1 6
      roles/nuage_node/meta/main.yml
  21. 40 0
      roles/nuage_node/tasks/firewall.yml
  22. 4 0
      roles/nuage_node/tasks/main.yaml
  23. 12 3
      roles/openshift_hosted/defaults/main.yml
  24. 1 5
      roles/openshift_hosted/meta/main.yml
  25. 40 0
      roles/openshift_hosted/tasks/registry/firewall.yml
  26. 5 2
      roles/openshift_hosted/tasks/registry/registry.yml
  27. 40 0
      roles/openshift_hosted/tasks/router/firewall.yml
  28. 4 0
      roles/openshift_hosted/tasks/router/router.yml
  29. 13 0
      roles/openshift_loadbalancer/defaults/main.yml
  30. 1 11
      roles/openshift_loadbalancer/meta/main.yml
  31. 40 0
      roles/openshift_loadbalancer/tasks/firewall.yml
  32. 4 0
      roles/openshift_loadbalancer/tasks/main.yml
  33. 17 0
      roles/openshift_master/defaults/main.yml
  34. 1 15
      roles/openshift_master/meta/main.yml
  35. 40 0
      roles/openshift_master/tasks/firewall.yml
  36. 4 0
      roles/openshift_master/tasks/main.yml
  37. 12 3
      roles/openshift_node/defaults/main.yml
  38. 1 26
      roles/openshift_node/meta/main.yml
  39. 40 0
      roles/openshift_node/tasks/firewall.yml
  40. 32 0
      roles/openshift_node/tasks/main.yml
  41. 8 0
      roles/openshift_storage_nfs/defaults/main.yml
  42. 1 4
      roles/openshift_storage_nfs/meta/main.yml
  43. 40 0
      roles/openshift_storage_nfs/tasks/firewall.yml
  44. 4 0
      roles/openshift_storage_nfs/tasks/main.yml
  45. 14 23
      roles/os_firewall/README.md
  46. 0 2
      roles/os_firewall/defaults/main.yml
  47. 0 16
      roles/os_firewall/tasks/firewall/firewalld.yml
  48. 0 16
      roles/os_firewall/tasks/firewall/iptables.yml

+ 7 - 0
playbooks/common/openshift-cluster/initialize_firewall.yml

@@ -0,0 +1,7 @@
+---
+- name: Initialize host facts
+  hosts: oo_all_hosts
+  tasks:
+  - name: install and configure the proper firewall settings
+    include_role:
+      name: os_firewall
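Review bot: The play name `Initialize host facts` does not describe what the play does; its only task includes the os_firewall role on every host. `- name: Initialize the host firewall` would keep `--list-tasks` output and run logs self-explanatory. Since this play runs on `oo_all_hosts` under `tags: always` (via std_include.yml), a one-line header comment saying that it only prepares the firewall service and that the per-role `firewall.yml` task files add the actual rules later would help readers follow the new flow.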

+ 1 - 0
playbooks/common/openshift-cluster/openshift_hosted.yml

@@ -29,6 +29,7 @@
   - role: openshift_default_storage_class
     when: openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')
   - role: openshift_hosted
+    r_openshift_hosted_use_calico: "{{ openshift.common.use_calico | default(false) | bool }}"
   - role: openshift_metrics
     when: openshift_hosted_metrics_deploy | default(false) | bool
   - role: openshift_logging

+ 4 - 0
playbooks/common/openshift-cluster/std_include.yml

@@ -14,3 +14,7 @@
 - include: initialize_openshift_version.yml
   tags:
   - always
+
+- include: initialize_firewall.yml
+  tags:
+  - always

+ 8 - 0
roles/cockpit/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
+r_cockpit_os_firewall_deny: []
+r_cockpit_os_firewall_allow:
+- service: cockpit-ws
+  port: 9090/tcp
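Review bot: `r_cockpit_firewall_enabled: True` and `r_cockpit_use_firewalld: False` use capitalised YAML 1.1 booleans, while the other new flag in this change (`r_openshift_master_os_firewall_enable: true`) and the firewalld task arguments use lowercase; these should be `r_cockpit_firewall_enabled: true` and `r_cockpit_use_firewalld: false`. The same applies to the `*_firewall_enabled`/`*_use_firewalld` pairs added to the defaults of etcd, nuage_master, nuage_node, openshift_hosted, openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs, and `static: yes` on the new includes would likewise be clearer as `static: true`. A comment above the allow list, `# entry keys: service (rule label), port ("<port>/<proto>"), optional cond (boolean; entry skipped when false)`, would document the list schema that every role's firewall.yml relies on.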

+ 1 - 4
roles/cockpit/meta/main.yml

@@ -12,7 +12,4 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- role: os_firewall
-  os_firewall_allow:
-  - service: cockpit-ws
-    port: 9090/tcp
+- role: lib_os_firewall

+ 40 - 0
roles/cockpit/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_cockpit_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_cockpit_os_firewall_deny }}"
+
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_cockpit_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_cockpit_os_firewall_deny }}"
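Review bot: The `r_cockpit_os_firewall_deny` list does not block anything: its entries are passed with `action: remove` (iptables) and `state: disabled` (firewalld), so they only retract allow rules previously opened through this mechanism, and a port permitted by any other rule stays reachable. A header comment such as `# *_os_firewall_deny removes previously added allow rules; it does not install reject/drop rules` would stop the name from being read as a blocklist. This 40-line file is duplicated verbatim, with only the variable prefix changed, in etcd, nuage_master, nuage_node, openshift_hosted (registry and router), openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs; a single tasks file under lib_os_firewall that takes the allow/deny lists as parameters would keep a future fix to the iptables/firewalld handling from having to be applied ten times. The firewalld tasks also pass no `zone`, so the rules go to firewalld's default zone — probably intended, but worth a comment.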

+ 4 - 0
roles/cockpit/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Install cockpit-ws
   package: name={{ item }} state=present
   with_items:

+ 0 - 1
roles/docker/meta/main.yml

@@ -10,5 +10,4 @@ galaxy_info:
     versions:
     - 7
 dependencies:
-- role: os_firewall
 - role: lib_openshift

+ 12 - 0
roles/etcd/defaults/main.yaml

@@ -1,4 +1,7 @@
 ---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
 
@@ -7,4 +10,13 @@ etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_
 etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 
+etcd_client_port: 2379
+etcd_peer_port: 2380
+
 etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"
+r_etcd_os_firewall_deny: []
+r_etcd_os_firewall_allow:
+- service: etcd
+  port: "{{etcd_client_port}}/tcp"
+- service: etcd peering
+  port: "{{ etcd_peer_port }}/tcp"
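Review bot: `port: "{{etcd_client_port}}/tcp"` on the etcd entry omits the spaces inside the braces that `"{{ etcd_peer_port }}/tcp"` on the next entry and the rest of this file use; `port: "{{ etcd_client_port }}/tcp"` keeps the two entries uniform. The new `etcd_client_port`/`etcd_peer_port` defaults are declared below the `etcd_*_urls` values that reference them, which is harmless for Ansible's lazy templating but reads backwards — placing them above the URL lines would help. If these two ports are also defined in a role that etcd depends on (not visible here), a comment saying which definition takes precedence would avoid a silent mismatch between the URLs and the firewall rules.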

+ 1 - 6
roles/etcd/meta/main.yml

@@ -17,11 +17,6 @@ galaxy_info:
   - system
 dependencies:
 - role: lib_openshift
-- role: os_firewall
-  os_firewall_allow:
-  - service: etcd
-    port: "{{etcd_client_port}}/tcp"
-  - service: etcd peering
-    port: "{{ etcd_peer_port }}/tcp"
+- role: lib_os_firewall
 - role: etcd_server_certificates
 - role: etcd_common

+ 40 - 0
roles/etcd/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_etcd_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_etcd_os_firewall_deny }}"
+
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_etcd_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_etcd_os_firewall_deny }}"

+ 4 - 0
roles/etcd/tasks/main.yml

@@ -6,6 +6,10 @@
     etcd_hostname: "{{ etcd_hostname }}"
     etcd_ip: "{{ etcd_ip }}"
 
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Install etcd
   package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
   when: not etcd_is_containerized | bool

+ 63 - 0
roles/lib_os_firewall/README.md

@@ -0,0 +1,63 @@
+lib_os_firewall
+===========
+
+lib_os_firewall manages iptables firewall settings for a minimal use
+case (Adding/Removing rules based on protocol and port number).
+
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
+Requirements
+------------
+
+Ansible 2.2
+
+Role Variables
+--------------
+
+| Name                      | Default |                                        |
+|---------------------------|---------|----------------------------------------|
+| os_firewall_allow         | []      | List of service,port mappings to allow |
+| os_firewall_deny          | []      | List of service, port mappings to deny |
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+Use iptables and open tcp ports 80 and 443:
+```
+---
+- hosts: servers
+  vars:
+    os_firewall_use_firewalld: false
+    os_firewall_allow:
+    - service: httpd
+      port: 80/tcp
+    - service: https
+      port: 443/tcp
+  tasks:
+  - include_role:
+      name: lib_os_firewall
+
+  - name: set allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    with_items: "{{ os_firewall_allow }}"
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+Jason DeTiberus - jdetiber@redhat.com

roles/os_firewall/library/os_firewall_manage_iptables.py → roles/lib_os_firewall/library/os_firewall_manage_iptables.py


+ 10 - 0
roles/nuage_master/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
+nuage_mon_rest_server_port: '9443'
+
+r_nuage_master_os_firewall_deny: []
+r_nuage_master_os_firewall_allow:
+- service: openshift-monitor
+  port: "{{ nuage_mon_rest_server_port }}/tcp"

+ 1 - 4
roles/nuage_master/meta/main.yml

@@ -16,8 +16,5 @@ dependencies:
 - role: nuage_ca
 - role: nuage_common
 - role: openshift_etcd_client_certificates
-- role: os_firewall
 - role: lib_openshift
-  os_firewall_allow:
-  - service: openshift-monitor
-    port: "{{ nuage_mon_rest_server_port }}/tcp"
+- role: lib_os_firewall

+ 40 - 0
roles/nuage_master/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_master_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_master_os_firewall_deny }}"
+
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_master_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_master_os_firewall_deny }}"

+ 4 - 0
roles/nuage_master/tasks/main.yaml

@@ -1,4 +1,8 @@
 ---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Create directory /usr/share/nuage-openshift-monitor
   become: yes
   file: path=/usr/share/nuage-openshift-monitor state=directory

+ 12 - 0
roles/nuage_node/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
+nuage_mon_rest_server_port: '9443'
+
+r_nuage_node_os_firewall_deny: []
+r_nuage_node_os_firewall_allow:
+- service: vxlan
+  port: 4789/udp
+- service: nuage-monitor
+  port: "{{ nuage_mon_rest_server_port }}/tcp"

+ 1 - 6
roles/nuage_node/meta/main.yml

@@ -15,9 +15,4 @@ galaxy_info:
 dependencies:
 - role: nuage_common
 - role: nuage_ca
-- role: os_firewall
-  os_firewall_allow:
-  - service: vxlan
-    port: 4789/udp
-  - service: nuage-monitor
-    port: "{{ nuage_mon_rest_server_port }}/tcp"
+- role: lib_os_firewall

+ 40 - 0
roles/nuage_node/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_node_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_node_os_firewall_deny }}"
+
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_node_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_nuage_node_os_firewall_deny }}"

+ 4 - 0
roles/nuage_node/tasks/main.yaml

@@ -54,3 +54,7 @@
     - restart node
 
 - include: iptables.yml
+
+- name: setup firewall
+  include: firewall.yml
+  static: yes
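Review bot: The `setup firewall` include is appended at the end of this tasks file, after the node has been configured and after the existing `- include: iptables.yml`, whereas every other role in this change includes firewall.yml first. Moving it to the top of the file, ahead of the role's own configuration tasks, would open the VXLAN and monitor ports at the same point in the run as the other roles. Since a separate `iptables.yml` still exists here (its contents are outside this hunk), a short comment on the include noting how the two files divide the iptables handling would keep the next reader from assuming one of them is a leftover.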

+ 12 - 3
roles/openshift_hosted/defaults/main.yml

@@ -1,4 +1,10 @@
 ---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
 registry_volume_claim: 'registry-claim'
 
 openshift_hosted_router_edits:
@@ -26,12 +32,15 @@ openshift_hosted_routers:
   - 443:443
   certificate: "{{ openshift_hosted_router_certificate | default({}) }}"
 
-
 openshift_hosted_router_certificate: {}
 openshift_hosted_registry_cert_expire_days: 730
 openshift_hosted_router_create_certificate: True
 
-os_firewall_allow:
+r_openshift_hosted_router_os_firewall_deny: []
+r_openshift_hosted_router_os_firewall_allow: []
+
+r_openshift_hosted_registry_os_firewall_deny: []
+r_openshift_hosted_registry_os_firewall_allow:
 - service: Docker Registry Port
   port: 5000/tcp
-  when: openshift.common.use_calico | bool
+  cond: "{{ r_openshift_hosted_use_calico }}"
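Review bot: `cond: "{{ r_openshift_hosted_use_calico }}"` references a variable this defaults file never defines; it is only supplied as a role parameter in playbooks/common/openshift-cluster/openshift_hosted.yml, so any other invocation of openshift_hosted will fail with an undefined-variable error when the registry allow list is templated. Add `r_openshift_hosted_use_calico: false` next to the other `r_openshift_hosted_*` defaults at the top of this file, or write the entry as `cond: "{{ r_openshift_hosted_use_calico | default(false) | bool }}"`. The `| bool` that the removed `when:` applied is also gone, so a string value passed through the role parameter would be judged on non-emptiness rather than on its boolean meaning.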

+ 1 - 5
roles/openshift_hosted/meta/main.yml

@@ -15,8 +15,4 @@ dependencies:
 - role: openshift_cli
 - role: openshift_hosted_facts
 - role: lib_openshift
-- role: os_firewall
-  os_firewall_allow:
-  - service: Docker Registry Port
-    port: 5000/tcp
-  when: openshift.common.use_calico | bool
+- role: lib_os_firewall

+ 40 - 0
roles/openshift_hosted/tasks/registry/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
+
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"

+ 5 - 2
roles/openshift_hosted/tasks/registry/registry.yml

@@ -1,6 +1,10 @@
 ---
-- block:
+- name: setup firewall
+  include: firewall.yml
+  static: yes
 
+- when: openshift.hosted.registry.replicas | default(none) is none
+  block:
   - name: Retrieve list of openshift nodes matching registry selector
     oc_obj:
       state: list
@@ -28,7 +32,6 @@
       l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
     when: l_node_count | int > 0
 
-  when: openshift.hosted.registry.replicas | default(none) is none
 
 - name: set openshift_hosted facts
   set_fact:

+ 40 - 0
roles/openshift_hosted/tasks/router/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
+
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"

+ 4 - 0
roles/openshift_hosted/tasks/router/router.yml

@@ -1,4 +1,8 @@
 ---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Retrieve list of openshift nodes matching router selector
   oc_obj:
     state: list

+ 13 - 0
roles/openshift_loadbalancer/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
 haproxy_frontends:
 - name: main
   binds:
@@ -12,3 +15,13 @@ haproxy_backends:
   - name: web01
     address: 127.0.0.1:9000
     opts: check
+
+r_openshift_loadbalancer_os_firewall_deny: []
+r_openshift_loadbalancer_os_firewall_allow:
+- service: haproxy stats
+  port: "9000/tcp"
+- service: haproxy balance
+  port: "{{ openshift_master_api_port | default(8443) }}/tcp"
+- service: nuage mon
+  port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
+  cond: "{{ openshift_use_nuage | default(false) | bool }}"

+ 1 - 11
roles/openshift_loadbalancer/meta/main.yml

@@ -10,16 +10,6 @@ galaxy_info:
     versions:
     - 7
 dependencies:
+- role: lib_os_firewall
 - role: openshift_facts
-- role: os_firewall
-  os_firewall_allow:
-  - service: haproxy stats
-    port: "9000/tcp"
-  - service: haproxy balance
-    port: "{{ openshift_master_api_port | default(8443) }}/tcp"
-- role: os_firewall
-  os_firewall_allow:
-  - service: nuage mon
-    port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
-  when: openshift_use_nuage | default(false) | bool
 - role: openshift_repos

+ 40 - 0
roles/openshift_loadbalancer/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
+
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"

+ 4 - 0
roles/openshift_loadbalancer/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Install haproxy
   package: name=haproxy state=present
   when: not openshift.common.is_containerized | bool

+ 17 - 0
roles/openshift_master/defaults/main.yml

@@ -1,4 +1,21 @@
 ---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
 openshift_node_ips: []
 r_openshift_master_clean_install: false
 r_openshift_master_etcd3_storage: false
+r_openshift_master_os_firewall_enable: true
+r_openshift_master_os_firewall_deny: []
+r_openshift_master_os_firewall_allow:
+- service: api server https
+  port: "{{ openshift.master.api_port }}/tcp"
+- service: api controllers https
+  port: "{{ openshift.master.controllers_port }}/tcp"
+- service: skydns tcp
+  port: "{{ openshift.master.dns_port }}/tcp"
+- service: skydns udp
+  port: "{{ openshift.master.dns_port }}/udp"
+- service: etcd embedded
+  port: 4001/tcp
+  cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
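Review bot: `r_openshift_master_os_firewall_enable: true` and `r_openshift_master_firewall_enabled: True` are two near-identically named switches, and only the latter is read by the new roles/openshift_master/tasks/firewall.yml; nothing else in this diff references `r_openshift_master_os_firewall_enable`. Unless it is consumed somewhere outside this change, drop it (or make firewall.yml read it, if that is the intended public name) so that setting the wrong one does not silently leave the firewall untouched. The `etcd embedded` entry would also benefit from a comment, `# 4001/tcp is only needed when no external etcd hosts are configured`, because its `cond` is an inference from cluster topology rather than a user setting.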

+ 1 - 15
roles/openshift_master/meta/main.yml

@@ -13,6 +13,7 @@ galaxy_info:
   - cloud
 dependencies:
 - role: lib_openshift
+- role: lib_os_firewall
 - role: openshift_master_facts
 - role: openshift_hosted_facts
 - role: openshift_master_certificates
@@ -25,21 +26,6 @@ dependencies:
 - role: openshift_cloud_provider
 - role: openshift_builddefaults
 - role: openshift_buildoverrides
-- role: os_firewall
-  os_firewall_allow:
-  - service: api server https
-    port: "{{ openshift.master.api_port }}/tcp"
-  - service: api controllers https
-    port: "{{ openshift.master.controllers_port }}/tcp"
-  - service: skydns tcp
-    port: "{{ openshift.master.dns_port }}/tcp"
-  - service: skydns udp
-    port: "{{ openshift.master.dns_port }}/udp"
-- role: os_firewall
-  os_firewall_allow:
-  - service: etcd embedded
-    port: 4001/tcp
-  when: groups.oo_etcd_to_config | default([]) | length == 0
 - role: nickhammond.logrotate
 - role: contiv
   contiv_role: netmaster

+ 40 - 0
roles/openshift_master/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_master_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_master_os_firewall_deny }}"
+
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_master_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_master_os_firewall_deny }}"

+ 4 - 0
roles/openshift_master/tasks/main.yml

@@ -23,6 +23,10 @@
     msg: "Pacemaker based HA is not supported at this time when used with containerized installs"
   when: openshift.master.ha | bool and openshift.master.cluster_method == "pacemaker" and openshift.common.is_containerized | bool
 
+- name: Open up firewall ports
+  include: firewall.yml
+  static: yes
+
 - name: Install Master package
   package:
     name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"

+ 12 - 3
roles/openshift_node/defaults/main.yml

@@ -1,5 +1,8 @@
 ---
-os_firewall_allow:
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
+r_openshift_node_os_firewall_deny: []
+r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet
   port: 10250/tcp
 - service: http
@@ -8,7 +11,13 @@ os_firewall_allow:
   port: 443/tcp
 - service: OpenShift OVS sdn
   port: 4789/udp
-  when: openshift.common.use_openshift_sdn | default(true) | bool
+  cond: openshift.common.use_openshift_sdn | default(true) | bool
 - service: Calico BGP Port
   port: 179/tcp
-  when: openshift.common.use_calico | bool
+  cond: "{{ openshift.common.use_calico | bool }}"
+- service: Kubernetes service NodePort TCP
+  port: "{{ openshift_node_port_range | default('') }}/tcp"
+  cond: "{{ openshift_node_port_range is defined }}"
+- service: Kubernetes service NodePort UDP
+  port: "{{ openshift_node_port_range | default('') }}/udp"
+  cond: "{{ openshift_node_port_range is defined }}"
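Review bot: `cond: openshift.common.use_openshift_sdn | default(true) | bool` on the `OpenShift OVS sdn` entry is a bare string rather than a Jinja expression: without `{{ }}` it is never evaluated, and in firewall.yml `when: item.cond | default(True)` then sees a non-empty string, which as far as I can tell is simply truthy, so 4789/udp is opened even when the SDN is disabled (the removed `when:` in meta/main.yml did evaluate it). The `Calico BGP Port` entry two lines below gets it right; this one should read `cond: "{{ openshift.common.use_openshift_sdn | default(true) | bool }}"`. The NodePort entries' `port: "{{ openshift_node_port_range | default('') }}/tcp"` yields `/tcp` when the range is unset; that is guarded by `cond`, but a comment stating that the port value is only meaningful when `openshift_node_port_range` is defined would make the pairing explicit.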

+ 1 - 26
roles/openshift_node/meta/main.yml

@@ -14,36 +14,11 @@ galaxy_info:
 dependencies:
 - role: openshift_node_facts
 - role: lib_openshift
+- role: lib_os_firewall
 - role: openshift_common
 - role: openshift_clock
 - role: openshift_docker
 - role: openshift_node_certificates
 - role: openshift_cloud_provider
-- role: os_firewall
-  os_firewall_allow:
-  - service: Kubernetes kubelet
-    port: 10250/tcp
-  - service: http
-    port: 80/tcp
-  - service: https
-    port: 443/tcp
-- role: os_firewall
-  os_firewall_allow:
-  - service: OpenShift OVS sdn
-    port: 4789/udp
-  when: openshift.common.use_openshift_sdn | default(true) | bool
-- role: os_firewall
-  os_firewall_allow:
-  - service: Calico BGP Port
-    port: 179/tcp
-  when: openshift.common.use_calico | bool
-
-- role: os_firewall
-  os_firewall_allow:
-  - service: Kubernetes service NodePort TCP
-    port: "{{ openshift_node_port_range | default('') }}/tcp"
-  - service: Kubernetes service NodePort UDP
-    port: "{{ openshift_node_port_range | default('') }}/udp"
-  when: openshift_node_port_range is defined
 - role: openshift_node_dnsmasq
   when: openshift.common.use_dnsmasq | bool

+ 40 - 0
roles/openshift_node/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_node_os_firewall_deny }}"
+
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_node_os_firewall_deny }}"

+ 32 - 0
roles/openshift_node/tasks/main.yml

@@ -6,6 +6,38 @@
     - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
     - not openshift_docker_use_crio | default(false)
 
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Set node facts
+  openshift_facts:
+    role: "{{ item.role }}"
+    local_facts: "{{ item.local_facts }}"
+  with_items:
+    # Reset node labels to an empty dictionary.
+    - role: node
+      local_facts:
+        labels: {}
+    - role: node
+      local_facts:
+        annotations: "{{ openshift_node_annotations | default(none) }}"
+        debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
+        iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}"
+        kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
+        labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}"
+        registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}"
+        schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+        sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
+        storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}"
+        set_node_ip: "{{ openshift_set_node_ip | default(None) }}"
+        node_image: "{{ osn_image | default(None) }}"
+        ovs_image: "{{ osn_ovs_image | default(None) }}"
+        proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}"
+        local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}"
+        dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}"
+        env_vars: "{{ openshift_node_env_vars | default(None) }}"
+
 # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
 - name: Check for swap usage
   command: grep "^[^#].*swap" /etc/fstab

+ 8 - 0
roles/openshift_storage_nfs/defaults/main.yml

@@ -1,4 +1,12 @@
 ---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
+r_openshift_storage_nfs_os_firewall_deny: []
+r_openshift_storage_nfs_os_firewall_allow:
+- service: nfs
+  port: "2049/tcp"
+
 openshift:
   hosted:
     registry:
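Review bot: `r_openshift_storage_nfs_use_firewalld: False` (and `r_openshift_storage_nfs_firewall_enabled: True`) are literals rather than references to the global toggles that os_firewall/defaults/main.yml still defines further down this diff (`os_firewall_enabled: True`, `os_firewall_use_firewalld: "{{ False }}"`), so an inventory that switches the os_firewall role to firewalld presumably leaves this role on the iptables path, inserting raw iptables rules on a host whose firewall firewalld manages. I would derive them from the global knobs: `r_openshift_storage_nfs_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"` and `r_openshift_storage_nfs_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`. The allow list carries only `2049/tcp`, which is enough for NFSv4 but not for v3 clients that also need rpcbind/mountd; a comment such as `# NFSv4 only: v3 clients additionally need 111 (rpcbind) and mountd` would record the assumption. Lowercase `true`/`false` rather than `True`/`False` matches the YAML convention used elsewhere in the repo's task files.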

+ 1 - 4
roles/openshift_storage_nfs/meta/main.yml

@@ -10,9 +10,6 @@ galaxy_info:
     versions:
     - 7
 dependencies:
-- role: os_firewall
-  os_firewall_allow:
-  - service: nfs
-    port: "2049/tcp"
+- role: lib_os_firewall
 - role: openshift_hosted_facts
 - role: openshift_repos

+ 40 - 0
roles/openshift_storage_nfs/tasks/firewall.yml

@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
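Review bot: The firewalld tasks pass no `zone:`, so the 2049/tcp opening lands in whatever firewalld's default zone is on the host rather than an explicitly chosen one, and the iptables branch adds a source-unrestricted rule through os_firewall_manage_iptables, so reachability of the export is governed only by /etc/exports; I would state that at the top of the file: `# Opens the NFS port to all sources (no zone/source restriction); export access control is left to /etc/exports.` The per-item `when: item.cond | default(True)` is an undocumented hook — a comment like `# optional 'cond' key: a boolean expression; the rule is skipped when it is false` on the allow list would make it discoverable. `item.port.split('/')[1]` assumes every entry is `port/proto`; an entry without the slash fails with an opaque template error rather than a clear message, which is worth noting in the same comment.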

+ 4 - 0
roles/openshift_storage_nfs/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Install nfs-utils
   package: name=nfs-utils state=present
 

+ 14 - 23
roles/os_firewall/README.md

@@ -1,8 +1,8 @@
 OS Firewall
 ===========
 
-OS Firewall manages firewalld and iptables firewall settings for a minimal use
-case (Adding/Removing rules based on protocol and port number).
+OS Firewall manages firewalld and iptables installation.
+case.
 
 Note: firewalld is not supported on Atomic Host
 https://bugzilla.redhat.com/show_bug.cgi?id=1403331
@@ -18,8 +18,6 @@ Role Variables
 | Name                      | Default |                                        |
 |---------------------------|---------|----------------------------------------|
 | os_firewall_use_firewalld | False   | If false, use iptables                 |
-| os_firewall_allow         | []      | List of service,port mappings to allow |
-| os_firewall_deny          | []      | List of service, port mappings to deny |
 
 Dependencies
 ------------
@@ -29,34 +27,27 @@ None.
 Example Playbook
 ----------------
 
-Use iptables and open tcp ports 80 and 443:
+Use iptables:
 ```
 ---
 - hosts: servers
-  vars:
-    os_firewall_use_firewalld: false
-    os_firewall_allow:
-    - service: httpd
-      port: 80/tcp
-    - service: https
-      port: 443/tcp
-  roles:
-  - os_firewall
+  task:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: false
 ```
 
-Use firewalld and open tcp port 443 and close previously open tcp port 80:
+Use firewalld:
 ```
 ---
 - hosts: servers
   vars:
-    os_firewall_allow:
-    - service: https
-      port: 443/tcp
-    os_firewall_deny:
-    - service: httpd
-      port: 80/tcp
-  roles:
-  - os_firewall
+  tasks:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: true
 ```
 
 License

+ 0 - 2
roles/os_firewall/defaults/main.yml

@@ -3,5 +3,3 @@ os_firewall_enabled: True
 # firewalld is not supported on Atomic Host
 # https://bugzilla.redhat.com/show_bug.cgi?id=1403331
 os_firewall_use_firewalld: "{{ False }}"
-os_firewall_allow: []
-os_firewall_deny: []

+ 0 - 16
roles/os_firewall/tasks/firewall/firewalld.yml

@@ -49,19 +49,3 @@
   until: pkaction.rc == 0
   retries: 6
   delay: 10
-
-- name: Add firewalld allow rules
-  firewalld:
-    port: "{{ item.port }}"
-    permanent: true
-    immediate: true
-    state: enabled
-  with_items: "{{ os_firewall_allow }}"
-
-- name: Remove firewalld allow rules
-  firewalld:
-    port: "{{ item.port }}"
-    permanent: true
-    immediate: true
-    state: disabled
-  with_items: "{{ os_firewall_deny }}"

+ 0 - 16
roles/os_firewall/tasks/firewall/iptables.yml

@@ -33,19 +33,3 @@
 - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
   pause: seconds=10
   when: result | changed
-
-- name: Add iptables allow rules
-  os_firewall_manage_iptables:
-    name: "{{ item.service }}"
-    action: add
-    protocol: "{{ item.port.split('/')[1] }}"
-    port: "{{ item.port.split('/')[0] }}"
-  with_items: "{{ os_firewall_allow }}"
-
-- name: Remove iptables rules
-  os_firewall_manage_iptables:
-    name: "{{ item.service }}"
-    action: remove
-    protocol: "{{ item.port.split('/')[1] }}"
-    port: "{{ item.port.split('/')[0] }}"
-  with_items: "{{ os_firewall_deny }}"