
Always let the openshift nodes access the DNS

When `node_ingress_cidr` is used to limit the IP range for the DNS server, this
can prevent the actual openshift nodes from accessing it as well.

This commit makes the access from the `openstack_subnet_prefix` always
pass through and uses `node_ingress_cidr` for additional
access control.
Tomas Sedovic 7 years ago
parent
commit
a7300e6b7a
1 changed file with 15 additions and 0 deletions
  1. roles/openstack-stack/templates/heat_stack.yaml.j2 (15 additions, 0 deletions)

+ 15 - 0
roles/openstack-stack/templates/heat_stack.yaml.j2

@@ -289,6 +289,11 @@ resources:
           port_range_min: 30000
           port_range_max: 32767
           remote_ip_prefix: {{ node_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
 
   infra-secgrp:
     type: OS::Neutron::SecurityGroup
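
Review bot: The commit message only talks about DNS access, but the rule added after the `node_ingress_cidr` entry here opens TCP 30000-32767 to `"{{ openstack_subnet_prefix }}.0/24"`, which is a different service range on a different security group. Please either mention this range in the commit message with the reason the nodes need it, or move it to its own commit so the DNS fix can be reviewed and reverted independently. The `.0/24` suffix is also hard-coded, so the rule silently assumes the node subnet is always a /24 built from `openstack_subnet_prefix`; a short comment in the template stating that assumption would help.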
@@ -338,10 +343,20 @@ resources:
           port_range_max: 53
           remote_ip_prefix: {{ node_ingress_cidr }}
         - direction: ingress
+          protocol: udp
+          port_range_min: 53
+          port_range_max: 53
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+        - direction: ingress
           protocol: tcp
           port_range_min: 53
           port_range_max: 53
           remote_ip_prefix: {{ node_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 53
+          port_range_max: 53
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
 {% if num_masters is greaterthan 1 %}
   lb-secgrp:
     type: OS::Neutron::SecurityGroup
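
Review bot: The subnet CIDR is spelled out as `"{{ openstack_subnet_prefix }}.0/24"` in both added port 53 rules (UDP and TCP), again hard-coding the /24 mask. Consider building the CIDR once (for example with a `{% set %}` at the top of the template, or a dedicated variable) and referencing it in every rule, so a change of subnet size only has to be made in one place. Two smaller points: the new values are quoted while the neighbouring `remote_ip_prefix: {{ node_ingress_cidr }}` lines are not, so pick one style; and if `node_ingress_cidr` is set to the same range as the node subnet, each pair of rules becomes identical, so it is worth confirming that stack creation accepts that case or guarding the added rules with a condition.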