We firewall the undercloud, which is only listening on the
provisioning network anyway, but our default settings leave the
overcloud, which needs to be publicly accessible (for a
deployment-specific definition of "public"), wide open. This
seems like a bad default.
Anyone who is deploying additional services can either open the
firewall ports themselves as part of the deployment or can set the
ManageFirewall param to false.
Change-Id: I3731a0a7bc4be94c8e7a289c90d304599634e928
description: Template string to be used to generate instance names
type: string
ManageFirewall:
- default: false
+ default: true
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules:
Code Review / apex-tripleo-heat-templates.git / commitdiff