Merge pull request #564 from jichenjc/update_doc_ssh

k8s-ci-robot · web-flow · commit 29e6e0e12eac · 2020-06-17T22:32:04.000-07:00
update doc about ssh security group
diff --git a/api/v1alpha3/openstackcluster_types.go b/api/v1alpha3/openstackcluster_types.go
@@ -84,9 +84,10 @@ type OpenStackClusterSpec struct {
 	APIServerLoadBalancerAdditionalPorts []int `json:"apiServerLoadBalancerAdditionalPorts,omitempty"`
 
 	// ManagedSecurityGroups defines that kubernetes manages the OpenStack security groups
-	// for now, that means that we'll create two security groups, one allowing SSH
-	// and API access from everywhere, and another one that allows all traffic to/from
-	// machines belonging to that group. In the future, we could make this more flexible.
+	// for now, that means that we'll create security group allows traffic to/from
+	// machines belonging to that group based on Calico CNI plugin default network
+	// requirements: BGP and IP-in-IP for master node(s) and worker node(s) respectively.
+	// In the future, we could make this more flexible.
 	// +optional
 	ManagedSecurityGroups bool `json:"managedSecurityGroups"`
 
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
@@ -238,11 +238,12 @@ spec:
                   properties are mandatory: APIServerLoadBalancerFloatingIP, APIServerLoadBalancerPort'
                 type: boolean
               managedSecurityGroups:
-                description: ManagedSecurityGroups defines that kubernetes manages
-                  the OpenStack security groups for now, that means that we'll create
-                  two security groups, one allowing SSH and API access from everywhere,
-                  and another one that allows all traffic to/from machines belonging
-                  to that group. In the future, we could make this more flexible.
+                description: 'ManagedSecurityGroups defines that kubernetes manages
+                  the OpenStack security groups for now, that means that we''ll create
+                  security group allows traffic to/from machines belonging to that
+                  group based on Calico CNI plugin default network requirements: BGP
+                  and IP-in-IP for master node(s) and worker node(s) respectively.
+                  In the future, we could make this more flexible.'
                 type: boolean
               network:
                 description: If NodeCIDR cannot be set this can be used to detect
