Revision history
initial version

Tenant / Project Best Practice / Quick Start Templates

My apologies if this question has been asked before, but I am trying to define best practice / standards for tenants (projects), and most of the searches for OpenStack talk in depth about the underlay but not about the tenant environment. What would be great is if we had more reference designs / Heat orchestration templates to allow people to create a kind of "quick start" that has well-known security organisational approval and works (with little customisation) for most use cases.

What I want to achieve is at least the following:

  • What features to enable for each tenant or changes to policy.json to provide new roles like secops or secadm etc.
  • A set of standard virtual networks
    • private (for backend)
    • public (for frontend)
    • management (for bastion SSH access)
  • Use a selected RFC1918 range
  • Routing approach where more than one external network is used (e.g. on node,
  • Single vNIC on all VMs
  • A set of standard security groups that secure resources on the above
  • Shared services - what do these look like in OpenStack - do we need them?
  • Security best practice (beyond security groups e.g. FWaaS)
  • IPv6

I've looked at the GitHub resources for Heat and just don't find the level of detail or best practice.

Any suggestions? Thanks a lot! Ian

Tenant / Project Best Practice / Quick Start Templates

My apologies if this question has been asked before, but I am trying to define best practice / standards for tenants (projects), and most of the searches for OpenStack talk in depth about the underlay but not about the tenant environment. What would be great is if we had more reference designs / Heat orchestration templates to allow people to create a kind of "quick start" that has well-known security organisational approval and works (with little customisation) for most use cases.

What I want to achieve is at least the following:

  • What features to enable for each tenant or changes to policy.json to provide new roles like secops or secadm etc.
  • A set of standard virtual networks
    • private (for backend)
    • public (for frontend)
    • management (for bastion SSH access)
  • Use a selected user-defined RFC1918 range
  • Routing approach where more than one external network is used (e.g. on node,
  • Single vNIC on all VMs
  • A set of standard security groups that secure resources on the above
  • Shared services - what do these look like in OpenStack - do we need them?
  • Security best practice (beyond security groups e.g. FWaaS)
  • IPv6

I've looked at the GitHub resources for Heat and just don't find the level of detail or best practice.

Any suggestions? Thanks a lot! Ian