
Commit 0b5974e

author: carmat88 committed
Adding advanced topic doc - ingress port opening
1 parent be998bf commit 0b5974e

2 files changed: +32 -0 lines changed

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
Ingress Port Opening
2+
====================
3+
On some deployments you might need to manually configure ports in order to allow specific service traffic. This can be done by adding/modifying the field ``ports_ingress_tcp`` in the configuration file ``config.tfvars`` (which you should be familiar with by now). Default is equals to ``["22", "80", "443"]``. Let's suppose your newly deployed service required ports ``7443`` and ``9443`` to be opened, then one would modify the ``config.tfvars`` as follows::
4+
5+
# Cluster configuration
6+
provider = "openstack" # Cloud provider for this config
7+
cluster_prefix = "whatever" # Your cluster prefix
8+
kubeadm_token = "Aut0G3n3R8t3D" # Autogenerated kubeadm token
9+
floating_ip_pool = "default"
10+
external_network_uuid = "123a-456b-789c-..." # The uuid of the external network in the OpenStack tenancy
11+
ports_ingress_tcp = ["7443", "9443"]
12+
boot_image = "kubenow-v060b1"
13+
14+
# Master configuration
15+
master_flavor = "medium"
16+
master_as_edge = "true"
17+
18+
# Node configuration
19+
node_count = "3"
20+
node_flavor = "medium"
21+
....
22+
23+
So we've modified the field ``ports_ingress_tcp`` so to read **ports_ingress_tcp = [7443", "9443"]**.
24+
25+
To Keep in Mind
26+
~~~~~~~~~~~~~~~
27+
It is important to consider potential security risks to avoid future issues. While opening ports does put you more at risk than having none open, you are only in danger if an attack can exploit the service that is using that port. A port is not an all access pass to a cluster/network if an attacker happens upon it. Security is a complex topic indeed and can vary from case to case. Nevertheless here are some best practices for porper configuration:
28+
29+
- **Block by default**: block all traffic by default and explicitly allow only specific traffic to known services. This strategy provides good control over the traffic and reduces the possibility of a breach because of service misconfiguration.
30+
31+
- **Allow specific traffic**:in general the rules that you use to define network access should be as specific as possible. This strategy is referred to as *the principle of least privilege*, and it forces control over network traffic. In this case what you are specifying is a certain port (or list of them) for your services to be reachable from outside the cluster's network.
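Review bot: the worked example at line 11 of the new file (`ports_ingress_tcp = ["7443", "9443"]`) replaces the stated default of `["22", "80", "443"]` rather than extending it, because an assignment in `config.tfvars` overrides the variable's default; if that list is used directly as the ingress security-group rules, the reader who follows this page will drop SSH, HTTP and HTTPS from the cluster edge while adding the two new ports. Either state explicitly that the value is a full replacement and show `ports_ingress_tcp = ["22", "80", "443", "7443", "9443"]`, or document that the defaults are merged in by the provisioning code, and make the lead sentence ("adding/modifying the field") match whichever is true. Smaller points in the same hunk: the recap at line 23 is missing the opening quote (`[7443", "9443"]` should read `["7443", "9443"]`); "Default is equals to" should read "The default is"; "porper" should be "proper"; "traffic**:in general" needs a space after the colon; and the sentence "you are only in danger if an attack can exploit the service that is using that port" understates the risk, since an exposed port also widens the reconnaissance and brute-force surface (for example SSH on 22), which is the reason the "Block by default" bullet that follows exists.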

index.rst

Lines changed: 1 addition & 0 deletions
@@ -32,6 +32,7 @@ Welcome to KubeNow's documentation! This is a place where we aim to help you to
3232
advanced_topics/alternative-image
3333
advanced_topics/scale
3434
advanced_topics/provision
35+
advanced_topics/ingress-port-opening
3536

3637
.. toctree::
3738
:maxdepth: 2
