-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement a new API for managing Security Groups #1752
Comments
/assign EmilienM |
I think the original idea is to create a json file and describe the security group including its rules ? will the above proposal be same or customer need create a CR by themselves?
to confirm ,we still support pre-created sec group in openstack API layer then use in our template, correct? |
There have been discussions about this in various places, for example: I really like the way this is addressed in CAPA, which defines a CNIIngressRule resource, which could serve as an inspiration here as well. It might make sense to mirror their API/naming scheme where possible, to make it easier for users who are working with both providers. |
Me too, I very often take inspiration from CAPZ or CAPA when I think of new APIs in CAPO. However I also like to look at existing namings in CAPO and I think keeping it consistent with other fields is sometimes more helpful than trying to copy from other providers. |
Yes exactly.
I don't understand that question, but the customer provides the rules via the new API and CAPO manages the Security Group rules.
Yes, we should not touch that part and that's what I mean when I say "keep the option of (...)". |
let's use this KEP to discuss design: #1756 |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
/kind feature
How it works today
Currently, if
OpenStackCluster.spec.managedSecurityGroups
isTrue
, security groups will be created and added to the Bastion (if it exists), the control plane and the worker nodes respectively.By default, these groups have rules that allow the following traffic:
Additionally:
OpenStackMachineTemplate
, via itsOpenStackMachineSpec
and for the Bastion inOpenStackCluster
.OpenStackCluster.spec.allowAllInClusterTraffic
toTrue
. However, API server and node port traffic is still permitted from anywhere, as with the default rules.OpenStackCluster.spec.apiServerLoadBalancer.enabled
istrue
, it is possible to allow additional ports (both TCP & UDP will be opened!) from anywhere viaOpenStackCluster.spec.apiServerLoadBalancer.additionalPorts
.Proposed solution
2 options:
OpenStackCluster
, we want to design a new API that will allow our users to specify their security group rules for the Control Plane and the workers, and offer flexibility. CAPO will manage these rules. If no rules are provided, then we maintain the current behaviour of not managing any security group and it's up to the user to handle it.Or:
OpenStackSecurityGroup
and a new Controller (not necessarily by the way, the CRD can be managed byOpenStackCluster
controller?)And then:
OpenStackMachineTemplate
, via itsOpenStackMachineSpec
and for the Bastion inOpenStackCluster
. They'll not be exclusive to the provided rules in the new API, they'll be able to live together and both sets of rules will be applied to the machines.OpenStackCluster.spec.apiServerLoadBalancer.additionalPorts
as we'll have an API to create Control Plane Security Group rules (with more flexibility than we have now with this field). Conversion will happen between this parameter and the one one for Control Plane Security Group rules, for backward compatibility.OpenStackCluster.spec.managedSecurityGroups
toOpenStackCluster.spec.legacyManagedSecurityGroups
? However the new API will be mutually exclusive with the oldManagedSecurityGroups
field, to avoid complexity.OpenStackCluster.spec.allowAllInClusterTraffic
can be kept (otherwise upgrade path becomes complicated) and ingress/egress traffic will be allowed within the cluster through additional rules in the managed Control Plane & Worker security groups.API Change
or a new CRD.
The text was updated successfully, but these errors were encountered: