-
Notifications
You must be signed in to change notification settings - Fork 606
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[occm] Apply security groups #2554
Comments
What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. Current LoadBalancer interface will only be fed by LoadBalancer Services and there's no way to change that in the cloud-provider controller. Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
If implemented, we would need to consider how this interacts with CAPO managed security groups. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/kind feature
What happened:
Actually the security groups can be managed by OCCM just for load balancers.
What you expected to happen:
To enhance security, manage security groups for all
Service
resources when they are created.In other words, when a new
Service
resource is created, depending if it is aClusterNode
,ClusterIP
orLoadBalancer
type, add a security group to OpenStack instances to allow access to that service. It could be managed by existing OCCM component or a new one.Environment:
The text was updated successfully, but these errors were encountered: