Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[occm] remove SGs from non-existent nodes ports on Update #2696

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[occm] remove SGs from non-existent nodes ports on Update #2696

wants to merge 1 commit into from

Conversation

EmilienM
Copy link
Contributor

@EmilienM EmilienM commented Oct 21, 2024
edited
Loading

What this PR does / why we need it:

Update applyNodeSecurityGroupIDForLB() to also lookup ports that have the SG tag and detach the SG from the ports
that don't belong to the ports of the current list of Nodes.

This will ensure ports are cleaned up if a Node is being removed from a Loadbalancer.

Which issue this PR fixes(if applicable):
fixes #2695

Release note:

When a Node is removed from a load balancer, we'll now ensure that its ports don't have the security group associated
with the load balancer.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 21, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign fengyunpan2 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 21, 2024
@EmilienM
Copy link
Contributor Author

/cc dulek mdbooth

EmilienM
EmilienM commented Oct 21, 2024
View reviewed changes
pkg/openstack/loadbalancer_sg.go
@@ -63,7 +63,7 @@ func applyNodeSecurityGroupIDForLB(network *gophercloud.ServiceClient, svcConf *
continue
}

listOpts := neutronports.ListOpts{DeviceID: serverID}
listOpts := neutronports.ListOpts{}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this is an expensive request. I wonder if we can do better. The reason why I did it this way is to limit the number of API calls, but now this list might be really big in some deployments.

An alternative could be to make two queries: one that lists by SG and one that list by server ID.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will definitely increase the load

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an alternative could be another loop where we filter by SGs and update the ports... but it's also some load.

MaysaMacedo
MaysaMacedo reviewed Oct 22, 2024
View reviewed changes
pkg/openstack/loadbalancer_sg.go
@@ -75,6 +75,23 @@ func applyNodeSecurityGroupIDForLB(network *gophercloud.ServiceClient, svcConf *
continue
}

if port.DeviceID != serverID {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we have a check similar to line 101?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I actually think we can move the new block after L101, which will help to leave the loop earlier if the port isn't part of the LB's subnet.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 4, 2024
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MaysaMacedo MaysaMacedo MaysaMacedo left review comments

@kayrus kayrus kayrus left review comments

@anguslees anguslees Awaiting requested review from anguslees

@FengyunPan2 FengyunPan2 Awaiting requested review from FengyunPan2

@dulek dulek Awaiting requested review from dulek

@mdbooth mdbooth Awaiting requested review from mdbooth

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remove SGs from non-existent nodes ports on Update
4 participants
@EmilienM @k8s-ci-robot @kayrus @MaysaMacedo