WIP - New API for Security Groups
EmilienM committed Nov 20, 2023
1 parent 821a1a2 commit df38c23
Showing 8 changed files with 256 additions and 0 deletions.
2 changes: 2 additions & 0 deletions api/v1alpha5/zz_generated.conversion.go


2 changes: 2 additions & 0 deletions api/v1alpha6/zz_generated.conversion.go


14 changes: 14 additions & 0 deletions api/v1alpha7/openstackcluster_types.go
Expand Up @@ -118,6 +118,20 @@ type OpenStackClusterSpec struct {
// +optional
ManagedSecurityGroups bool `json:"managedSecurityGroups"`

// ControlPlaneSecurityGroup contains all the information about the OpenStack Security
// Group that needs to be applied to control plane nodes.
// By default, we will create a security group with rules that allow the Kubelet, etcd and
// the Kubernetes API server to function correctly.
// +optional
ControlPlaneSecurityGroup *SecurityGroup `json:"controlPlaneSecurityGroup,omitempty"`

// WorkerSecurityGroup contains all the information about the OpenStack Security
// Group that needs to be applied to worker nodes.
// By default, we will create a security group with rules that allow the Kubelet to
// function correctly.
// +optional
WorkerSecurityGroup *SecurityGroup `json:"workerSecurityGroup,omitempty"`

// AllowAllInClusterTraffic is only used when managed security groups are in use.
// If set to true, the rules for the managed security groups are configured so that all
// ingress and egress between cluster nodes is permitted, allowing CNIs other than
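Review bot: The doc comments on the two new fields promise "By default, we will create a security group", but the CRD schema generated from them (the `required: - id - name - rules` list under `controlPlaneSecurityGroup` and `workerSecurityGroup` further down this commit) means a user who sets either field must supply a full group including its id, so nothing is created for them, and a user who leaves it unset only gets the documented default if `ManagedSecurityGroups` is also true. `SecurityGroup` appears to be the same type the status already uses, so each rule also requires `securityGroupID` and `remoteGroupID`, values a user cannot know before the group exists. If the intent is to reference a pre-existing group, the comment should say so and state how it combines with `ManagedSecurityGroups`, e.g. `// ControlPlaneSecurityGroup references an existing security group to attach to control plane nodes in addition to any managed group.`; if the intent is user-specified rules with the group created by the controller, the type's fields presumably need `omitempty`/`+optional` instead. The OpenStackClusterSpec struct starts and ends outside the hunk.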
10 changes: 10 additions & 0 deletions api/v1alpha7/zz_generated.deepcopy.go


Expand Up @@ -4169,6 +4169,60 @@ spec:
allowing the Nova scheduler to make a decision on which az to use
based on other scheduling constraints
type: boolean
controlPlaneSecurityGroup:
description: ControlPlaneSecurityGroup contains all the information
about the OpenStack Security Group that needs to be applied to control
plane nodes. By default, we will create a security group with rules
that allow the Kubelet, etcd and the Kubernetes API server to function
correctly.
properties:
id:
type: string
name:
type: string
rules:
items:
description: SecurityGroupRule represent the basic information
of the associated OpenStack Security Group Role.
properties:
description:
type: string
direction:
type: string
etherType:
type: string
name:
type: string
portRangeMax:
type: integer
portRangeMin:
type: integer
protocol:
type: string
remoteGroupID:
type: string
remoteIPPrefix:
type: string
securityGroupID:
type: string
required:
- description
- direction
- etherType
- name
- portRangeMax
- portRangeMin
- protocol
- remoteGroupID
- remoteIPPrefix
- securityGroupID
type: object
type: array
required:
- id
- name
- rules
type: object
disableAPIServerFloatingIP:
description: DisableAPIServerFloatingIP determines whether or not
to attempt to attach a floating IP to the API server. This allows
Expand Down Expand Up @@ -4364,6 +4418,59 @@ spec:
type: string
type: array
x-kubernetes-list-type: set
workerSecurityGroup:
description: WorkerSecurityGroup contains all the information about
the OpenStack Security Group that needs to be applied to worker
nodes. By default, we will create a security group with rules that
allow the Kubelet to function correctly.
properties:
id:
type: string
name:
type: string
rules:
items:
description: SecurityGroupRule represent the basic information
of the associated OpenStack Security Group Role.
properties:
description:
type: string
direction:
type: string
etherType:
type: string
name:
type: string
portRangeMax:
type: integer
portRangeMin:
type: integer
protocol:
type: string
remoteGroupID:
type: string
remoteIPPrefix:
type: string
securityGroupID:
type: string
required:
- description
- direction
- etherType
- name
- portRangeMax
- portRangeMin
- protocol
- remoteGroupID
- remoteIPPrefix
- securityGroupID
type: object
type: array
required:
- id
- name
- rules
type: object
type: object
status:
description: OpenStackClusterStatus defines the observed state of OpenStackCluster.
Expand Up @@ -2027,6 +2027,60 @@ spec:
plane nodes, allowing the Nova scheduler to make a decision
on which az to use based on other scheduling constraints
type: boolean
controlPlaneSecurityGroup:
description: ControlPlaneSecurityGroup contains all the information
about the OpenStack Security Group that needs to be applied
to control plane nodes. By default, we will create a security
group with rules that allow the Kubelet, etcd and the Kubernetes
API server to function correctly.
properties:
id:
type: string
name:
type: string
rules:
items:
description: SecurityGroupRule represent the basic information
of the associated OpenStack Security Group Role.
properties:
description:
type: string
direction:
type: string
etherType:
type: string
name:
type: string
portRangeMax:
type: integer
portRangeMin:
type: integer
protocol:
type: string
remoteGroupID:
type: string
remoteIPPrefix:
type: string
securityGroupID:
type: string
required:
- description
- direction
- etherType
- name
- portRangeMax
- portRangeMin
- protocol
- remoteGroupID
- remoteIPPrefix
- securityGroupID
type: object
type: array
required:
- id
- name
- rules
type: object
disableAPIServerFloatingIP:
description: DisableAPIServerFloatingIP determines whether
or not to attempt to attach a floating IP to the API server.
Expand Down Expand Up @@ -2231,6 +2285,59 @@ spec:
type: string
type: array
x-kubernetes-list-type: set
workerSecurityGroup:
description: WorkerSecurityGroup contains all the information
about the OpenStack Security Group that needs to be applied
to worker nodes. By default, we will create a security group
with rules that allow the Kubelet to function correctly.
properties:
id:
type: string
name:
type: string
rules:
items:
description: SecurityGroupRule represent the basic information
of the associated OpenStack Security Group Role.
properties:
description:
type: string
direction:
type: string
etherType:
type: string
name:
type: string
portRangeMax:
type: integer
portRangeMin:
type: integer
protocol:
type: string
remoteGroupID:
type: string
remoteIPPrefix:
type: string
securityGroupID:
type: string
required:
- description
- direction
- etherType
- name
- portRangeMax
- portRangeMin
- protocol
- remoteGroupID
- remoteIPPrefix
- securityGroupID
type: object
type: array
required:
- id
- name
- rules
type: object
type: object
required:
- spec
10 changes: 10 additions & 0 deletions controllers/openstackmachine_controller.go
Expand Up @@ -509,6 +509,16 @@ func machineToInstanceSpec(openStackCluster *infrav1.OpenStackCluster, machine *
ID: managedSecurityGroup,
})
}
if openStackCluster.Spec.ControlPlaneSecurityGroup != nil && util.IsControlPlaneMachine(machine) && openStackCluster.Status.ControlPlaneSecurityGroup != nil {
instanceSpec.SecurityGroups = append(instanceSpec.SecurityGroups, infrav1.SecurityGroupFilter{
ID: openStackCluster.Status.ControlPlaneSecurityGroup.ID,
})
}
if openStackCluster.Spec.WorkerSecurityGroup != nil && !util.IsControlPlaneMachine(machine) && openStackCluster.Status.WorkerSecurityGroup != nil {
instanceSpec.SecurityGroups = append(instanceSpec.SecurityGroups, infrav1.SecurityGroupFilter{
ID: openStackCluster.Status.WorkerSecurityGroup.ID,
})
}

instanceSpec.Ports = openStackMachine.Spec.Ports

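Review bot: Both new branches gate on the new spec fields but take the ID from `openStackCluster.Status.ControlPlaneSecurityGroup` / `.Status.WorkerSecurityGroup`, and `ReconcileSecurityGroups` in this same commit still returns early when `ManagedSecurityGroups` is false, so with only the new spec fields set the status is presumably never populated and neither branch ever fires; when `ManagedSecurityGroups` is also true, the managed-group branch just above has likely already appended the same ID, leaving a duplicate in `instanceSpec.SecurityGroups`. Until the reconcile side lands, either read the ID from the spec field that was checked, or make the dependency explicit with `// Status.*SecurityGroup is populated by ReconcileSecurityGroups; nil until then.` and deduplicate against the managed group. Hoisting `isControlPlane := util.IsControlPlaneMachine(machine)` above the first branch would also avoid calling it twice with opposite polarity. machineToInstanceSpec starts and ends outside the hunk.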
4 changes: 4 additions & 0 deletions pkg/cloud/services/networking/securitygroups.go
Expand Up @@ -38,6 +38,10 @@ const (
// ReconcileSecurityGroups reconcile the security groups.
func (s *Service) ReconcileSecurityGroups(openStackCluster *infrav1.OpenStackCluster, clusterName string) error {
s.scope.Logger().Info("Reconciling security groups")

// When using the new API:
// Here we want to reconcile ControlPlane & Workers separately as they are optional

if !openStackCluster.Spec.ManagedSecurityGroups {
s.scope.Logger().V(4).Info("No need to reconcile security groups")
return nil
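Review bot: The comment added after the log line describes reconciling the control-plane and worker groups separately, but the `if !openStackCluster.Spec.ManagedSecurityGroups` early return immediately below it still exits before anything of the sort can happen, so a cluster that sets only the new `ControlPlaneSecurityGroup`/`WorkerSecurityGroup` fields gets no groups reconciled and nothing recorded in status. If the new fields are meant to work without `ManagedSecurityGroups`, the guard needs to consider them, e.g. `if !openStackCluster.Spec.ManagedSecurityGroups && openStackCluster.Spec.ControlPlaneSecurityGroup == nil && openStackCluster.Spec.WorkerSecurityGroup == nil {`. Given the WIP title this may be intentional, but then the comment should say the new path is not implemented yet, e.g. `// TODO: reconcile Spec.ControlPlaneSecurityGroup and Spec.WorkerSecurityGroup; currently only managed groups are handled.` The body of ReconcileSecurityGroups continues past the hunk.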
