[occm] Add SG to node ensure the different node's pods can access eac…

…h other Introduce a node security group, bind to every nodes and add rules to allow traffic from other nodes (From the node self or the node's pod) enter into the node that the security group bind to
kubernetes · Dec 13, 2023 · d639248 · d639248
1 parent f3e92a2
commit d639248
Show file tree

Hide file tree

Showing 3 changed files with 332 additions and 63 deletions.
diff --git a/pkg/openstack/loadbalancer.go b/pkg/openstack/loadbalancer.go
@@ -431,15 +431,6 @@ func getSecurityGroupName(service *corev1.Service) string {
 	return securityGroupName
 }
 
-func getSecurityGroupRules(client *gophercloud.ServiceClient, opts rules.ListOpts) ([]rules.SecGroupRule, error) {
-	mc := metrics.NewMetricContext("security_group_rule", "list")
-	page, err := rules.List(client, opts).AllPages()
-	if mc.ObserveRequest(err) != nil {
-		return nil, err
-	}
-	return rules.ExtractRules(page)
-}
-
 func getListenerProtocol(protocol corev1.Protocol, svcConf *serviceConfig) listeners.Protocol {
 	// Make neutron-lbaas code work
 	if svcConf != nil {
@@ -2338,7 +2329,7 @@ func (lbaas *LbaasV2) ensureAndUpdateOctaviaSecurityGroup(clusterName string, ap
 		cidrs = svcConf.allowedCIDR
 	}
 
-	existingRules, err := getSecurityGroupRules(lbaas.network, rules.ListOpts{SecGroupID: lbSecGroupID})
+	existingRules, err := openstackutil.GetSecurityGroupRules(lbaas.network, rules.ListOpts{SecGroupID: lbSecGroupID})
 	if err != nil {
 		return fmt.Errorf(
 			"failed to find security group rules in %s: %v", lbSecGroupID, err)