Security Group support for OpenStack Load Balancers #31921

Contributor

@grahamhayes grahamhayes commented Sep 1, 2016

Add Security Group Support for OpenStack Load Balancers:

fixes #29745
adds OpenStack support to the work done in #20392

Release note:

This allows security groups to be created and attached to the neutron
port that the load balancer is using on the subnet.

The security group ID that is assigned to the nodes needs to be
provided, to allow for traffic from the load balancer to the nodePort
to be reflected in the rules.

This adds two config items to the LoadBalancer options -

ManageSecurityGroups (bool)
NodeSecurityGroupID  (string)

This change is Reviewable
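
A model of the rule set the description above implies, as an added example that is not code from this pull request or from gophercloud. The `Rule` and `ServicePort` types, the group IDs and the client CIDR are constructed for illustration, and expressing "traffic from the load balancer" as a remote-group reference is an assumption. `Stale` goes one step beyond the description to show how rules that no longer match the service ports can be found.

```go
package main

import "fmt"

// Rule is a simplified ingress rule (illustrative; not gophercloud's type).
type Rule struct {
	GroupID       string // security group the rule belongs to
	Protocol      string
	Port          int
	RemoteCIDR    string // set when the rule admits a CIDR
	RemoteGroupID string // set when the rule admits only another group's members
}

// ServicePort pairs a Service port with its nodePort.
type ServicePort struct {
	Protocol       string
	Port, NodePort int
}

// DesiredRules: the load balancer group admits clients on each service port;
// the node group admits only the load balancer group on each nodePort.
func DesiredRules(lbGroupID, nodeGroupID, clientCIDR string, ports []ServicePort) []Rule {
	var rules []Rule
	for _, p := range ports {
		rules = append(rules,
			Rule{GroupID: lbGroupID, Protocol: p.Protocol, Port: p.Port, RemoteCIDR: clientCIDR},
			Rule{GroupID: nodeGroupID, Protocol: p.Protocol, Port: p.NodePort, RemoteGroupID: lbGroupID})
	}
	return rules
}

// Stale returns existing rules absent from desired, i.e. the ones to delete.
func Stale(existing, desired []Rule) []Rule {
	want := make(map[Rule]bool, len(desired))
	for _, r := range desired {
		want[r] = true
	}
	var stale []Rule
	for _, r := range existing {
		if !want[r] {
			stale = append(stale, r)
		}
	}
	return stale
}

func main() {
	fmt.Printf("%+v\n", DesiredRules("sg-lb", "sg-nodes", "0.0.0.0/0", []ServicePort{{"tcp", 80, 30080}}))
}
```

The node-side rule never carries a CIDR, so the nodePort stays closed to everything except members of the load balancer's group.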

@k8s-ci-robot
Contributor

Can a kubernetes member verify that this patch is reasonable
to test? If so, please reply "ok to test".

Regular contributors should join the org to skip this step.

@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. release-note-label-needed labels Sep 1, 2016
@grahamhayes grahamhayes force-pushed the openstack-loadbalancer-security-groups branch 3 times, most recently from ddbe005 to 2334c44 Compare September 5, 2016 02:07
@grahamhayes grahamhayes changed the title WIP: Security Group support for OpenStack Load Balancers Security Group support for OpenStack Load Balancers Sep 6, 2016
@xsgordon

xsgordon commented Sep 6, 2016

/cc @kubernetes/sig-openstack

@grahamhayes grahamhayes force-pushed the openstack-loadbalancer-security-groups branch from 2334c44 to b7b4cce Compare September 6, 2016 18:43
@k8s-github-robot k8s-github-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 6, 2016
@grahamhayes grahamhayes force-pushed the openstack-loadbalancer-security-groups branch 2 times, most recently from 59f1ec2 to cb39b80 Compare September 6, 2016 23:48
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Sep 6, 2016
@grahamhayes grahamhayes force-pushed the openstack-loadbalancer-security-groups branch from cb39b80 to 19fcb91 Compare September 7, 2016 00:28
return false, err
}

for _, rule := range ruleList {
Member

@anguslees anguslees Sep 7, 2016

Extremely minor point, but you can append lists with:

securityRules = append(securityRules, ruleList...)

Contributor Author

Done

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 8, 2016
To deal with Security Groups in kubernetes we need the gophercloud
code for groups and rules.

This adds the required vendored code
@dagnello dagnello force-pushed the openstack-loadbalancer-security-groups branch from e5c1b1e to 79523c3 Compare October 11, 2016 17:06
@dagnello
Contributor

@anguslees this pr has been rebased and is ready to merge. thanks

@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 11, 2016
@chrislovecnm
Contributor

@k8s-bot gci gce e2e test this

@mikedanese mikedanese added lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Oct 12, 2016
@k8s-github-robot

ok to test
@k8s-bot test this

pr builder appears to be missing, activating due to 'lgtm' label.

@k8s-ci-robot
Contributor

Jenkins verification failed for commit 79523c3. Full PR test history.

The magic incantation to run this job again is @k8s-bot verify test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

@k8s-ci-robot
Contributor

Jenkins GKE smoke e2e failed for commit 79523c3. Full PR test history.

The magic incantation to run this job again is @k8s-bot cvm gke e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

This allows security groups to be created and attached to the neutron
port that the loadbalancer is using on the subnet.

The security group ID that is assigned to the nodes needs to be
provided, to allow for traffic from the loadbalancer to the nodePort
to be reflected in the rules.

This adds two config items to the LoadBalancer options -

ManageSecurityGroups (bool)
NodeSecurityGroupID  (string)
@dagnello dagnello force-pushed the openstack-loadbalancer-security-groups branch from 79523c3 to ac20518 Compare October 13, 2016 22:42
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 13, 2016
@anguslees
Member

/lgtm

@k8s-github-robot k8s-github-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 14, 2016
@k8s-github-robot

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 95ccabd into kubernetes:master Oct 14, 2016
@grahamhayes grahamhayes deleted the openstack-loadbalancer-security-groups branch November 2, 2016 13:16
dims pushed a commit to dims/kubernetes that referenced this pull request Feb 8, 2018
…lancer-security-groups

Automatic merge from submit-queue

Security Group support for OpenStack Load Balancers
stefannica added a commit to stefannica/skuba that referenced this pull request Jun 22, 2020
When the OpenStack cloud provider is enabled, all cloud load
balancer instances created to reflect LoadBalancer type services
are automatically associated with the default security group in
the OpenStack project specified in the cloud provider configuration.
There is a cloud provider setting, manage-security-groups [1],
that can be enabled to allow the kubernetes OpenStack cloud provider
to manage load balancer security group rules automatically to match
the service ports.

The node-security-group setting has been deprecated [2] and is not
required anymore.

[1] kubernetes/kubernetes#31921
[2] kubernetes/kubernetes#58145
stefannica added a commit to stefannica/skuba that referenced this pull request Jun 22, 2020
Signed-off-by: Stefan Nica <snica@suse.com>
stefannica added a commit to stefannica/catapult that referenced this pull request Jun 23, 2020
c3y1huang pushed a commit to SUSE/skuba that referenced this pull request Jun 29, 2020
Successfully merging this pull request may close these issues.

OpenStack LBaaS integration missing Security Group Configuration