Security Group support for OpenStack Load Balancers #31921
Can a kubernetes member verify that this patch is reasonable
Regular contributors should join the org to skip this step.
/cc @kubernetes/sig-openstack
return false, err | ||
} | ||
|
||
for _, rule := range ruleList { |
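Review bot: the `return false, err` at the top of this hunk passes the error up unchanged, so the caller cannot tell which step of the security group handling failed. Wrapping it with context before returning, for example the ID of the group or port being processed, would make a failed load balancer update easier to trace from the controller logs.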
Extremely minor point, but you can append lists with:
securityRules = append(securityRules, ruleList...)
Done
To deal with Security Groups in kubernetes we need the gophercloud code for groups and rules. This adds the required vendored code
@anguslees this pr has been rebased and is ready to merge. thanks
@k8s-bot gci gce e2e test this
ok to test pr builder appears to be missing, activating due to 'lgtm' label.
Jenkins verification failed for commit 79523c3. Full PR test history. The magic incantation to run this job again is
Jenkins GKE smoke e2e failed for commit 79523c3. Full PR test history. The magic incantation to run this job again is
This allows security groups to be created and attached to the neutron port that the loadbalancer is using on the subnet. The security group ID that is assigned to the nodes needs to be provided, to allow for traffic from the loadbalancer to the nodePort to be reflected in the rules.

This adds two config items to the LoadBalancer options -
ManageSecurityGroups (bool)
NodeSecurityGroupID (string)
/lgtm
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
…lancer-security-groups

Automatic merge from submit-queue

Security Group support for OpenStack Load Balancers

**Add Security Group Support for OpenStack Load Balancers**:
fixes kubernetes#29745
adds OpenStack support to the work done in kubernetes#20392

**Release note**:
```
This allows security groups to be created and attached to the neutron port that the load balancer is using on the subnet. The security group ID that is assigned to the nodes needs to be provided, to allow for traffic from the load balancer to the nodePort to be reflected in the rules.

This adds two config items to the LoadBalancer options -
ManageSecurityGroups (bool)
NodeSecurityGroupID (string)
```
When the OpenStack cloud provider is enabled, all cloud load balancer instances created to reflect LoadBalancer type services are automatically associated with the default security group in the OpenStack project specified in the cloud provider configuration.

There is a cloud provider setting, manage-security-groups [1], that can be enabled to allow the kubernetes OpenStack cloud provider to manage load balancer security group rules automatically to match the service ports. The node-security-group setting has been deprecated [2] and is not required anymore.

[1] kubernetes/kubernetes#31921
[2] kubernetes/kubernetes#58145

Signed-off-by: Stefan Nica <snica@suse.com>
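The rule management described in the commit messages above, sketched as an added example (not code from the pull request or from the Kubernetes OpenStack provider): the rules one load balancer needs, plus detection of rules left over after the service ports change. The `ServicePort` and `Rule` types, the `DesiredRules` and `Stale` helpers, the group IDs and the client CIDR are all assumptions made for illustration.

```go
package main

import "fmt"

// ServicePort is one port of a LoadBalancer Service (type constructed for this example).
type ServicePort struct {
	Protocol       string
	Port, NodePort int
}

// Rule is a simplified ingress rule; hypothetical, not a gophercloud type.
type Rule struct {
	GroupID, Protocol string
	Port              int
	RemoteCIDR        string // source network, for client traffic
	RemoteGroupID     string // source security group, for LB-to-node traffic
}

// DesiredRules: the LB group admits clients on each service port, and the
// node group admits only members of the LB group on each nodePort.
func DesiredRules(lbGroup, nodeGroup string, cidrs []string, ports []ServicePort) []Rule {
	var rules []Rule
	for _, p := range ports {
		for _, c := range cidrs {
			rules = append(rules, Rule{GroupID: lbGroup, Protocol: p.Protocol, Port: p.Port, RemoteCIDR: c})
		}
		rules = append(rules, Rule{GroupID: nodeGroup, Protocol: p.Protocol, Port: p.NodePort, RemoteGroupID: lbGroup})
	}
	return rules
}

// Stale returns existing rules that no longer match the service ports and
// should be deleted so that old nodePorts do not stay reachable.
func Stale(existing, desired []Rule) []Rule {
	want := make(map[Rule]bool, len(desired))
	for _, r := range desired {
		want[r] = true
	}
	var stale []Rule
	for _, r := range existing {
		if !want[r] {
			stale = append(stale, r)
		}
	}
	return stale
}

func main() {
	// Constructed sample: the service moves from port 80 to port 443.
	old := DesiredRules("sg-lb", "sg-nodes", []string{"0.0.0.0/0"}, []ServicePort{{"tcp", 80, 30080}})
	now := DesiredRules("sg-lb", "sg-nodes", []string{"0.0.0.0/0"}, []ServicePort{{"tcp", 443, 30443}})
	fmt.Println("create:", now)
	fmt.Println("delete:", Stale(old, now))
}
```

Scoping the node-side rule to the load balancer's group rather than to a CIDR keeps the nodePort closed to everything except the load balancer port.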
Add Security Group Support for OpenStack Load Balancers:
fixes #29745
adds OpenStack support to the work done in #20392
Release note: