Bug 1834858: Kuryr: Remove old SG rules on upgrade #637
This commit ensures the security groups are limiting access to the minimum required.
Some of the prometheus metrics endpoints we have in the cluster are running on the host networking. Those endpoints need to be accessible from the pod subnet. This means that we should add some more security group rules on the masters and workers SGs to allow prometheus pods to reach those endpoints. This commit does so, while doing some refactoring to make increasing number of SG rules more manageable in Kuryr bootstrap code.
In order to support updates in the SG rules added on Kuryr bootstrap we need to make sure the security groups that got replaced by others are removed. This commit, by maintaining a list of "decommissioned" SG rules, will make sure we delete them on upgrade.
@dulek: This pull request references Bugzilla bug 1834858, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@dulek: This pull request references Bugzilla bug 1834858, which is valid. 6 validation(s) were run on this bug
/hold This needs to wait for #621 to be merged as it includes commits of it.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dulek, MaysaMacedo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retitle Bug 1834858: Kuryr: Remove old SG rules on upgrade
#621 has merged
@dulek: All pull requests linked via external trackers have merged: openshift/cluster-network-operator#637. Bugzilla bug 1834858 has been moved to the MODIFIED state. In response to this:
In order to support updates in the SG rules added on Kuryr bootstrap we
need to make sure the security groups that got replaced by others are
removed. This commit, by maintaining a list of "decommissioned" SG rules,
will make sure we delete them on upgrade.
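
One way to implement the decommissioned-rule cleanup described in this PR, as an added Go example that is not the operator's own code. The `Rule` type, the `Reconcile` function and all sample CIDRs, ports and IDs are assumptions made for illustration.

```go
package main

import "fmt"

// Rule is a simplified security group rule (hypothetical type for this example).
type Rule struct {
	ID, Direction, Protocol, RemoteCIDR string // ID is set only on rules read from the cloud
	PortMin, PortMax                    int
}

// key identifies a rule by what it permits, ignoring the cloud-assigned ID.
func (r Rule) key() string {
	return fmt.Sprintf("%s|%s|%d-%d|%s", r.Direction, r.Protocol, r.PortMin, r.PortMax, r.RemoteCIDR)
}

// Reconcile returns the IDs of existing rules to delete and the desired rules
// that still have to be created. Only rules on the decommissioned list are
// deleted; rules the bootstrap code never owned are left untouched.
func Reconcile(existing, desired, decommissioned []Rule) (deleteIDs []string, create []Rule) {
	want, old, have := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, r := range desired {
		want[r.key()] = true
	}
	for _, r := range decommissioned {
		old[r.key()] = true
	}
	for _, r := range existing {
		have[r.key()] = true
		if old[r.key()] && !want[r.key()] { // replaced by a narrower rule
			deleteIDs = append(deleteIDs, r.ID)
		}
	}
	for _, r := range desired {
		if !have[r.key()] {
			have[r.key()] = true // do not create the same rule twice
			create = append(create, r)
		}
	}
	return deleteIDs, create
}

func main() {
	// Constructed sample values: CIDRs, ports and IDs are illustrative only.
	broad := Rule{Direction: "ingress", Protocol: "tcp", RemoteCIDR: "0.0.0.0/0", PortMin: 1, PortMax: 65535}
	metrics := Rule{Direction: "ingress", Protocol: "tcp", RemoteCIDR: "10.128.0.0/14", PortMin: 9100, PortMax: 9100}
	admin := Rule{ID: "r-admin", Direction: "ingress", Protocol: "tcp", RemoteCIDR: "192.0.2.0/24", PortMin: 22, PortMax: 22}
	live := broad
	live.ID = "r-old"
	del, add := Reconcile([]Rule{live, admin}, []Rule{metrics}, []Rule{broad})
	fmt.Println("delete:", del, "create:", add)
}
```

Matching on rule content rather than ID keeps the cleanup idempotent across upgrades, and a rule that appears on both the desired and decommissioned lists is kept.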