Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1834858: Kuryr: Remove old SG rules on upgrade #637

Merged
merged 3 commits into from May 14, 2020
Merged

Bug 1834858: Kuryr: Remove old SG rules on upgrade #637

merged 3 commits into from May 14, 2020

Conversation

dulek
Copy link
Contributor

@dulek dulek commented May 12, 2020
edited

In order to support updates in the SG rules added on Kuryr bootstrap we
need to make sure the security groups that got replaced by others are
removed. This commit, by maintaing list of "decommissioned" SG rules,
will make sure we delete them on upgrade.

MaysaMacedo and others added 3 commits May 7, 2020 15:32
@MaysaMacedo @dulek
Tighten security groups
3266a46 
This commit ensures the security group are limiting access
to the minimum required.
@dulek
Kuryr: Open metric endpoint ports from pod subnets
c12c578 
Some of the prometheus metrics endpoints we have in the cluster are
running on the host networking. Those endpoints need to be accessible
from the pod subnet. This means that we should add some more security
group rules on the masters and workers SGs to allow prometheus pods to
reach those endpoints.

This commit does so, while doing some refactoring to make increasing
numer of SG rules more manageable in Kuryr bootstrap code.
@dulek
Kuryr: Remove old SG rules on upgrade
6830526 
In order to support updates in the SG rules added on Kuryr bootstrap we
need to make sure the security groups that got replaced by others are
removed. This commit, by maintaing list of "decommissioned" SG rules,
will make sure we delete them on upgrade.
@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels May 12, 2020
@openshift-ci-robot
Copy link
Contributor

@dulek: This pull request references Bugzilla bug 1834858, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.3.z) matches configured target release for branch (4.3.z)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1832899 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1832899 targets the "4.4.z" release, which is one of the valid target releases: 4.4.0, 4.4.z
  • bug has dependents

In response to this:

[release-4.3] Bug 1834858: Kuryr remove sgr upgrade 4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 12, 2020
@openshift-ci-robot
Copy link
Contributor

@dulek: This pull request references Bugzilla bug 1834858, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.3.z) matches configured target release for branch (4.3.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 1832899 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
  • dependent Bugzilla bug 1832899 targets the "4.4.z" release, which is one of the valid target releases: 4.4.0, 4.4.z
  • bug has dependents

In response to this:

[release-4.3] Bug 1834858: Kuryr remove sgr upgrade 4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dulek dulek changed the title [release-4.3] Bug 1834858: Kuryr remove sgr upgrade 4.3 [release-4.3] Bug 1834858: Kuryr: Remove old SG rules on upgrade May 12, 2020
@dulek
Copy link
Contributor Author

dulek commented May 12, 2020

/hold

This needs to wait for #621 to be merged as it includes commits of it.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 12, 2020
@dulek dulek mentioned this pull request May 12, 2020
Merged
@MaysaMacedo
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 12, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dulek, MaysaMacedo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sdodson
Copy link
Member

sdodson commented May 13, 2020

/retitle Bug 1834858: Kuryr: Remove old SG rules on upgrade

@openshift-ci-robot openshift-ci-robot changed the title [release-4.3] Bug 1834858: Kuryr: Remove old SG rules on upgrade Bug 1834858: Kuryr: Remove old SG rules on upgrade May 13, 2020
@sdodson sdodson added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label May 13, 2020
@sdodson
Copy link
Member

sdodson commented May 13, 2020

#621 has merged
/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 13, 2020
@openshift-merge-robot openshift-merge-robot merged commit a4299ed into openshift:release-4.3 May 14, 2020
@openshift-ci-robot
Copy link
Contributor

@dulek: All pull requests linked via external trackers have merged: openshift/cluster-network-operator#637. Bugzilla bug 1834858 has been moved to the MODIFIED state.

In response to this:

Bug 1834858: Kuryr: Remove old SG rules on upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@celebdor celebdor Awaiting requested review from celebdor

@luis5tb luis5tb Awaiting requested review from luis5tb

Assignees

@MaysaMacedo MaysaMacedo

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@dulek @openshift-ci-robot @MaysaMacedo @sdodson @openshift-merge-robot