openstack UPI: Replace remote_group_id in SGs
OpenStack with OVS has an issue where security groups using
remote_group_id can be very slow, leading to OVS dropping packets.

https://bugzilla.redhat.com/show_bug.cgi?id=1703947

Use remote_ip_prefix instead to work around the issue.
pierreprinetti authored and openshift-cherrypick-robot committed Apr 17, 2020
1 parent da76129 commit b8b95a0
Showing 1 changed file with 19 additions and 155 deletions.
174 changes: 19 additions & 155 deletions upi/openstack/01_security-groups.yaml
Expand Up @@ -81,167 +81,87 @@
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
port_range_min: 4789
port_range_max: 4789

- name: 'Create master-sg rule "VXLAN from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 4789
port_range_max: 4789

- name: 'Create master-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
port_range_min: 6081
port_range_max: 6081

- name: 'Create master-sg rule "Geneve from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 6081
port_range_max: 6081

- name: 'Create master-sg rule "ovndb"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 6641
port_range_max: 6642

- name: 'Create master-sg rule "ovndb from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 6641
port_range_max: 6642

- name: 'Create master-sg rule "master ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create master-sg rule "master ingress internal from worker (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create master-sg rule "master ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create master-sg rule "master ingress internal from worker (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create master-sg rule "kube scheduler"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 10259
port_range_max: 10259

- name: 'Create master-sg rule "kube scheduler from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10259
port_range_max: 10259

- name: 'Create master-sg rule "kube controller manager"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 10257
port_range_max: 10257

- name: 'Create master-sg rule "kube controller manager from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10257
port_range_max: 10257

- name: 'Create master-sg rule "master ingress kubelet secure"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 10250
port_range_max: 10250

- name: 'Create master-sg rule "master ingress kubelet secure from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10250
port_range_max: 10250

- name: 'Create master-sg rule "etcd"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 2379
port_range_max: 2380

- name: 'Create master-sg rule "master ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create master-sg rule "master ingress services (TCP) from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create master-sg rule "master ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create master-sg rule "master ingress services (UDP) from worker"'
os_security_group_rule:
security_group: "{{ os_sg_master }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767

Expand Down Expand Up @@ -298,111 +218,55 @@
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
port_range_min: 4789
port_range_max: 4789

- name: 'Create worker-sg rule "VXLAN from master"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 4789
port_range_max: 4789

- name: 'Create worker-sg rule "Geneve"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
port_range_min: 6081
port_range_max: 6081

- name: 'Create worker-sg rule "Geneve from master"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 6081
port_range_max: 6081

- name: 'Create worker-sg rule "worker ingress internal (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create worker-sg rule "worker ingress internal from master (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create worker-sg rule "worker ingress internal (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create worker-sg rule "worker ingress internal from master (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 9000
port_range_max: 9999

- name: 'Create worker-sg rule "worker ingress kubelet secure"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
port_range_min: 10250
port_range_max: 10250

- name: 'Create worker-sg rule "worker ingress kubelet secure from master"'
- name: 'Create worker-sg rule "worker ingress kubelet insecure"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 10250
port_range_max: 10250

- name: 'Create worker-sg rule "worker ingress services (TCP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_worker }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create worker-sg rule "worker ingress services (TCP) from master"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: tcp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create worker-sg rule "worker ingress services (UDP)"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_worker }}"
port_range_min: 30000
port_range_max: 32767

- name: 'Create worker-sg rule "worker ingress services (UDP) from master"'
os_security_group_rule:
security_group: "{{ os_sg_worker }}"
protocol: udp
remote_group: "{{ os_sg_master }}"
remote_ip_prefix: "{{ os_subnet_range }}"
port_range_min: 30000
port_range_max: 32767

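Review bot: Every rule in both hunks now trusts the whole `os_subnet_range` CIDR instead of security-group membership, so the etcd (2379-2380), ovndb (6641-6642) and kubelet (10250) rules become reachable from any port on that subnet rather than only from master and worker instances; the commit message presents this purely as a performance workaround, so the widened trust boundary should be stated where the rules are defined, e.g. `# remote_ip_prefix is used instead of remote_group because of the OVS issue in bz1703947; this trusts every address in os_subnet_range, so keep that subnet dedicated to cluster nodes.` If `os_subnet_range` is undefined or renders empty, `remote_ip_prefix: ""` presumably leaves the rule with no source restriction at all (Neutron's default is any source), so an `assert` task on the variable before the first os_security_group_rule task would turn a silently open rule into a failed playbook. Separately, the new task name `worker ingress kubelet insecure` in the worker section covers port 10250, which the master section calls `master ingress kubelet secure`; renaming it `'Create worker-sg rule "worker ingress kubelet secure"'` keeps the two sections consistent and avoids labelling the TLS kubelet port as insecure. The task containing the first lines of each hunk starts above the hunk, so the first rule's name is not visible here.
```yaml
# Fail early: an undefined or empty os_subnet_range would leave remote_ip_prefix
# empty and the rules below without any source restriction.
- name: 'Assert os_subnet_range is set'
  assert:
    that:
      - os_subnet_range is defined
      - os_subnet_range | length > 0
    fail_msg: 'os_subnet_range must be the CIDR of the cluster nodes subnet'

# … unchanged: os_security_group_rule tasks …
```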
