gardener / gardener-extension-provider-openstack

Gardener extension controller for the OpenStack cloud provider (https://openstack.org).
https://gardener.cloud
Apache License 2.0

Configurable OpenStack SecurityGroups #389

Open elenz97 opened 2 years ago

elenz97 commented 2 years ago

How to categorize this issue?

/area networking /kind enhancement /platform openstack

What would you like to be added:

A configuration option to specify custom OpenStack SecurityGroups using this extension. From what I know, customizing OpenStack SecurityGroups should only be possible by specifying the desired configuration in the templates inside ./pkg/internal/infrastructure/templates. As of now, the rules specified in main.tpl.tf are static and use openstack_networking_secgroup_v2.cluster.[id|name] to bind to the desired cluster.

Why is this needed:

Apparently, the OpenStack SecurityGroups that are deployed via this extension cannot be configured externally, as they are statically baked into the template - please correct me if I'm wrong on this. However, the default rules created are undesirable in production use-cases, since they enable all TCP/UDP traffic from/to any network source.

I'd be glad to get any hint on supporting the above using this extension. If there is a chance of implementing this in a reasonable way, I'd also be ready to prepare a PR for it.


Since the project seems to be transitioning away from the usage of Terraform (https://github.com/gardener/gardener-extension-provider-openstack/issues/362), the implementation of this doesn't have to be in the form of extending the existing templates. This might rather be seen as a good occasion to migrate the logic into a Go package using the gophercloud SDK instead.
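As an added illustration of what a user-facing security group rule option could validate before anything is sent to OpenStack (example code written for this thread, not part of the extension), the following Go snippet checks one rule structurally and rejects the ingress "all ports from any source" shape the post above describes as unsafe in production. The `Rule` type and its field names are assumptions for the example; the port and prefix semantics follow OpenStack's (an unset port range means all ports, a /0 prefix means any address).

```go
package main

import (
	"fmt"
	"net"
)

// Rule is a hypothetical shape for one user-supplied security group rule; the
// field names are an assumption for this example, not the extension's real API.
type Rule struct {
	Direction  string // "ingress" or "egress"
	Protocol   string // "tcp", "udp", "icmp", or "" for any protocol
	PortMin    int    // PortMin == PortMax == 0 means all ports (OpenStack semantics)
	PortMax    int
	RemoteCIDR string // remote prefix; "" means any address
}

// Validate checks a rule structurally and rejects the ingress "all ports from any source" shape.
func Validate(r Rule) error {
	if r.Direction != "ingress" && r.Direction != "egress" {
		return fmt.Errorf("direction must be ingress or egress, got %q", r.Direction)
	}
	if p := r.Protocol; p != "" && p != "tcp" && p != "udp" && p != "icmp" {
		return fmt.Errorf("unsupported protocol %q", p)
	}
	allPorts := r.PortMin == 0 && r.PortMax == 0
	if !allPorts && (r.PortMin < 1 || r.PortMax > 65535 || r.PortMin > r.PortMax) {
		return fmt.Errorf("invalid port range %d-%d", r.PortMin, r.PortMax)
	}
	allPorts = allPorts || (r.PortMin == 1 && r.PortMax == 65535)
	anySource := r.RemoteCIDR == ""
	if !anySource {
		_, ipnet, err := net.ParseCIDR(r.RemoteCIDR)
		if err != nil {
			return fmt.Errorf("remote CIDR %q: %w", r.RemoteCIDR, err)
		}
		ones, _ := ipnet.Mask.Size() // a /0 prefix (0.0.0.0/0 or ::/0) matches every address
		anySource = ones == 0
	}
	if r.Direction == "ingress" && allPorts && anySource && r.Protocol != "icmp" {
		return fmt.Errorf("ingress rule admits all %q traffic from any source; scope ports or remote CIDR", r.Protocol)
	}
	return nil
}

func main() {
	open := Rule{Direction: "ingress", Protocol: "tcp", PortMin: 1, PortMax: 65535, RemoteCIDR: "0.0.0.0/0"}
	scoped := Rule{Direction: "ingress", Protocol: "tcp", PortMin: 443, PortMax: 443, RemoteCIDR: "10.250.0.0/16"}
	fmt.Println(Validate(open), Validate(scoped))
}
```

Egress rules are left unrestricted here on purpose, since the concern in the post is unscoped inbound access; the same check could be extended to egress if a deployment needs it.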

elenz97 commented 2 years ago

Hello, could anyone give me an update on the above?

gardener-robot commented 2 years ago

@SvenMW Command /add is not available to you but only to a Maintainer, Member, Author.