kubernetes / cloud-provider-openstack

Apache License 2.0

[occm] Apply security groups #2554

Open framctr opened 7 months ago

framctr commented 7 months ago

/kind feature

What happened: Currently, security groups can be managed by OCCM only for load balancers.

What you expected to happen: To enhance security, manage security groups for all Service resources when they are created.

In other words, when a new Service resource is created, depending on whether it is a ClusterNode, ClusterIP or LoadBalancer type, add a security group to the OpenStack instances to allow access to that service. It could be managed by the existing OCCM component or by a new one.

Environment:

dulek commented 6 months ago

What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. The current LoadBalancer interface will only be fed by LoadBalancer Services, and there's no way to change that in the cloud-provider controller.

Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI, which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that.

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

framctr commented 3 months ago

/remove-lifecycle stale

mdbooth commented 3 months ago

If implemented, we would need to consider how this interacts with CAPO managed security groups.
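To make the two points above concrete (dulek's note that a separate controller would have to derive rules per Service type, and mdbooth's concern about colliding with CAPO-managed security groups), here is a sketch of the reconciliation logic such a controller would need. This is an added example written for this page, not code from cloud-provider-openstack or from anyone in the thread. It assumes hypothetical security group IDs (`sg-node`, `sg-lb`), a hypothetical ownership marker in the rule description used to distinguish the controller's own rules from CAPO's, and a simplified Service type defined inline instead of the k8s.io/api types; the OpenStack API calls that would create or delete the rules are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the Service fields this example needs; constructed
// for the example, not the k8s.io/api types.
type ServiceType string

const (
	ClusterIP    ServiceType = "ClusterIP"
	NodePort     ServiceType = "NodePort"
	LoadBalancer ServiceType = "LoadBalancer"
)

type ServicePort struct {
	Protocol string // "TCP" or "UDP"
	Port     int32  // port exposed by the load balancer
	NodePort int32  // allocated for NodePort and LoadBalancer Services
}

type Service struct {
	Namespace, Name string
	Type            ServiceType
	Ports           []ServicePort
	SourceRanges    []string // LoadBalancerSourceRanges; empty means anywhere
}

// SGRule is the subset of an OpenStack security group rule the controller would manage.
type SGRule struct {
	SecurityGroup string // target group ID (hypothetical values in the usage)
	Protocol      string
	PortMin       int32
	PortMax       int32
	RemoteCIDR    string
	Description   string
}

// Hypothetical ownership marker so the controller only ever deletes rules it
// created itself and leaves CAPO-managed or operator-created rules alone.
const managedPrefix = "k8s-service:"

func (r SGRule) key() string {
	return fmt.Sprintf("%s|%s|%d|%d|%s", r.SecurityGroup, strings.ToLower(r.Protocol), r.PortMin, r.PortMax, r.RemoteCIDR)
}

// DesiredRules derives the rules a Service needs. nodeSG is the group on the
// worker instances, lbSG the group on the load balancer port, and lbSubnet the
// CIDR the load balancer addresses come from (all assumed inputs).
func DesiredRules(svc Service, nodeSG, lbSG, lbSubnet string) []SGRule {
	desc := managedPrefix + svc.Namespace + "/" + svc.Name
	var rules []SGRule
	switch svc.Type {
	case ClusterIP:
		// Only reachable inside the cluster: when the CNI tunnels that traffic,
		// one SG rule for the tunnel already covers it, so nothing per Service.
		return nil
	case NodePort:
		for _, p := range svc.Ports {
			if p.NodePort != 0 {
				rules = append(rules, SGRule{nodeSG, p.Protocol, p.NodePort, p.NodePort, "0.0.0.0/0", desc})
			}
		}
	case LoadBalancer:
		srcs := svc.SourceRanges
		if len(srcs) == 0 {
			srcs = []string{"0.0.0.0/0"}
		}
		for _, p := range svc.Ports {
			for _, src := range srcs {
				rules = append(rules, SGRule{lbSG, p.Protocol, p.Port, p.Port, src, desc})
			}
			// The LB forwards to the NodePort, so open it to the LB subnet only.
			if p.NodePort != 0 {
				rules = append(rules, SGRule{nodeSG, p.Protocol, p.NodePort, p.NodePort, lbSubnet, desc})
			}
		}
	}
	return rules
}

func contains(rules []SGRule, r SGRule) bool {
	for _, x := range rules {
		if x.key() == r.key() {
			return true
		}
	}
	return false
}

// Diff returns the rules to create and delete. Unmarked rules (e.g. CAPO's)
// satisfy a desired rule if they match, but are never deleted.
func Diff(desired, existing []SGRule) (create, del []SGRule) {
	have := map[string]bool{}
	for _, e := range existing {
		have[e.key()] = true
		if strings.HasPrefix(e.Description, managedPrefix) && !contains(desired, e) {
			del = append(del, e)
		}
	}
	for _, d := range desired {
		if !have[d.key()] {
			create = append(create, d)
		}
	}
	return create, del
}

func main() {
	svc := Service{Namespace: "default", Name: "web", Type: LoadBalancer,
		Ports: []ServicePort{{Protocol: "TCP", Port: 443, NodePort: 30443}}}
	for _, r := range DesiredRules(svc, "sg-node", "sg-lb", "10.0.1.0/24") {
		fmt.Printf("%+v\n", r)
	}
}
```

The ownership marker is the part that addresses the CAPO interaction: a controller that deleted every rule it did not expect would tear down the cluster's own node rules on its first reconcile, so it must restrict deletion to rules carrying its own marker and treat everything else as read-only.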

k8s-triage-robot commented 2 weeks ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale