Open framctr opened 7 months ago
What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. Current LoadBalancer interface will only be fed by LoadBalancer Services and there's no way to change that in the cloud-provider controller.
Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
If implemented, we would need to consider how this interacts with CAPO managed security groups.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/kind feature
What happened: Actually the security groups can be managed by OCCM just for load balancers.
What you expected to happen: To enhance security, manage security groups for all
Service
resources when they are created.In other words, when a new
Service
resource is created, depending if it is aClusterNode
,ClusterIP
orLoadBalancer
type, add a security group to OpenStack instances to allow access to that service. It could be managed by existing OCCM component or a new one.Environment: