[occm] Apply security groups

[framctr]

/kind feature

What happened:
Actually the security groups can be managed by OCCM just for load balancers.

What you expected to happen:
To enhance security, manage security groups for all Service resources when they are created.

In other words, when a new Service resource is created, depending if it is a ClusterNode, ClusterIP or LoadBalancer type, add a security group to OpenStack instances to allow access to that service. It could be managed by existing OCCM component or a new one.

Environment:

• openstack-cloud-controller-manager version: any
• OpenStack version: any

[dulek]

What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. Current LoadBalancer interface will only be fed by LoadBalancer Services and there's no way to change that in the cloud-provider controller.

Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that.