You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What happened:
Actually the security groups can be managed by OCCM just for load balancers.
What you expected to happen:
To enhance security, manage security groups for all Service resources when they are created.
In other words, when a new Service resource is created, depending if it is a ClusterNode, ClusterIP or LoadBalancer type, add a security group to OpenStack instances to allow access to that service. It could be managed by existing OCCM component or a new one.
Environment:
openstack-cloud-controller-manager version: any
OpenStack version: any
The text was updated successfully, but these errors were encountered:
What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. Current LoadBalancer interface will only be fed by LoadBalancer Services and there's no way to change that in the cloud-provider controller.
Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that.
/kind feature
What happened:
Actually the security groups can be managed by OCCM just for load balancers.
What you expected to happen:
To enhance security, manage security groups for all
Service
resources when they are created.In other words, when a new
Service
resource is created, depending if it is aClusterNode
,ClusterIP
orLoadBalancer
type, add a security group to OpenStack instances to allow access to that service. It could be managed by existing OCCM component or a new one.Environment:
The text was updated successfully, but these errors were encountered: