Bug 1691025
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Add an ACL API to the load balancer API | | |
| Product | Red Hat OpenStack | Reporter | Carlos Goncalves <cgoncalves> |
| Component | openstack-octavia | Assignee | Carlos Goncalves <cgoncalves> |
| Status | CLOSED ERRATA | QA Contact | Bruna Bonguardo <bbonguar> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 16.0 (Train) | CC | atragler, bbonguar, ccopello, dcadzow, gregraka, ihrachys, jschluet, lpeer, majopela, nlevinki, scohen, shrjoshi, tfreger |
| Target Milestone | Upstream M3 | Keywords | FutureFeature, Triaged |
| Target Release | 16.0 (Train on RHEL 8.1) | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | openstack-octavia-5.0.1-0.20191126050550.3d28fd5.el8ost | Doc Type | Enhancement |
| Doc Text | You can now use the Octavia API to create a VIP access control list (ACL) to limit incoming traffic to a listener to a set of allowed source IP addresses (CIDRs). Any other incoming traffic is rejected. For more information, see "Secure a load balancer with an access control list" in the "Networking Guide." | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-02-06 14:39:53 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1757961 | | |
Description
Carlos Goncalves
2019-03-20 16:37:35 UTC
Hi Carlos, is it possible to add a scenario tempest test during the development cycle of this feature? It will help us a lot since the amount of QE work during the OSP16 cycle is huge.

I cannot commit to having a tempest scenario in time for GA as work to implement this feature hasn't started yet. We'll do our best. Tests from kuryr/ShiftOnStack could also validate this work as this originally came as a request from their side.

RFE patches merged upstream for Train.

Verification steps:

1. Create a load balancer with a listener and members.
2. Assert traffic can be reached between the user and the members.
3. Update the listener with --allowed-cidr 99.99.99.99/24. Verify the user cannot reach the members.
4. Update the listener with --allowed-cidr <CIDR_THAT_INCLUDES_USER_CIDR>. Verify the user can reach the members.

```
[stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed
16-trunk -p RHOS_TRUNK-16.0-RHEL-8-20191126.n.2
[2019-12-09 13:55:30] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T12:59:57                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | None                                 |
+-----------------------------+--------------------------------------+
[2019-12-09 14:39:36] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener list
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| id                                   | default_pool_id                      | name                                | project_id                       | protocol | protocol_port | admin_state_up |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| 497e7a42-920c-47e8-b40c-bfa2887d6d32 | eb5fd630-fdc8-4a68-ac7d-aef160293038 | lbtreevmshttp-listener-22lnuixpbb2a | a1bb2bbd90a3443baeaed24a2b253a53 | HTTP     | 80            | True           |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
[2019-12-09 14:39:47] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 99.99.99.99/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T14:40:04                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 99.99.99.0/24                        |
+-----------------------------+--------------------------------------+
[2019-12-09 14:40:56] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
^C
[2019-12-09 14:55:52] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 10.0.0.44/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:56:14] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T14:56:17                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 10.0.0.0/24                          |
+-----------------------------+--------------------------------------+
[2019-12-09 14:56:20] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
[2019-12-09 14:56:23] (tester) [stack@undercloud-0 ~]$
```

Moving to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283
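The ACL behaviour exercised by the verification steps above, as an added example that is not part of the bug report or of Octavia's own code: it models a listener's allowed_cidrs as a default-deny source filter, reproduces the host-bit normalization visible in the transcript (99.99.99.99/24 stored as 99.99.99.0/24), and replays steps 1 to 4. The client address 10.0.0.44 is an assumption inferred from the --allowed-cidr 10.0.0.44/24 the tester used.

```python
"""Model of the Octavia listener allowed_cidrs ACL (added example, not Octavia code).
Addresses come from the transcript; the client address 10.0.0.44 is assumed."""
import ipaddress


def normalize_cidrs(cidrs):
    """Store CIDRs as networks with host bits dropped, as the transcript shows
    (99.99.99.99/24 becomes 99.99.99.0/24). Malformed input raises ValueError,
    which an API front end should map to a 400 rather than store."""
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]


def source_allowed(src_ip, allowed_cidrs):
    """ACL decision for one client source address.
    No ACL (None or empty) admits every source; once any CIDR is set the policy
    is default-deny and the source must fall inside one of the listed networks."""
    if not allowed_cidrs:
        return True
    src = ipaddress.ip_address(src_ip)
    # An IPv6 source never matches an IPv4 network (and vice versa): 'in' is False.
    return any(src in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def audit_sources(src_ips, allowed_cidrs):
    """Return the observed client addresses the ACL would reject, so the impact
    of an allowed_cidrs change can be predicted before it is applied."""
    return [ip for ip in src_ips if not source_allowed(ip, allowed_cidrs)]


def verification_walkthrough(user_ip="10.0.0.44"):
    """Replay steps 1-4 and return each step's stored ACL and decision."""
    result = {}
    # Steps 1-2: listener created with allowed_cidrs = None, user reaches members.
    result["no_acl"] = source_allowed(user_ip, None)
    # Step 3: --allowed-cidr 99.99.99.99/24 is stored as 99.99.99.0/24, user rejected.
    acl = normalize_cidrs(["99.99.99.99/24"])
    result["foreign_cidr"] = (acl, source_allowed(user_ip, acl))
    # Step 4: a CIDR covering the user's subnet is stored as 10.0.0.0/24, user admitted.
    acl = normalize_cidrs([f"{user_ip}/24"])
    result["covering_cidr"] = (acl, source_allowed(user_ip, acl))
    return result


if __name__ == "__main__":
    for step, outcome in verification_walkthrough().items():
        print(step, outcome)
```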