Bug 1777934

Summary: [RFE] Create SG and SG rules at once
Product: Red Hat OpenStack
Reporter: Luis Tomas Bolivar <ltomasbo>
Component: openstack-neutron
Assignee: OSP Team <rhos-maint>
Status: CLOSED MIGRATED
QA Contact: Eran Kuris <ekuris>
Severity: medium
Priority: unspecified
Version: 16.0 (Train)
CC: amoralej, cgoncalves, chrisw, mtomaska, scohen, skaplons
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-10-20 19:16:03 UTC
Type: Bug

Description Luis Tomas Bolivar 2019-11-28 17:50:33 UTC
Kubernetes allows fine-tuning access to the pods/containers by using Network Policies. When using Kuryr and running OpenShift on top of OpenStack, Network Policies are implemented through Neutron security groups and security group rules. Each Network Policy creates one security group, and depending on the Network Policy spec, as well as the existing pods, namespaces and their labels, more or fewer security group rules will be added to that security group.

Having to call the Neutron API to create first the SG and then the SG rules imposes extra load on Neutron (as well as wasting time). It would be great to be able to create the SG with the rules in a single call.

Comment 1 Carlos Goncalves 2021-03-04 11:32:45 UTC
This feature would be very helpful in Octavia and would ultimately improve the experience of Kuryr users as Kuryr makes extensive use of the Octavia listener allowed CIDRs feature.
A story opened upstream contains some performance evaluation: https://storyboard.openstack.org/#!/story/2008565