Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2018596

Summary: OVN Octavia provider driver should implement allowed_cidrs to enforce security groups on LB ports
Product: Red Hat OpenStack Reporter: Nate Johnston <njohnston>
Component: python-ovn-octavia-providerAssignee: OSP Team <rhos-maint>
Status: CLOSED NOTABUG QA Contact: Eran Kuris <ekuris>
Severity: high Docs Contact:
Priority: unspecified    
Version: 17.0 (Wallaby)CC: atragler, egarciar, lmartins, ltomasbo, njohnston
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-31 13:23:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nate Johnston 2021-10-29 19:37:48 UTC 
Octavia can use OVN as a provider driver using it's driver framework. The OVN Octavia provider driver, part of ML2/OVN, does not implement all of the functionality of the Octavia API [1]. One feature that should be supported is allowed_cidrs.

The Octavia allowed_cidrs functionality allows Octavia to manage and communicate the CIDR blocks allowed to address an Octavia load balancer. Implementing this in the OVN provider driver would allow load balancers to be only accessible from specific CIDR blocks, a requirement for customer security ina number of scenarios.

[1] https://docs.openstack.org/octavia/latest/user/feature-classification/index.html#listener-api-features
Comment 5 Luis Tomas Bolivar 2022-01-31 13:23:05 UTC 
In ovn-octavia-provider the SGs being applied are the one of the members. So there is no need for using allowed-cidrs to restrict the traffic to the members, this can be done by having the desired security group rules on the members.