This restriction was introduced in fixing this bug: https://bugs.launchpad.net/nova/+bug/1252410 Looks like a fix was proposed here: https://review.openstack.org/#/c/59578/ From reading the review history this had excellent traction, but the author walked away from it.
Upstream master still applies the default security group: https://github.com/openstack/nova/blob/00cfb0b45432bccadfb3775ccfbe2214a440a2f1/nova/compute/api.py#L1062
A TL;DR of Aaron's abandoned patch: At boot time, if a network doesn't have port_security_enabled and the only security group is 'default', remove the default security group. The approach variously had +2 from Joe Gordon, Matt Dietz, and Jay Pipes. Aaron seemed to abandon it with only outstanding nits from Matt Riedemann. AFAICT there were no design objections. My take is that the approach is probably sound and ideally it should have landed at the time. The patch would require a rewrite rather than a backport at this stage, but the approach can still be applied to the current code.
This looks interesting: https://review.openstack.org/#/c/533249/ TL;DR: Neutron ports can be tagged with ip_allocation='none'. Don't fail for those ports. I don't understand why it doesn't hit the default security group problem, though. Also doesn't seem to have any traction yet, but it's much newer.
Opinion from team discussion was that this is probably a reasonable request, but we should run it past Matt Riedemann upstream.
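The decision rule from the abandoned patch summarised above, as an added example that is not the patch's code and not nova's: a small stand-alone model of the boot-time check. The Network class, the plan_boot/security_groups_for_boot names and the "reject" outcome are assumptions made here for illustration; the rejection models the restriction referenced at the top of this thread (security groups cannot be applied on a network with port security disabled), and the patched branch drops the implicit 'default' group only when it is the sole group requested.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The group nova fills in when the boot request names no security group.
DEFAULT_SG = "default"


@dataclass(frozen=True)
class Network:
    """Minimal stand-in for what nova learns about a Neutron network.

    Assumed shape for this example, not nova's own network object.
    """
    name: str
    port_security_enabled: bool = True


def requested_groups(sgs: List[str]) -> List[str]:
    """An empty request means the 'default' group (nova's usual behaviour)."""
    return list(sgs) if sgs else [DEFAULT_SG]


def security_groups_for_boot(networks: List[Network], sgs: List[str],
                             patched: bool = True) -> List[str]:
    """Return the security groups to apply to the instance at boot.

    With patched=True this follows the abandoned patch's rule: when any
    requested network has port security disabled and the only group in play
    is 'default', drop it so the boot does not fail on that network.
    Any explicitly requested non-default group is left alone, so it still
    runs into the existing restriction downstream.
    """
    groups = requested_groups(sgs)
    no_port_security = any(not n.port_security_enabled for n in networks)
    only_default = all(g == DEFAULT_SG for g in groups)
    if patched and no_port_security and only_default:
        return []
    return groups


def plan_boot(networks: List[Network], sgs: List[str],
              patched: bool = True) -> Tuple[str, List[str]]:
    """Decide whether the boot proceeds and with which security groups.

    The 'reject' outcome is an assumption modelling the restriction from the
    bug referenced in this thread: security groups cannot be attached to a
    port on a network whose port security is disabled, so nova refuses the
    request up front rather than letting Neutron fail the port.
    """
    groups = security_groups_for_boot(networks, sgs, patched)
    if groups and any(not n.port_security_enabled for n in networks):
        return ("reject", groups)
    return ("boot", groups)


if __name__ == "__main__":
    # Constructed inputs: one network with port security off, one with it on.
    private = Network("private", port_security_enabled=False)
    public = Network("public", port_security_enabled=True)

    # Unpatched: the implicit 'default' group makes the boot fail.
    print(plan_boot([private], [], patched=False))      # ('reject', ['default'])
    # Patched: 'default' is dropped and the boot goes ahead with no groups.
    print(plan_boot([private], [], patched=True))       # ('boot', [])
    # An explicit non-default group is still rejected, patched or not.
    print(plan_boot([private], ["web"], patched=True))  # ('reject', ['web'])
    # Mixed networks: the rule is instance-wide, so 'default' is dropped
    # from the port on the port-security-enabled network as well.
    print(plan_boot([public, private], [], patched=True))  # ('boot', [])
```

One thing the last case makes visible, and worth settling in any rewrite of the patch: the rule as summarised is instance-level, so an instance attached to both a port-security network and a no-port-security network ends up with no security group on either port, rather than keeping 'default' on the port that could carry it. Whether that is acceptable, or whether the decision should be made per port, is a question for the rewrite rather than something this model answers.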