Bug 1626377 - loadbalancer listener requires security group customization
Summary: loadbalancer listener requires security group customization
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: async
Target Release: 14.0 (Rocky)
Assignee: Luis Tomas Bolivar
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Duplicates: 1623855
Depends On:
Blocks: 1623855 1635892
Reported: 2018-09-07 07:58 UTC by Luis Tomas Bolivar
Modified: 2019-09-10 14:11 UTC (History)
CC: 9 users

Fixed In Version: openstack-octavia-3.0.1-0.20181009115733.c57ae8d.el7ost
Doc Type: Enhancement
Doc Text:
Octavia previously assigned the Octavia project-id to the security group associated with the VIP and VRRP Amphora ports. This prevented the user from restricting access to the load-balancer. This fix adds the option to change SG ownership to belong to the user project (for certain whitelisted projects), which enables the user to refine access policies for the load-balancers.
Clone Of:
Clones: 1635892
Environment:
Last Closed: 2019-01-24 14:02:35 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack Storyboard | 2003686 | 0 | None | None | None | 2019-06-27 08:04:19 UTC
OpenStack gerrit | 602564 | 0 | None | ABANDONED | Enabling SG customization on loadbalancer listerners | 2021-01-15 10:53:31 UTC
OpenStack gerrit | 625044 | 0 | None | ABANDONED | Enabling SG customization on loadbalancer listerners | 2021-01-15 10:53:31 UTC
Red Hat Product Errata | RHBA-2019:0152 | 0 | None | None | None | 2019-01-24 14:02:38 UTC

Description Luis Tomas Bolivar 2018-09-07 07:58:44 UTC
When creating a listener for an octavia loadbalancer, for example opening port 80, it opens that port for accessing from everywhere by creating a security group that allows that traffic from 0.0.0.0/0.

However, it may be needed to just enable access to that port from a given subnet or from pods with a given security group, similarly to how it is done with VMs. Currently it is not possible to do so, as the security group generated for the listener/loadbalancer does not belong to the tenant that created the loadbalancer but to the admin.

There are several ways in which this could be fixed:
- Creating loadbalancer resources within the tenant instead (perhaps only the VIP port and the associated security group will be enough).
- Extending the listener creation API to include extra options similar to what security groups have.
- Adding the option in Octavia for the tenant who created the amphora to add extra security groups to it, which will allow extra customization of access to the loadbalancer.
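
The exposure described in this report can be checked from the Neutron security-group data attached to a load balancer's VIP port. The following audit script is an added example for this page, not code from the bug report or from the Octavia project: it runs over constructed dictionaries shaped like Neutron/Octavia API responses (the IDs, project names and function names such as audit_listener_exposure are all hypothetical) and flags the two conditions the report describes, a listener port opened to 0.0.0.0/0 (or ::/0) and a security group owned by a project other than the tenant's, so the tenant cannot tighten it. A second constructed data set shows the same listener after the security group has been moved to the tenant project and narrowed to a client subnet, which yields no findings.

```python
"""Audit Octavia load-balancer listener exposure from security-group data.

Added example, not part of the bug report or of the Octavia project. Works on
constructed dictionaries shaped like Neutron/Octavia API responses instead of
a live cloud; all IDs, project names and function names are hypothetical.
"""
import ipaddress

# Constructed sample data: one load balancer owned by a tenant project with an
# HTTP listener on port 80. The VIP port carries a security group created in
# the Octavia (admin) project whose rule admits traffic from 0.0.0.0/0.
LOAD_BALANCER = {
    "id": "lb-0001",
    "project_id": "tenant-proj",
    "vip_port_id": "port-0001",
    "listeners": [{"id": "listener-0001", "protocol": "HTTP", "protocol_port": 80}],
}
PORTS = {"port-0001": {"id": "port-0001", "security_groups": ["sg-0001"]}}
SECURITY_GROUPS = {
    "sg-0001": {
        "id": "sg-0001",
        "project_id": "octavia-proj",
        "security_group_rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
             "port_range_min": 80, "port_range_max": 80,
             "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
        ],
    },
}
# Same listener after the fix this bug describes (constructed): the security
# group belongs to the tenant project and admits only one client subnet.
SECURITY_GROUPS_FIXED = {
    "sg-0001": {
        "id": "sg-0001",
        "project_id": "tenant-proj",
        "security_group_rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
             "port_range_min": 80, "port_range_max": 80,
             "remote_ip_prefix": "10.20.30.0/24", "remote_group_id": None},
        ],
    },
}
# Octavia listener protocols mapped to the L4 protocol a matching rule names.
LISTENER_L4 = {"HTTP": "tcp", "HTTPS": "tcp", "TERMINATED_HTTPS": "tcp",
               "TCP": "tcp", "UDP": "udp"}


def rule_covers_listener(rule, listener):
    """True if an ingress rule admits traffic to the listener's port."""
    if rule.get("direction") != "ingress":
        return False
    l4 = LISTENER_L4.get(listener["protocol"], listener["protocol"].lower())
    if rule.get("protocol") not in (None, l4):  # None means any protocol
        return False
    low, high = rule.get("port_range_min"), rule.get("port_range_max")
    if low is None:  # no port range means every port
        return True
    return low <= listener["protocol_port"] <= (high if high is not None else low)


def rule_is_world_open(rule):
    """True if the rule accepts any source: a /0 prefix or no source constraint."""
    if rule.get("remote_group_id"):  # restricted to members of another group
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:  # neither prefix nor group: any source
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def audit_listener_exposure(lb, ports, sgs):
    """Return one finding dict per problem found on the VIP port's groups."""
    findings = []
    vip_port = ports[lb["vip_port_id"]]
    for sg_id in vip_port["security_groups"]:
        sg = sgs[sg_id]
        if sg["project_id"] != lb["project_id"]:
            # The tenant cannot edit rules of a group it does not own.
            findings.append({"sg": sg_id, "listener": None,
                             "issue": "sg_not_tenant_owned",
                             "detail": f"owned by {sg['project_id']}"})
        for listener in lb["listeners"]:
            for rule in sg["security_group_rules"]:
                if rule_covers_listener(rule, listener) and rule_is_world_open(rule):
                    findings.append({"sg": sg_id, "listener": listener["id"],
                                     "issue": "world_open",
                                     "detail": f"{listener['protocol']}/"
                                               f"{listener['protocol_port']} from "
                                               f"{rule.get('remote_ip_prefix') or 'any'}"})
    return findings


if __name__ == "__main__":
    for finding in audit_listener_exposure(LOAD_BALANCER, PORTS, SECURITY_GROUPS):
        print(finding)
    print("after fix:", audit_listener_exposure(LOAD_BALANCER, PORTS, SECURITY_GROUPS_FIXED))
```

Against a real deployment the three dictionaries would be filled from the load balancer, port and security-group listings of the respective APIs; the ownership check is the one that matters for this bug, since a world-open rule on a group the tenant owns is something the tenant can fix, while the same rule on an admin-owned group is not.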

Comment 7 Luis Tomas Bolivar 2019-01-17 12:48:56 UTC
*** Bug 1623855 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2019-01-24 14:02:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0152

