Bug 1691025
| Summary: | [RFE] Add an ACL API to the load balancer API | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Carlos Goncalves <cgoncalves> |
| Component: | openstack-octavia | Assignee: | Carlos Goncalves <cgoncalves> |
| Status: | CLOSED ERRATA | QA Contact: | Bruna Bonguardo <bbonguar> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 16.0 (Train) | CC: | atragler, bbonguar, ccopello, dcadzow, gregraka, ihrachys, jschluet, lpeer, majopela, nlevinki, scohen, shrjoshi, tfreger |
| Target Milestone: | Upstream M3 | Keywords: | FutureFeature, Triaged |
| Target Release: | 16.0 (Train on RHEL 8.1) | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-octavia-5.0.1-0.20191126050550.3d28fd5.el8ost | Doc Type: | Enhancement |
| Doc Text: | You can now use the Octavia API to create a VIP access control list (ACL) to limit incoming traffic to a listener to a set of allowed source IP addresses (CIDRs). Any other incoming traffic is rejected. For more information, see "Secure a load balancer with an access control list" in the "Networking Guide." | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-06 14:39:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1757961 | | |
Description
Carlos Goncalves
2019-03-20 16:37:35 UTC

Hi Carlos, is it possible to add a scenario Tempest test during the development cycle of this feature? It will help us a lot since the amount of QE work during the OSP16 cycle is huge.

I cannot commit to having a Tempest scenario in time for GA as work to implement this feature hasn't started yet. We'll do our best. Tests from kuryr/ShiftOnStack could also validate this work as this originally came as a request from their side.

RFE patches merged upstream for Train.

Verification steps:
1. Create a load balancer with a listener and members.
2. Assert traffic can pass between the user and the members.
3. Update the listener with --allowed-cidr 99.99.99.99/24. Verify the user cannot reach the members.
4. Update the listener with --allowed-cidr <CIDR_THAT_INCLUDES_USER_CIDR>. Verify the user can reach the members.
[stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed
16-trunk -p RHOS_TRUNK-16.0-RHEL-8-20191126.n.2
[2019-12-09 13:55:30] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------+
| admin_state_up | True |
| connection_limit | -1 |
| created_at | 2019-12-09T12:58:08 |
| default_pool_id | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref | None |
| description | |
| id | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers | None |
| l7policies | |
| loadbalancers | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name | lbtreevmshttp-listener-22lnuixpbb2a |
| operating_status | ONLINE |
| project_id | a1bb2bbd90a3443baeaed24a2b253a53 |
| protocol | HTTP |
| protocol_port | 80 |
| provisioning_status | ACTIVE |
| sni_container_refs | [] |
| timeout_client_data | 50000 |
| timeout_member_connect | 5000 |
| timeout_member_data | 50000 |
| timeout_tcp_inspect | 0 |
| updated_at | 2019-12-09T12:59:57 |
| client_ca_tls_container_ref | None |
| client_authentication | NONE |
| client_crl_container_ref | None |
| allowed_cidrs | None |
+-----------------------------+--------------------------------------+
[2019-12-09 14:39:36] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener list
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| id | default_pool_id | name | project_id | protocol | protocol_port | admin_state_up |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| 497e7a42-920c-47e8-b40c-bfa2887d6d32 | eb5fd630-fdc8-4a68-ac7d-aef160293038 | lbtreevmshttp-listener-22lnuixpbb2a | a1bb2bbd90a3443baeaed24a2b253a53 | HTTP | 80 | True |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
[2019-12-09 14:39:45] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:39:46] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:39:47] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 99.99.99.99/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:40:00] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------+
| admin_state_up | True |
| connection_limit | -1 |
| created_at | 2019-12-09T12:58:08 |
| default_pool_id | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref | None |
| description | |
| id | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers | None |
| l7policies | |
| loadbalancers | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name | lbtreevmshttp-listener-22lnuixpbb2a |
| operating_status | ONLINE |
| project_id | a1bb2bbd90a3443baeaed24a2b253a53 |
| protocol | HTTP |
| protocol_port | 80 |
| provisioning_status | ACTIVE |
| sni_container_refs | [] |
| timeout_client_data | 50000 |
| timeout_member_connect | 5000 |
| timeout_member_data | 50000 |
| timeout_tcp_inspect | 0 |
| updated_at | 2019-12-09T14:40:04 |
| client_ca_tls_container_ref | None |
| client_authentication | NONE |
| client_crl_container_ref | None |
| allowed_cidrs | 99.99.99.0/24 |
+-----------------------------+--------------------------------------+
[2019-12-09 14:40:56] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out
^C
[2019-12-09 14:55:51] (tester) [stack@undercloud-0 ~]$ ^C
[2019-12-09 14:55:52] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 10.0.0.44/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:56:13] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:56:14] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:56:14] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field | Value |
+-----------------------------+--------------------------------------+
| admin_state_up | True |
| connection_limit | -1 |
| created_at | 2019-12-09T12:58:08 |
| default_pool_id | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref | None |
| description | |
| id | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers | None |
| l7policies | |
| loadbalancers | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name | lbtreevmshttp-listener-22lnuixpbb2a |
| operating_status | ONLINE |
| project_id | a1bb2bbd90a3443baeaed24a2b253a53 |
| protocol | HTTP |
| protocol_port | 80 |
| provisioning_status | ACTIVE |
| sni_container_refs | [] |
| timeout_client_data | 50000 |
| timeout_member_connect | 5000 |
| timeout_member_data | 50000 |
| timeout_tcp_inspect | 0 |
| updated_at | 2019-12-09T14:56:17 |
| client_ca_tls_container_ref | None |
| client_authentication | NONE |
| client_crl_container_ref | None |
| allowed_cidrs | 10.0.0.0/24 |
+-----------------------------+--------------------------------------+
[2019-12-09 14:56:20] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
[2019-12-09 14:56:23] (tester) [stack@undercloud-0 ~]$
Moving to VERIFIED.
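As an added example (not Octavia's own code), the following models the allowed_cidrs behaviour the verification above exercises: the API stores each CIDR with host bits cleared (99.99.99.99/24 is shown back as 99.99.99.0/24), an unset list applies no ACL, and a set list admits only sources inside one of its networks. The client address 10.0.0.44 is an assumption taken from the tester's second --allowed-cidr argument.

```python
import ipaddress
from typing import Iterable, List, Optional

# Added example; models the listener allowed_cidrs semantics seen in the
# verification transcript, it is not the Octavia implementation.


def normalize_allowed_cidrs(cidrs: Iterable[str]) -> List[str]:
    """Canonicalise CIDRs the way the API echoes them: host bits cleared.

    99.99.99.99/24 -> 99.99.99.0/24 and 10.0.0.44/24 -> 10.0.0.0/24.
    A malformed entry raises ValueError so it is refused at the API edge.
    """
    return [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]


def source_allowed(src_ip: str, allowed_cidrs: Optional[List[str]]) -> bool:
    """Return True if a connection from src_ip may reach the listener.

    None or an empty list means no ACL is applied (every source admitted),
    matching the initial 'allowed_cidrs | None' state in the transcript.
    Address-family mismatches (v4 source vs v6 network) never match.
    """
    if not allowed_cidrs:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c, strict=False)
               for c in allowed_cidrs)


def verify_acl_steps(user_ip: str) -> dict:
    """Replay steps 2-4 of the verification plan against the model.

    user_ip is a constructed client address; returns one bool per step.
    """
    steps = {}
    steps["2_no_acl_reachable"] = source_allowed(user_ip, None)
    deny_acl = normalize_allowed_cidrs(["99.99.99.99/24"])
    steps["3_blocked_by_foreign_cidr"] = not source_allowed(user_ip, deny_acl)
    allow_acl = normalize_allowed_cidrs([f"{user_ip}/24"])
    steps["4_allowed_by_own_cidr"] = source_allowed(user_ip, allow_acl)
    return steps


if __name__ == "__main__":
    print(normalize_allowed_cidrs(["99.99.99.99/24", "10.0.0.44/24"]))
    for step, ok in verify_acl_steps("10.0.0.44").items():
        print(f"{step}: {'PASS' if ok else 'FAIL'}")
```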
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0283