When creating a listener for an Octavia load balancer, for example opening port 80, it opens that port for access from everywhere by creating a security group that allows that traffic from 0.0.0.0/0. However, it may be needed to enable access to that port only from a given subnet or from pods with a given security group, similarly to how it is done with VMs. Currently it is not possible to do so, as the security group generated for the listener/load balancer does not belong to the tenant that created the load balancer but to the admin. This RFE requests extending the API to allow setting a list of CIDRs and/or remote_group_ids per listener.
Hi Carlos, is it possible to add a scenario tempest test during the development cycle of this feature? It will help us a lot, since the amount of QE work during the OSP16 cycle is huge.
I cannot commit to having a tempest scenario in time for GA, as work to implement this feature hasn't started yet. We'll do our best. Tests from kuryr/ShiftOnStack could also validate this work, as this originally came as a request from their side.
RFE patches merged upstream for Train.
Verification steps:
1. Create a load balancer with listener and members.
2. Assert traffic can be reached between user and members.
3. Update listener with --allowed-cidr 99.99.99.99/24. Verify user cannot reach members.
4. Update listener with --allowed-cidr <CIDR_THAT_INCLUDES_USER_CIDR>. Verify user can reach members.

[stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed
16-trunk -p RHOS_TRUNK-16.0-RHEL-8-20191126.n.2
[2019-12-09 13:55:30] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T12:59:57                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | None                                 |
+-----------------------------+--------------------------------------+
[2019-12-09 14:39:36] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener list
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| id                                   | default_pool_id                      | name                                | project_id                       | protocol | protocol_port | admin_state_up |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
| 497e7a42-920c-47e8-b40c-bfa2887d6d32 | eb5fd630-fdc8-4a68-ac7d-aef160293038 | lbtreevmshttp-listener-22lnuixpbb2a | a1bb2bbd90a3443baeaed24a2b253a53 | HTTP     | 80            | True           |
+--------------------------------------+--------------------------------------+-------------------------------------+----------------------------------+----------+---------------+----------------+
[2019-12-09 14:39:45] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:39:46] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:39:47] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 99.99.99.99/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:40:00] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:40:01] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T14:40:04                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 99.99.99.0/24                        |
+-----------------------------+--------------------------------------+
[2019-12-09 14:40:56] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

curl: (7) Failed to connect to 10.0.0.226 port 80: Connection timed out

^C
[2019-12-09 14:55:51] (tester) [stack@undercloud-0 ~]$ ^C
[2019-12-09 14:55:52] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener set --allowed-cidr 10.0.0.44/24 497e7a42-920c-47e8-b40c-bfa2887d6d32
[2019-12-09 14:56:13] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:56:14] (tester) [stack@undercloud-0 ~]$
[2019-12-09 14:56:14] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer listener show 497e7a42-920c-47e8-b40c-bfa2887d6d32
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2019-12-09T12:58:08                  |
| default_pool_id             | eb5fd630-fdc8-4a68-ac7d-aef160293038 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 497e7a42-920c-47e8-b40c-bfa2887d6d32 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | 7c723d2f-bda9-4e6f-afb2-76bfc7d3eaf8 |
| name                        | lbtreevmshttp-listener-22lnuixpbb2a  |
| operating_status            | ONLINE                               |
| project_id                  | a1bb2bbd90a3443baeaed24a2b253a53     |
| protocol                    | HTTP                                 |
| protocol_port               | 80                                   |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2019-12-09T14:56:17                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | 10.0.0.0/24                          |
+-----------------------------+--------------------------------------+
[2019-12-09 14:56:20] (tester) [stack@undercloud-0 ~]$ req='curl 10.0.0.226'; for i in {1..10}; do $req; echo; done
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
lbtreevmshttp-server1-2ocje7i7mfi6
lbtreevmshttp-server2-e67rv43equcs
[2019-12-09 14:56:23] (tester) [stack@undercloud-0 ~]$

Moving to VERIFIED.
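As an added example (not part of this bug report, of the verification above, or of Octavia's own code), the logic behind the RFE and the verification steps in Python: it canonicalises `--allowed-cidr` values the way the CLI did in the log (99.99.99.99/24 is stored as 99.99.99.0/24, 10.0.0.44/24 as 10.0.0.0/24), decides whether a client address falls inside a listener's allowed_cidrs, and audits a set of listener records for ones that remain reachable from anywhere, which is the pre-feature default of 0.0.0.0/0. The records in `SAMPLE_LISTENERS`, their ids and names are constructed for the example; only the field names follow the `openstack loadbalancer listener show` output above.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample records (ids and names are placeholders), shaped like the
# fields that `openstack loadbalancer listener show` prints. allowed_cidrs is
# None when the listener was never restricted, i.e. still open to 0.0.0.0/0.
SAMPLE_LISTENERS = [
    {"id": "listener-a", "name": "web-http", "protocol": "HTTP",
     "protocol_port": 80, "allowed_cidrs": None},
    {"id": "listener-b", "name": "web-https", "protocol": "HTTPS",
     "protocol_port": 443, "allowed_cidrs": ["10.0.0.44/24"]},
    {"id": "listener-c", "name": "api", "protocol": "TCP",
     "protocol_port": 8443, "allowed_cidrs": ["0.0.0.0/0"]},
]


def normalize_cidrs(cidrs: Iterable[str]) -> list:
    """Canonicalise CIDRs as the CLI did in the log: host bits are dropped,
    so 99.99.99.99/24 becomes 99.99.99.0/24 (strict=False allows that)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_client_allowed(client_ip: str, allowed_cidrs: Optional[Iterable[str]]) -> bool:
    """True when the listener would accept traffic from client_ip.

    None means no restriction has been set, which is the default described
    in the RFE (the listener's security group allows 0.0.0.0/0)."""
    if allowed_cidrs is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in normalize_cidrs(allowed_cidrs))


def audit_listeners(listeners) -> List[Tuple[str, int, str]]:
    """Return (id, protocol_port, reason) for every listener that is reachable
    from any source address, either because allowed_cidrs is unset or because
    it contains a catch-all prefix such as 0.0.0.0/0 or ::/0."""
    findings = []
    for listener in listeners:
        cidrs = listener.get("allowed_cidrs")
        if cidrs is None:
            reason = "allowed_cidrs unset (open to 0.0.0.0/0 by default)"
        elif any(net.prefixlen == 0 for net in normalize_cidrs(cidrs)):
            reason = "allowed_cidrs contains a catch-all prefix"
        else:
            continue
        findings.append((listener["id"], listener["protocol_port"], reason))
    return findings


if __name__ == "__main__":
    # Mirrors steps 3 and 4 of the verification for a user at 10.0.0.44:
    # a CIDR that excludes the user blocks it, one that includes it allows it.
    for cidr in ("99.99.99.99/24", "10.0.0.44/24"):
        stored = normalize_cidrs([cidr])[0]
        print(f"--allowed-cidr {cidr} -> stored as {stored}; "
              f"user 10.0.0.44 allowed: {is_client_allowed('10.0.0.44', [cidr])}")
    for lid, port, reason in audit_listeners(SAMPLE_LISTENERS):
        print(f"{lid} port {port}: {reason}")
```

The audit is what a tenant can run over its own listeners after this RFE, since allowed_cidrs is a listener attribute visible to the project; before it, the equivalent rule lived in an admin-owned security group that the tenant could not inspect or change.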
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0283