1693268 – loadbalancer listener requires security group customization

Bug 1693268 - loadbalancer listener requires security group customization

Summary: loadbalancer listener requires security group customization

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-octavia
Sub Component:
Version:	15.0 (Stein)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	z1
Target Release:	15.0 (Stein)
Assignee:	Carlos Goncalves
QA Contact:	Bruna Bonguardo
Docs Contact:
URL:
Whiteboard:
Depends On:	1724480
Blocks:
TreeView+	depends on / blocked

Reported:	2019-03-27 12:28 UTC by Carlos Goncalves
Modified:	2019-10-03 08:42 UTC (History)
CC List:	15 users (show)
Fixed In Version:	openstack-octavia-4.0.2-0.20190918090429.f556b84.el8ost
Doc Type:	Enhancement
Doc Text:	The Load Balancing service (octavia) now provides the capability to refine access policies for its load balancers, by allowing you to change security group ownership to a security group associated with a user project. (The user project must be on the whitelist.) In previous RHOSP releases, you could not restrict access to the load balancer, because octavia exclusively assigned the project ID to the security group associated with the VIP and VRRP ports on the load balancing agent (amphora).
Clone Of:
Environment:
Last Closed:	2019-10-03 08:42:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack Storyboard	2003686	None	None	None	2019-03-27 12:28:51 UTC
OpenStack gerrit	648069	None	ABANDONED	Enabling SG customization on loadbalancer listerners	2021-01-15 10:53:41 UTC
Red Hat Product Errata	RHBA-2019:2957	None	None	None	2019-10-03 08:42:29 UTC

Description Carlos Goncalves 2019-03-27 12:28:51 UTC

+++ This bug was initially created as a clone of Bug #1626377 +++

When creating a listener for an octavia loadbalancer, for example opening port 80, it opens that port for accessing from everywhere by creating a security group that allows that traffic from 0.0.0.0/0.

However, it may be needed to just enable access to that port from a given subnet or from pods with a given security group, similarly how it is done with VMs. Currently it is not possible to do so, as the security group generated for the listener/loadbalancer does not belong to the tenant that created the loadbalancer but to the admin.

There are several ways in which this could be fix:
- Creating loadbalancer resources within the tenant instead (perhaps only the VIP port and the associated security group will be enough).
- Extending listener creation API to include extra options similar to what security groups has.
- Add the option in Octavia to add extra security groups to the amphora by the tenant who created it, that will allow extra customization on the access to the loadbalancer.

Comment 32 Shelley Dunne 2019-09-19 18:29:52 UTC

Re-setting Target Milestone z1 to --- to begin the 15z1 Maintenance Release.

Comment 44 errata-xmlrpc 2019-10-03 08:42:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2957

Note You need to log in before you can comment on or make changes to this bug.