1777934 – [RFE] Create SG and SG rules at once

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

Bug 1777934 - [RFE] Create SG and SG rules at once

Summary: [RFE] Create SG and SG rules at once

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	16.0 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	OSP Team
QA Contact:	Eran Kuris
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-28 17:50 UTC by Luis Tomas Bolivar
Modified:	2023-10-20 19:16 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-10-20 19:16:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	OSP-2370	None	None	None	2022-03-24 13:36:43 UTC
Red Hat Issue Tracker	OSP-29927	None	None	None	2023-10-20 19:16:37 UTC
Red Hat Issue Tracker	OSPRH-509	None	None	None	2023-10-20 19:16:02 UTC

Description Luis Tomas Bolivar 2019-11-28 17:50:33 UTC

Kubernetes allows to fine-tune the access to the pods/containers by using Network Policies. When using Kuryr and running OpenShift on top of OpenStack, Network Policies are implemented through Neutron security groups and security group rules. Each Network Policy creates one security group. And depending on the Network Policy spec, as well as the existing pods, namespaces and their labels, more or less security group rules will be added to that security group.

It imposes extra load on Neutron (as well as time waste) to have to call the Neutron API to create first the SG and then the SG rules. It would be great to be able to create the SG with the rules in a single call.

Comment 1 Carlos Goncalves 2021-03-04 11:32:45 UTC

This feature would be very helpful in Octavia and would ultimately improve the experience of Kuryr users as Kuryr makes extensive use of the Octavia listener allowed CIDRs feature.
A story opened upstream contains some performance evaluation: https://storyboard.openstack.org/#!/story/2008565

Note You need to log in before you can comment on or make changes to this bug.