Bug 2018596 - OVN Octavia provider driver should implement allowed_cidrs to enforce security groups on LB ports
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-ovn-octavia-provider
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: OSP Team
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-29 19:37 UTC by Nate Johnston
Modified: 2022-02-08 19:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-31 13:23:05 UTC
Target Upstream Version:
Embargoed:


Links
Launchpad 1949230 (last updated 2021-10-29 19:37:48 UTC)
Red Hat Issue Tracker OSP-10605 (last updated 2021-11-18 14:57:41 UTC)

Description Nate Johnston 2021-10-29 19:37:48 UTC
Octavia can use OVN as a provider driver using its driver framework. The OVN Octavia provider driver, part of ML2/OVN, does not implement all of the functionality of the Octavia API [1]. One feature that should be supported is allowed_cidrs.

The Octavia allowed_cidrs functionality allows Octavia to manage and communicate the CIDR blocks allowed to address an Octavia load balancer. Implementing this in the OVN provider driver would allow load balancers to be only accessible from specific CIDR blocks, a requirement for customer security in a number of scenarios.

[1] https://docs.openstack.org/octavia/latest/user/feature-classification/index.html#listener-api-features

Comment 5 Luis Tomas Bolivar 2022-01-31 13:23:05 UTC
In ovn-octavia-provider the SGs being applied are the ones of the members. So there is no need for using allowed-cidrs to restrict the traffic to the members; this can be done by having the desired security group rules on the members.
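The equivalence stated in Comment 5 rests on one property: OVN's native load balancer only rewrites the destination (VIP:port to member:port), so a member port's security group sees the original client source address and can filter on it. The script below is an added illustration, not code from ovn-octavia-provider or Octavia: it takes a listener's allowed_cidrs list and produces the member-side ingress rules that express the same restriction, then checks which source addresses those rules admit. The `Listener` and `Member` dataclasses are hypothetical stand-ins for the Octavia objects; the rule dictionaries use the attribute names of Neutron's security-group-rule API (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix). Two details matter in practice and are handled here: the rules must be written for the member's own port, not the VIP port, and an empty allowed_cidrs means "any source", as it does on the Octavia listener.

```python
"""Express an Octavia listener's allowed_cidrs as member-side security group rules.

Added example, not ovn-octavia-provider or Octavia code. Listener/Member are
hypothetical stand-ins for the Octavia API objects; rule dicts mirror the
attribute names of Neutron's security-group-rule resource.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Listener:
    protocol: str                                  # "TCP" or "UDP", as on the Octavia listener
    protocol_port: int                             # port the VIP listens on
    allowed_cidrs: List[str] = field(default_factory=list)  # [] means any source


@dataclass
class Member:
    address: str                                   # member's fixed IP, e.g. "10.0.1.20"
    protocol_port: int                             # port the backend actually serves


def member_sg_rules(listener: Listener, member: Member) -> List[Dict[str, Any]]:
    """Return Neutron-style ingress rules that admit only listener.allowed_cidrs.

    OVN's load balancer DNATs VIP:listener.protocol_port to
    member.address:member.protocol_port, so the member's SG must match the
    member port, not the VIP port. Source addresses are preserved, which is
    what makes source-CIDR filtering on the member possible at all.
    """
    proto = listener.protocol.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported listener protocol {listener.protocol!r}")
    member_ip = ipaddress.ip_address(member.address)

    if listener.allowed_cidrs:
        nets = [ipaddress.ip_network(c, strict=False) for c in listener.allowed_cidrs]
    else:
        # Empty allowed_cidrs on the listener means "no restriction".
        any_net = "0.0.0.0/0" if member_ip.version == 4 else "::/0"
        nets = [ipaddress.ip_network(any_net)]

    # Merge overlapping/duplicate prefixes per family so we do not create
    # redundant rules (collapse_addresses refuses to mix IPv4 and IPv6).
    collapsed = []
    for version in (4, 6):
        collapsed.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))

    return [
        {
            "direction": "ingress",
            "ethertype": "IPv4" if net.version == 4 else "IPv6",
            "protocol": proto,
            "port_range_min": member.protocol_port,
            "port_range_max": member.protocol_port,
            "remote_ip_prefix": str(net),
        }
        for net in collapsed
    ]


def is_admitted(rules: List[Dict[str, Any]], src_ip: str, dst_port: int, protocol: str) -> bool:
    """Simulate the SG decision for one packet arriving at the member port."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] != protocol.lower():
            continue
        if not rule["port_range_min"] <= dst_port <= rule["port_range_max"]:
            continue
        # 'in' returns False when the address family differs from the prefix's.
        if src in ipaddress.ip_network(rule["remote_ip_prefix"]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: HTTPS listener on the VIP, backend on 8443,
    # clients restricted to two overlapping IPv4 ranges and one IPv6 range.
    lst = Listener("TCP", 443, ["10.0.0.0/24", "10.0.0.0/25", "2001:db8::/64"])
    mbr = Member("10.0.1.20", 8443)
    for rule in member_sg_rules(lst, mbr):
        print(rule)
    print(is_admitted(member_sg_rules(lst, mbr), "10.0.0.7", 8443, "TCP"))     # True
    print(is_admitted(member_sg_rules(lst, mbr), "192.168.1.1", 8443, "TCP"))  # False
```

Apply the returned rules with `openstack security group rule create` against a security group attached to each member port. The check function is only a model of the SG decision for reasoning about the rule set; the real enforcement is done by OVN's ACLs generated from the member ports' security groups.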

