cloud-provider-openstack
[occm] Manage Security Groups for Octavia Load Balancer
Is this a BUG REPORT or FEATURE REQUEST?:
Uncomment only one, leave it on its own line:
/kind bug /kind feature
What happened:
According to the documentation the configuration option manage-security-groups does not work with Octavia.
But we tried it, since we do not want to open all Node Ports and it works for most cases.
What you expected to happen:
Obviously it would be nice to use manage-security-groups with Octavia load balancer.
How to reproduce it:
Enable manage-security-groups with Octavia load balancer.
Anything else we need to know?:
It would be nice to have this as a fully working feature and I would be willing to implement this (In fact I already started with https://github.com/kubernetes/cloud-provider-openstack/pull/1972).
As far as I can see, the only part not working properly is updateSecurityGroup, which adds the security rules to every security group on the nodes. But this could be fixed using logic similar to that in ensureSecurityGroup.
Also, I want to note that there were some attempts to implement this, and you can still see this in the code. E.g. ensureSecurityGroup already has the distinction between Octavia and non-Octavia load balancers, see https://github.com/kubernetes/cloud-provider-openstack/blob/d1196878af7af85bc2aea06c8fa37d27ba4a1f37/pkg/openstack/loadbalancer.go#L2576
If this is something you want to have upstream, maybe we can discuss how to submit this.
Environment:
- openstack-cloud-controller-manager(or other related binary) version: Current master (d1196878af7af85bc2aea06c8fa37d27ba4a1f37)
- OpenStack version:
- Others:
I know this issue (and the corresponding PR) have not been open for very long, but I would be interested to know whether this by itself is something you would consider, or whether the handling of security groups is out of scope for this project.