
[occm] Apply security groups

Open framctr opened this issue 1 year ago • 6 comments

/kind feature

What happened: Actually the security groups can be managed by OCCM just for load balancers.

What you expected to happen: To enhance security, manage security groups for all Service resources when they are created.

In other words, when a new Service resource is created, depending on whether it is a ClusterNode, ClusterIP or LoadBalancer type, add a security group to the OpenStack instances to allow access to that service. It could be managed by the existing OCCM component or by a new one.

Environment:

  • openstack-cloud-controller-manager version: any
  • OpenStack version: any

framctr, Feb 19 '24 09:02

What's the exact use case here? Allowing kube-proxy without allowing all in-cluster traffic? That might make sense, but it would require you to create a new controller. The current LoadBalancer interface will only be fed by LoadBalancer Services, and there's no way to change that in the cloud-provider controller.

Another way to solve your concern is to make ClusterIP traffic tunneled by the CNI which would allow you to set up a single SG for that traffic. ovn-kubernetes is doing that.

dulek, Feb 29 '24 12:02

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot, May 29 '24 12:05

/remove-lifecycle stale

framctr, May 30 '24 14:05

If implemented, we would need to consider how this interacts with CAPO managed security groups.

mdbooth, May 31 '24 08:05
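A sketch of the per-Service-type derivation requested in the issue, together with the CAPO interaction mdbooth raises, as an added Go example that is not code from the cloud-provider-openstack project: a Service type is mapped to the ingress rules a node security group would need (ClusterIP and LoadBalancer get none here, since the former is a virtual IP and the latter is already handled by OCCM), and the reconcile diff deletes only rules the controller tagged as its own, so rules created by another manager such as CAPO are left untouched. The ServicePort and Rule structs, the owner map and the clientCIDR parameter are stand-ins assumed for this example.

```go
package main

import "fmt"

// ServicePort stands in for the Service port fields a controller reads (assumption:
// a real controller would read corev1.Service from k8s.io/api instead).
type ServicePort struct{ Protocol string; NodePort int32 } // NodePort is 0 until allocated
// Rule is one ingress rule on the worker-node security group; CIDR is the allowed source.
type Rule struct{ Protocol string; Port int32; CIDR string }

// NodeRulesFor derives the node-SG ingress rules a Service of the given type needs.
// clientCIDR is the source range allowed to reach node ports (assumption: operator-set).
func NodeRulesFor(svcType string, ports []ServicePort, clientCIDR string) ([]Rule, error) {
	switch svcType {
	case "ClusterIP", "LoadBalancer":
		// ClusterIP is served by kube-proxy/CNI; LoadBalancer SGs are already OCCM-managed.
		return nil, nil
	case "NodePort":
		var rules []Rule
		for _, p := range ports {
			if p.NodePort == 0 {
				return nil, fmt.Errorf("nodePort not allocated yet for %s port", p.Protocol)
			}
			rules = append(rules, Rule{p.Protocol, p.NodePort, clientCIDR})
		}
		return rules, nil
	}
	return nil, fmt.Errorf("unsupported Service type %q", svcType)
}
// Diff returns the rules to add and to delete so the SG matches desired. Only rules in
// owned (tagged as created by this controller) are deleted; CAPO-managed rules stay.
func Diff(desired, existing []Rule, owned map[Rule]bool) (add, del []Rule) {
	have, want := map[Rule]bool{}, map[Rule]bool{}
	for _, r := range existing {
		have[r] = true
	}
	for _, r := range desired {
		want[r] = true
		if !have[r] {
			add = append(add, r)
		}
	}
	for _, r := range existing {
		if !want[r] && owned[r] {
			del = append(del, r)
		}
	}
	return add, del
}
```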