oci-cloud-controller-manager icon indicating copy to clipboard operation
oci-cloud-controller-manager copied to clipboard

Published 20 hours ago verified publisher icon oracle

Use LB seclist from LB subnet

Open MPV opened this issue 3 years ago • 4 comments

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

CCM Version: (whichever version OKE uses today)

Environment:

  • Kubernetes version (use kubectl version): 
    Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.8", 
GitCommit:"50317190d44dbdb51ae7ff430917b32ba96188b5", GitTreeState:"clean", BuildDate:"2021-06-30T14:20:31Z", GoVersion:"go1.15.13 BoringCrypto", Compiler:"gc", Platform:"linux/amd64"}
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Others: N/A

What happened?

  1. Followed this guide:
    https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfigexample.htm#example-privatek8sapi-privateworkers-privatelb
    • Private VCN
    • Separate subnet for private LBs (with it's own seclist)
    • Private OKE cluster, configured to use private LB subnet
  2. Create "internal LB" (using annotation)
  3. OCI CCM created seclist rules in the default VCN seclist, instead of the LB subnet seclist.

What you expected to happen?

  1. OCI CCM creating rules in the seclist attached to the LB subnet.

How to reproduce it (as minimally and precisely as possible)?

Steps are in the guide above.

Anything else we need to know?

We'd love not having to manually set OCIDs in our kube services (i.e. which seclist to update, or which subnet to use for LBs).

MPV avatar Sep 14 '21 15:09 MPV

https://github.com/oracle/oci-cloud-controller-manager/blob/master/manifests/provider-config-example.yaml#L56-L58 Can you please check this?

mrunalpagnis avatar Sep 15 '21 05:09 mrunalpagnis

@mrunalpagnis We've seen that, but (as I mentioned in my last sentence) we'd love not having to provide user/developer-unfriendly OCIDs in each kube LB service.

MPV avatar Sep 15 '21 05:09 MPV

Oh my bad, I thought you were referring to either of these annotations on the kube service:

  • service.beta.kubernetes.io/oci-load-balancer-subnet1
  • service.beta.kubernetes.io/oci-load-balancer-subnet2
  • service.beta.kubernetes.io/oci-network-security-groups

I see now that you mean configurations of the CCM itself.

However, I'm not sure we're able to make such adaptations to the built-in CCM in OKE? If there is, please let us know.

MPV avatar Sep 15 '21 06:09 MPV

@MPV This repo has CCM that works on a self-managed k8s clusters. If you want the above one in OKE which is OCI managed kubernetes cluster, please raise a request in the OKE queue and we can share more details there.

mrunalpagnis avatar Sep 16 '21 10:09 mrunalpagnis