✨ Add support for symmetric allowed address pairs#400
✨ Add support for symmetric allowed address pairs#400trihoangvo wants to merge 1 commit intoopenshift:release-0.9from
Conversation
* In the current implementation, when a network port of the server is created, we can set the 'allowed_address_pairs' to the IP address of the VIP port so that the VM allows the traffic destinated for the VIP port to go through. * Some OpenStack deployments require symmetric allowed address pairs on VIP ports due to stricter Neutron port security configurations (stricter reverse path validation). * In such a case, this commit adds the following config "symmetricAllowedAddressPairs", If set to true, also updates the allowed_address_pairs of the VIP port with the IP address of the VM port for bidirectional security.
openshift-ci
Bot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
needs-ok-to-test
|
Hi @trihoangvo. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi @trihoangvo. I suspect you have the wrong repo. This is an OpenShift fork of https://github.com/kubernetes-sigs/cluster-api-provider-openstack that only exists for things like CVE tracking. You likely want to open your PR against the upstream repo at https://github.com/kubernetes-sigs/cluster-api-provider-openstack instead. |
|
@stephenfin OpenShift uses upstream CAPO (https://github.com/kubernetes-sigs/cluster-api-provider-openstack) but has stayed at the branch If we create a PR to |
Oh, so you're attempting to add something to MAPO? Would it be possible to file an RFE or bug in Red Hat Jira and link it here so we can assess on that basis?
What you've done here is likely correct if we opt to do this in MAPO (which is a discussion we still need to have: see above request to file a Jira ticket). However, all MAPI providers will eventually be replaced by CAPI providers (see e.g. https://github.com/openshift/cluster-capi-operator) so this feature will need to exist upstream in any case to prevent regressions when the migration happens. Does this feature already exist upstream? If not, it probably makes sense to get it merged there first since we will have to carry the feature forward otherwise, which is not something we typically do. This can happen in parallel with the discussion on Jira. |
2 participants
What this PR does / why we need it:
allowed_address_pairsto the IP address of the VIP port so that the underlying network (OVS/Bridge) unconditionally trusts all traffic originating from the VM port with the VIP as the source address.symmetricAllowedAddressPairs, if set to true, when the VM port is newly created with the allowed address pairs of the VIP, we also update theallowed_address_pairsof the corresponding VIP port with the IP address of the VM port for bi-directional security.Special notes for your reviewer:
Set to draft for internal discussion with Red Hat on the 18th of March.
TODOs:
/hold