Created August 13, 2019 12:42
Openstack LB SG update with Port addition
1.) First of all, create a LB svc:

```yaml
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: https
      port: 443
      targetPort: https
    - name: http
      port: 80
      targetPort: http
```
2.) Then update the same svc by adding another port:

```yaml
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: https
      port: 443
      targetPort: https
    - name: http
      port: 80
      targetPort: http
    - name: ssh
      port: 22
      targetPort: 22
```

The Openstack SG does not reflect the new port that was added to the svc, so traffic to this port will fail.
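The gap described above (a Service port with no matching ingress rule in the load balancer's security group) is easy to detect mechanically, and a drift check like this is worth running after every Service edit. The script below is an added example, not part of the gist or of the OpenStack cloud provider: it takes the two Service manifests from the gist (as constructed Python dicts) and a constructed set of security-group rules in the shape the provider is assumed to have created for the first Service (keys follow the Neutron security-group-rule attribute names `direction`, `protocol`, `port_range_min`, `port_range_max`, `remote_ip_prefix`; the `0.0.0.0/0` source is the sample's assumption). It reports every Service port that no ingress rule admits and renders the `openstack security group rule create` commands an operator would review; the security group id `<lb-sg-id>` is a placeholder.

```python
from typing import Dict, List, Tuple

Port = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)

# Constructed input: the two Service manifests from the gist, as dicts.
SERVICE_BEFORE = {
    "kind": "Service",
    "metadata": {"name": "ingress-nginx", "namespace": "ingress-nginx"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "https", "port": 443, "targetPort": "https"},
            {"name": "http", "port": 80, "targetPort": "http"},
        ],
    },
}
SERVICE_AFTER = {
    "kind": "Service",
    "metadata": {"name": "ingress-nginx", "namespace": "ingress-nginx"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "https", "port": 443, "targetPort": "https"},
            {"name": "http", "port": 80, "targetPort": "http"},
            {"name": "ssh", "port": 22, "targetPort": 22},
        ],
    },
}

# Constructed input: ingress rules assumed to exist in the LB security group
# after step 1 (keys follow the Neutron security-group-rule attributes).
# The egress rule is included only to show that it is ignored.
SG_RULES_BEFORE = [
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 443,
     "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 80,
     "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": None},
]


def service_ports(svc: Dict) -> List[Port]:
    """Listener ports the Service declares; Kubernetes defaults protocol to TCP."""
    return [(p.get("protocol", "TCP").lower(), int(p["port"]))
            for p in svc["spec"].get("ports", [])]


def rule_covers(rule: Dict, port: Port) -> bool:
    """True if an ingress rule admits traffic to (protocol, port).
    A None protocol or None port range in Neutron means 'any'."""
    proto, num = port
    if rule.get("direction") != "ingress":
        return False
    rproto = rule.get("protocol")
    if rproto is not None and rproto.lower() != proto:
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return True
    lo = 1 if lo is None else lo
    hi = 65535 if hi is None else hi
    return lo <= num <= hi


def missing_sg_rules(svc: Dict, rules: List[Dict]) -> List[Port]:
    """Service ports that no ingress rule in the LB security group admits,
    in spec.ports order so the report is stable."""
    return [p for p in service_ports(svc)
            if not any(rule_covers(r, p) for r in rules)]


def remediation_commands(svc: Dict, sg_id: str, missing: List[Port]) -> List[str]:
    """openstack CLI commands to review before running. The source range is
    taken from spec.loadBalancerSourceRanges when the Service sets it; the
    0.0.0.0/0 fallback mirrors the assumed provider default."""
    sources = svc["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    return [
        f"openstack security group rule create --ingress "
        f"--protocol {proto} --dst-port {num} --remote-ip {cidr} {sg_id}"
        for proto, num in missing
        for cidr in sources
    ]


if __name__ == "__main__":
    for label, svc in (("before", SERVICE_BEFORE), ("after", SERVICE_AFTER)):
        gap = missing_sg_rules(svc, SG_RULES_BEFORE)
        print(f"{label}: ports without an ingress rule: {gap}")
        for cmd in remediation_commands(svc, "<lb-sg-id>", gap):
            print("   ", cmd)
```

Run against the step-2 manifest, the check reports `("tcp", 22)` as uncovered, which is exactly the failure the gist describes. Setting `spec.loadBalancerSourceRanges` on the Service keeps the generated rules scoped to the networks that actually need the listener instead of `0.0.0.0/0`.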
OK, seems like you are still using neutron-lbaas. Unfortunately, I don't have experience using neutron-lbaas, since it was deprecated a while ago and doesn't have some advanced features for us.
The supported LB solution now is only Octavia?
It should work for most of the scenarios but not for this case; I'm not 100% sure because I'm not a neutron-lbaas user. Octavia uses a different deployment model from neutron-lbaas and takes good care of SGs for the LB.
Ok... Could you please kindly try the scenario on Octavia? I currently don't have access to an Octavia-based Openstack cluster.
1.) Create a test svc:
Openstack objects that relate to the LB:
SG that is created by the openstack-provider:
SG rules that were created for the LB:
2.) Now update the LB:
Kubernetes service:
Openstack SG rules remain the same; port 22 was not added to the rules:
N.B.: I have tested this same scenario on AWS, and the SG is always updated when a new port is added or removed.