I'm also affected by this.
Environment is Ussuri on 18.04. Everything deployed on a tenant network.
Security group rules in the SG shared between all worker nodes don't contain a rule to allow amphora instances to talk to worker nodes.
A workaround is to add this to the shared SG:
openstack --os-cloud $cloud security group rule create --dst-port 30000:32767 --protocol tcp --description "access fix" --ingress --ethertype ipv4 $security_group
However, the problem is that sometimes this additional rule gets deleted. I have no clue yet what removes it but it's happened a few times. Might be a coincidence but the last time it was after all cluster machines were shut down.
Also - what is the expected behavior of the integrator with manage-security-groups=True? I can see the group created by the integrator but it only contains an ingress rule for kubeapi (6443:6443).
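An added example (not part of the comment above and not the integrator's own code): a check that can be run periodically to notice when the NodePort workaround rule has disappeared from the shared security group. It assumes the JSON column names printed by `openstack security group rule list --long -f json $security_group` ("IP Protocol", "Ethertype", "IP Range", "Port Range", "Direction", "Remote Security Group"); the sample rows are constructed. It also reports when the rule has no source restriction, which is what the workaround command produces because it sets neither a remote IP nor a remote group.

```python
import json

NODEPORT_MIN, NODEPORT_MAX = 30000, 32767  # range used by the workaround rule

# Constructed rows; the column names are an assumption about the client's JSON output.
API_RULE = {"ID": "constructed-1", "IP Protocol": "tcp", "Ethertype": "IPv4",
            "IP Range": "0.0.0.0/0", "Port Range": "6443:6443",
            "Direction": "ingress", "Remote Security Group": None}
FIX_RULE = {**API_RULE, "ID": "constructed-2", "Port Range": "30000:32767"}
SAMPLE_WITH_FIX = json.dumps([API_RULE, FIX_RULE])
SAMPLE_WITHOUT_FIX = json.dumps([API_RULE])


def parse_port_range(text):
    """Turn "30000:32767" or "6443" into (low, high); None if empty."""
    if not text:
        return None
    low, _, high = str(text).partition(":")
    return int(low), int(high or low)


def nodeport_rules(rules_json):
    """Ingress TCP/IPv4 rules whose port range covers the whole NodePort range."""
    hits = []
    for rule in json.loads(rules_json):
        wanted = ((rule.get("Direction") or "").lower() == "ingress"
                  and (rule.get("IP Protocol") or "").lower() == "tcp"
                  and (rule.get("Ethertype") or "").lower() == "ipv4")
        ports = parse_port_range(rule.get("Port Range"))
        if wanted and ports and ports[0] <= NODEPORT_MIN and ports[1] >= NODEPORT_MAX:
            hits.append(rule)
    return hits


def check(rules_json):
    """MISSING, PRESENT_OPEN (any source may connect) or PRESENT_SCOPED."""
    hits = nodeport_rules(rules_json)
    if not hits:
        return "MISSING"
    for rule in hits:
        unscoped = rule.get("IP Range") in (None, "", "0.0.0.0/0")
        if unscoped and not rule.get("Remote Security Group"):
            return "PRESENT_OPEN"
    return "PRESENT_SCOPED"


if __name__ == "__main__":
    print(check(SAMPLE_WITH_FIX), check(SAMPLE_WITHOUT_FIX))
```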