Comment 16 for bug 1884995

Szymon Roczniak (szymonroczniakgamma) wrote:

I'm also affected by this.

Environment is Ussuri on 18.04. Everything deployed on a tenant network.

Security group rules in the SG shared between all worker nodes don't contain a rule to allow amphora instances to talk to worker nodes.

A workaround is to add this to the shared SG:

openstack --os-cloud $cloud security group rule create --dst-port 30000:32767 --protocol tcp --description "access fix" --ingress --ethertype ipv4 $security_group

However, the problem is that sometimes this additional rule gets deleted. I have no clue yet what removes it, but it's happened a few times. Might be a coincidence, but the last time it was after all cluster machines were shut down.

Also - what is the expected behavior of the integrator with manage-security-groups=True? I can see the group created by the integrator, but it only contains an ingress rule for kubeapi (6443:6443).