Security group rules prevent deployed machines from pinging the controllers

Bug #1841855 reported by Andrea Ieri
This bug affects 1 person
Affects          Status    Importance  Assigned to  Milestone
Canonical Juju   Triaged   Medium      Unassigned

Bug Description

I have deployed k8s in an OpenStack cloud and I'm encountering issues in monitoring the controllers from a deployed nagios unit.

This appears to be because the security group rules attached to the controllers only allow icmp traffic among the controllers themselves:

$ openstack security group show beecf6d8-7597-44ab-a8bc-58a665a5b302 -crules -fvalue | grep icmp
created_at='2019-08-23T20:16:39.909497', direction='ingress', ethertype='IPv6', id='627300fb-5a75-4a72-99c3-91cbb5f32123', protocol='icmp', remote_group_id='beecf6d8-7597-44ab-a8bc-58a665a5b302', updated_at='2019-08-23T20:16:39.909497'
created_at='2019-08-23T20:19:22.312491', direction='ingress', ethertype='IPv4', id='baafd3f0-4594-4237-98d7-49cf6695468f', protocol='icmp', remote_group_id='beecf6d8-7597-44ab-a8bc-58a665a5b302', updated_at='2019-08-23T20:19:22.312491'

Considering that ssh is allowed from anywhere, I think this restriction could be relaxed:

$ openstack security group show beecf6d8-7597-44ab-a8bc-58a665a5b302 -crules -fvalue | grep port_range_min=\'22\'
created_at='2019-08-23T20:16:40.076019', direction='ingress', ethertype='IPv6', id='5938fa69-60d2-49f7-ba81-61587c7318c6', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='::/0', updated_at='2019-08-23T20:16:40.076019'
created_at='2019-08-23T20:19:22.651660', direction='ingress', ethertype='IPv4', id='1adc8e56-800b-4558-9d40-5b149e129bcf', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2019-08-23T20:19:22.651660'
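
An added example (not part of the original report and not Juju code) that evaluates the four rule lines quoted above against a given source, showing why a host outside the controllers' security group can reach TCP/22 but cannot ping. The function names and the monitoring host address 10.0.0.50 are assumptions made for illustration.

```python
import ipaddress
import re

GROUP_ID = "beecf6d8-7597-44ab-a8bc-58a665a5b302"
# The four rule lines shown in the report, with timestamps and rule ids trimmed.
RULES = f"""\
direction='ingress', ethertype='IPv6', protocol='icmp', remote_group_id='{GROUP_ID}'
direction='ingress', ethertype='IPv4', protocol='icmp', remote_group_id='{GROUP_ID}'
direction='ingress', ethertype='IPv6', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='::/0'
direction='ingress', ethertype='IPv4', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='0.0.0.0/0'
"""

def parse_rules(text):
    """Turn each key='value' line of `-crules -fvalue` output into a dict."""
    return [dict(re.findall(r"(\w+)='([^']*)'", ln))
            for ln in text.splitlines() if ln.strip()]

def rule_allows(rule, src_ip, src_groups, protocol, port=None):
    """True if this single ingress rule admits the given source and traffic."""
    ip = ipaddress.ip_address(src_ip)
    if rule.get("direction") != "ingress":
        return False
    if rule.get("ethertype") != f"IPv{ip.version}":
        return False
    if rule.get("protocol") not in (None, protocol):
        return False
    # Port ranges are only evaluated for tcp/udp in this example.
    if protocol in ("tcp", "udp") and "port_range_min" in rule:
        lo, hi = int(rule["port_range_min"]), int(rule["port_range_max"])
        if port is None or not lo <= port <= hi:
            return False
    if "remote_group_id" in rule:
        # Source must itself be a member of the referenced security group.
        return rule["remote_group_id"] in src_groups
    if "remote_ip_prefix" in rule:
        return ip in ipaddress.ip_network(rule["remote_ip_prefix"])
    return True  # no remote restriction on the rule: any source matches

def permitted(src_ip, src_groups, protocol, port=None, rules_text=RULES):
    """True if any rule in the group admits the traffic."""
    return any(rule_allows(r, src_ip, src_groups, protocol, port)
               for r in parse_rules(rules_text))

if __name__ == "__main__":
    nagios = "10.0.0.50"  # constructed address, not in the controllers' group
    print("icmp from nagios:", permitted(nagios, set(), "icmp"))
    print("ssh  from nagios:", permitted(nagios, set(), "tcp", 22))
    print("icmp from a controller:", permitted(nagios, {GROUP_ID}, "icmp"))
```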

Alvaro Uria (aluria)
tags: added: canonical-bootstack
Tim Penhey (thumper)
tags: added: openstack-provider
Changed in juju:
status: New → Triaged
importance: Undecided → Medium
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Medium → Low
tags: added: expirebugs-bot
Haw Loeung (hloeung)
Changed in juju:
importance: Low → Medium