Security group rules prevent deployed machines from pinging the controllers

Bug #1841855 reported by Andrea Ieri on 2019-08-28

Bug Description

I have deployed k8s in an OpenStack cloud and I'm encountering issues in monitoring the controllers from a deployed nagios unit.

This appears to be because the security group rules attached to the controllers only allow icmp traffic among the controllers themselves:

$ openstack security group show beecf6d8-7597-44ab-a8bc-58a665a5b302 -crules -fvalue | grep icmp
created_at='2019-08-23T20:16:39.909497', direction='ingress', ethertype='IPv6', id='627300fb-5a75-4a72-99c3-91cbb5f32123', protocol='icmp', remote_group_id='beecf6d8-7597-44ab-a8bc-58a665a5b302', updated_at='2019-08-23T20:16:39.909497'
created_at='2019-08-23T20:19:22.312491', direction='ingress', ethertype='IPv4', id='baafd3f0-4594-4237-98d7-49cf6695468f', protocol='icmp', remote_group_id='beecf6d8-7597-44ab-a8bc-58a665a5b302', updated_at='2019-08-23T20:19:22.312491'

Considering that ssh is allowed from anywhere, I think this restriction could be relaxed:

$ openstack security group show beecf6d8-7597-44ab-a8bc-58a665a5b302 -crules -fvalue | grep port_range_min=\'22\'
created_at='2019-08-23T20:16:40.076019', direction='ingress', ethertype='IPv6', id='5938fa69-60d2-49f7-ba81-61587c7318c6', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='::/0', updated_at='2019-08-23T20:16:40.076019'
created_at='2019-08-23T20:19:22.651660', direction='ingress', ethertype='IPv4', id='1adc8e56-800b-4558-9d40-5b149e129bcf', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='', updated_at='2019-08-23T20:19:22.651660'

Alvaro Uria (aluria) on 2019-08-29
tags: added: canonical-bootstack
Tim Penhey (thumper) on 2019-08-29
tags: added: openstack-provider
Changed in juju:
status: New → Triaged
importance: Undecided → Medium
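
The two listings in the description can be compared mechanically. The following is an added example, not part of the original report or of Juju: it parses the key='value' lines printed by the command shown in the report and lists, per ethertype, which sources may reach the group for a given protocol and port. The sample input is constructed (placeholder ids, timestamps omitted), the helper names are hypothetical, and treating an empty remote_ip_prefix or an absent protocol as "any" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the key='value' layout shown in the report;
# rule and group ids are placeholders, timestamps omitted.
SAMPLE = """\
direction='ingress', ethertype='IPv6', id='rule-a', protocol='icmp', remote_group_id='sg-controllers'
direction='ingress', ethertype='IPv4', id='rule-b', protocol='icmp', remote_group_id='sg-controllers'
direction='ingress', ethertype='IPv6', id='rule-c', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix='::/0'
direction='ingress', ethertype='IPv4', id='rule-d', port_range_max='22', port_range_min='22', protocol='tcp', remote_ip_prefix=''
"""

PAIR = re.compile(r"(\w+)='([^']*)'")
ANY_PREFIXES = {"", "0.0.0.0/0", "::/0"}

def parse_rules(text):
    """Return one dict per non-empty output line."""
    return [dict(PAIR.findall(line)) for line in text.splitlines() if line.strip()]

def source_of(rule):
    """Classify who may send traffic under this rule."""
    if rule.get("remote_group_id"):
        return "group:" + rule["remote_group_id"]
    prefix = rule.get("remote_ip_prefix", "")
    # Assumption: no remote group and an empty prefix means any address,
    # which matches how the report reads the IPv4 ssh rule.
    return "any" if prefix in ANY_PREFIXES else "cidr:" + prefix

def applies(rule, protocol, port=None):
    """True if an ingress rule covers the protocol (and port, if given)."""
    if rule.get("direction") != "ingress":
        return False
    # Assumption: a rule without a protocol field matches every protocol.
    if rule.get("protocol") not in (None, protocol):
        return False
    if port is None or "port_range_min" not in rule:
        return True
    low = int(rule["port_range_min"])
    return low <= port <= int(rule.get("port_range_max", low))

def ingress_sources(rules, protocol, port=None):
    """Map ethertype -> set of sources allowed for protocol/port."""
    out = defaultdict(set)
    for rule in rules:
        if applies(rule, protocol, port):
            out[rule.get("ethertype", "?")].add(source_of(rule))
    return dict(out)

def open_to_any(rules, protocol, port=None):
    """True if any address at all may reach the group on protocol/port."""
    return any("any" in s for s in ingress_sources(rules, protocol, port).values())
```

On the sample, icmp resolves only to the controllers' own group while tcp/22 resolves to "any", which is the asymmetry the report describes.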