kuryr-kubernetes

Loadbalancer service type fails to create due to subnet access policy

Bug #1749921 reported by Antoni Segura Puimedon on 2018-02-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	kuryr-kubernetes	Fix Released	Critical	Yossi Boaron	kuryr-kubernetes queens-rc-final "q-rc-final"

Bug Description

It is very, very common for production environments to only allow access to the public network and not the associated public subnets. In that case, we fail to allocate a floating IP to the Loadbalancer service type.

The reason why we fail is because our configuration revolves around passing the subnet id and retrieving the network id from that. It makes sense since in this way we get rid of the ambiguity of which of the public subnets were intended to be used. In practice this presents cloud policy issues.

In order to fix it, we need to add a required option for specifying the network id instead and switch the subnet config option to being optional.

Tags:

Revision history for this message

Antoni Segura Puimedon (celebdor) wrote on 2018-02-16:

This should most definitely have a tempest test!

Changed in kuryr-kubernetes:
assignee:	nobody → Antoni Segura Puimedon (celebdor)
importance:	Undecided → Critical
status:	New → In Progress
milestone:	none → queens-rc-final

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-16: Fix proposed to kuryr-kubernetes (master)

Fix proposed to branch: master
Review: https://review.openstack.org/545270

OpenStack Infra (hudson-openstack) on 2018-02-18

Changed in kuryr-kubernetes:
assignee:	Antoni Segura Puimedon (celebdor) → Yossi Boaron (yossi-boaron-1234)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-20: Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/545270
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=20bc89ff87952d53249ea213d149ba315d97644f
Submitter: Zuul
Branch: master

commit 20bc89ff87952d53249ea213d149ba315d97644f
Author: Antoni Segura Puimedon <email address hidden>
Date: Fri Feb 16 12:13:17 2018 +0100

Make ext subnet config optional

    It is common for Neutron deployment's policy to forbid GETs to the
    public subnet, only allowing GETs for the public net. Since the only
    required field of those two for creating a FIP is the public net, let's
    change public net to be the only required config option and have the
    subnet stick around as optional.

    Change-Id: I31c3c51ad2dc12f8f560cbab01c86d04aabb754e
    Closes-Bug: 1749921
    Signed-off-by: Antoni Segura Puimedon <email address hidden>

Changed in kuryr-kubernetes:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-20: Fix proposed to kuryr-kubernetes (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/546182

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-21: Fix merged to kuryr-kubernetes (stable/queens)

Reviewed: https://review.openstack.org/546182
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=b9be59ed0b04ec95fefcd907c96cd9b01ea92035
Submitter: Zuul
Branch: stable/queens

commit b9be59ed0b04ec95fefcd907c96cd9b01ea92035
Author: Antoni Segura Puimedon <email address hidden>
Date: Fri Feb 16 12:13:17 2018 +0100

Make ext subnet config optional

    Change-Id: I31c3c51ad2dc12f8f560cbab01c86d04aabb754e
    Closes-Bug: 1749921
    Signed-off-by: Antoni Segura Puimedon <email address hidden>
    (cherry picked from commit 20bc89ff87952d53249ea213d149ba315d97644f)