services backed by neutron-lbaas do not work with native ovs firewall

Bug #1749968 reported by Antoni Segura Puimedon
Affects: kuryr-kubernetes
Status: Fix Released
Importance: Critical
Assigned to: Michal Dulko

Bug Description

When we use neutron-lbaas (deprecated by Octavia but still very much in use) we do not set the appropriate security groups we get from the service sg driver. We did not catch this due to the fact that with the hybrid driver, lbaasv2 is done with an internal ovs port that bypasses the SGs. Octavia does the rules according to the listeners and does not present this issue, so that's why we did not notice it there either.

We should check the LB provider and if it is haproxy we should deal with the SGs ourselves from the default driver.

Changed in kuryr-kubernetes:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Antoni Segura Puimedon (celebdor)
milestone: none → queens-rc-final
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (master)

Fix proposed to branch: master
Review: https://review.openstack.org/545363

Changed in kuryr-kubernetes:
status: Triaged → In Progress
Yossi Boaron (yossi-boaron-1234) wrote : Re: [Bug 1749968] [NEW] services backed by neutron-lbaas do not work with native ovs firewall

Hi Toni,
Is this bug relevant only for both clusterip and loadbalancer service
types?
Is it a duplicate of:

https://bugs.launchpad.net/kuryr-kubernetes/+bug/1723938 ?

Yossi

On 16 Feb 2018 at 4:45 PM, "Antoni Segura Puimedon" <<email address hidden>> wrote:

> Public bug reported:
>
> When we use neutron-lbaas (deprecated by Octavia but still very much in
> use) we do not set the appropriate security groups we get from the
> service sg driver. We did not catch this due to the fact that with the
> hybrid driver, lbaasv2 is done with an internal ovs port that bypasses
> the SGs. Octavia does the rules according to the listeners and does not
> present this issue, so that's why we did not notice it there either.
>
> We should check the LB provider and if it is haproxy we should deal with
> the SGs ourselves from the default driver.

Changed in kuryr-kubernetes:
assignee: Antoni Segura Puimedon (celebdor) → Michal Dulko (michal-dulko-f)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/545363
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=c9041d6979928c0690f8dd913facab8ae3dcc0fd
Submitter: Zuul
Branch: master

commit c9041d6979928c0690f8dd913facab8ae3dcc0fd
Author: Antoni Segura Puimedon <email address hidden>
Date: Fri Feb 16 16:09:56 2018 +0100

    Services: Set missing SGs for haproxy provider

    Since we started using Octavia we never got around to setting the
    security groups for the legacy haproxy provider. This only affects when
    using the native firewall as otherwise the haproxy internal ovs port
    bypasses the SGs

    Change-Id: Ie4a53dedf54472394f92fdfacddf0632e33f1f5b
    Closes-Bug: 1749968
    Co-Authored-By: Michał Dulko <email address hidden>
    Signed-off-by: Antoni Segura Puimedon <email address hidden>

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/546640

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kuryr-kubernetes (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/546777

OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (stable/queens)

Reviewed: https://review.openstack.org/546640
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=b9006ce30f29488511e5c962447a056a73f9f9be
Submitter: Zuul
Branch: stable/queens

commit b9006ce30f29488511e5c962447a056a73f9f9be
Author: Antoni Segura Puimedon <email address hidden>
Date: Fri Feb 16 16:09:56 2018 +0100

    Services: Set missing SGs for haproxy provider

    Since we started using Octavia we never got around to setting the
    security groups for the legacy haproxy provider. This only affects when
    using the native firewall as otherwise the haproxy internal ovs port
    bypasses the SGs

    Change-Id: Ie4a53dedf54472394f92fdfacddf0632e33f1f5b
    Closes-Bug: 1749968
    Co-Authored-By: Michał Dulko <email address hidden>
    Signed-off-by: Antoni Segura Puimedon <email address hidden>
    (cherry picked from commit c9041d6979928c0690f8dd913facab8ae3dcc0fd)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kuryr-kubernetes (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/547090

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/546777
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=731d36eccc68fec3eeb0b99f821ae875334464c4
Submitter: Zuul
Branch: master

commit 731d36eccc68fec3eeb0b99f821ae875334464c4
Author: Michał Dulko <email address hidden>
Date: Wed Feb 21 18:57:14 2018 +0100

    Services: Set SGs for N-S with haproxy provider

    This is continuation of Ie4a53dedf54472394f92fdfacddf0632e33f1f5b and
    aims to orchestrate security groups and rules creation to make sure
    listeners are available for each LoadBalancer Service. This is done
    on-demand in LBaaS v2 driver.

    Related-Bug: 1749968
    Change-Id: Ie6b3783eff7a21ad602923c32bacc37356664e82
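
An audit check for the condition this report and its two fixes describe, as an added example (not code from kuryr-kubernetes or from this report): for a load balancer using the haproxy provider, confirm that the VIP port carries the expected service security groups and that an ingress rule covers every listener port. The dict keys mirror Neutron and LBaaS v2 resource fields; the function names, IDs and sample records are constructed, and the check ignores ethertype and remote prefixes.

```python
# Added example; IDs and records below are constructed sample data.
TCP = (None, "tcp", "6", 6)  # rule protocols that admit TCP (None = any)

def rule_allows_tcp(rule, port):
    """True if a security group rule admits inbound TCP on `port`."""
    if rule["direction"] != "ingress" or rule.get("protocol") not in TCP:
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:  # no port range: every port is allowed
        return True
    return lo <= port <= hi

def audit_lb(lb, vip_port, listeners, sg_rules, expected_sgs):
    """Return findings for one load balancer; an empty list means it passes."""
    if lb["provider"] != "haproxy":
        return []  # per the report, Octavia builds rules from the listeners
    attached = set(vip_port["security_groups"])
    findings = [f"VIP port {vip_port['id']} lacks SG {sg}"
                for sg in sorted(set(expected_sgs) - attached)]
    rules = [r for r in sg_rules if r["security_group_id"] in attached]
    for lsn in listeners:  # LBaaS v2 listener protocols all run over TCP
        port = lsn["protocol_port"]
        if not any(rule_allows_tcp(r, port) for r in rules):
            findings.append(f"no ingress rule for listener tcp/{port}")
    return findings

LB = {"id": "lb-1", "provider": "haproxy", "vip_port_id": "port-1"}
LISTENERS = [{"protocol": "HTTP", "protocol_port": 80},
             {"protocol": "HTTPS", "protocol_port": 443}]
RULES = [
    {"security_group_id": "sg-svc", "direction": "ingress",
     "protocol": "tcp", "port_range_min": 80, "port_range_max": 80},
    {"security_group_id": "sg-default", "direction": "egress",
     "protocol": None, "port_range_min": None, "port_range_max": None},
]
VIP_BEFORE = {"id": "port-1", "security_groups": ["sg-default"]}
VIP_AFTER = {"id": "port-1", "security_groups": ["sg-default", "sg-svc"]}

if __name__ == "__main__":
    for vip in (VIP_BEFORE, VIP_AFTER):
        print(audit_lb(LB, vip, LISTENERS, RULES, ["sg-svc"]))
```

With the service SG attached the only remaining finding is the listener on 443, which has no matching rule in the sample data.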

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kuryr-kubernetes (stable/queens)

Reviewed: https://review.openstack.org/547090
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=71a8a603c018c1ffa8dbcc2937afa7b810fc7dbb
Submitter: Zuul
Branch: stable/queens

commit 71a8a603c018c1ffa8dbcc2937afa7b810fc7dbb
Author: Michał Dulko <email address hidden>
Date: Wed Feb 21 18:57:14 2018 +0100

    Services: Set SGs for N-S with haproxy provider

    This is continuation of Ie4a53dedf54472394f92fdfacddf0632e33f1f5b and
    aims to orchestrate security groups and rules creation to make sure
    listeners are available for each LoadBalancer Service. This is done
    on-demand in LBaaS v2 driver.

    Related-Bug: 1749968
    Change-Id: Ie6b3783eff7a21ad602923c32bacc37356664e82
    (cherry picked from commit 731d36eccc68fec3eeb0b99f821ae875334464c4)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 0.4.1

This issue was fixed in the openstack/kuryr-kubernetes 0.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 0.5.0

This issue was fixed in the openstack/kuryr-kubernetes 0.5.0 release.
