[RFE] Allow binding SecurityGroups to Network

Bug #2075955 reported by David Pineau
Affects: neutron | Status: New | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

In the context of my work, I'm looking to "enforce" some security groups settings onto all ports of a Network.

For a bit more context, we're configuring a network as external, so that it may provide network access to a service which is not managed by OpenStack. We wanted, through this network, to allow only specific projects to access said service, with the following specificities:
 - Open access to said service by default (behind a VIP, so essentially allowing traffic for a specific CIDR/mask)
 - Prevent each VM on this network from seeing the others, so that "exposing" the service to the VM does not inadvertently provide connectivity between the VMs (see RFE https://bugs.launchpad.net/neutron/+bug/2075958)

Opening traffic by default means that we need to somehow enforce the association of a SecurityGroup with all ports from a Network. As there is currently no such concept in Neutron, we thought of creating a SecurityGroupNetworkBinding, which would be included in all security-group related operations affecting a port (such as listing rules, listing security groups, etc); but could not be removed through the port.

As we have no existing mastery of the neutron code, from a bit of reading, we can surmise that this would involve at least:
 - Adding a new DB model and object for this new concept: SecurityGroupNetworkBinding
 - Adding a new API to allow creating such binding
 - Updating existing network APIs, where relevant for updates/removal of the SecurityGroupNetworkBindings
 - Updating the ports APIs to include resolution of the network's bound SecurityGroups wherever useful (for listing security groups, rules, etc.; as we imagine that some of these are used by the agents to apply the flow controls reflecting the security group rules)
 - Updating the client Libraries to expose new APIs
 - Updating the client CLI plugin to expose new commands for this additional feature
 - Updating whatever plugin exposes the security-group and network bindings in Horizon and allows controlling them

Of course, we're going to put in the work for this, as it's part of our priority items, hopefully as part of a neutron contribution, if we find a solution to this issue we can agree on.
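As an added example, not code from this RFE or from Neutron itself, the following Python models the semantics the description asks for: a security group bound to a network is always part of every port's effective security groups and can only be detached at the network, never through the port. The Network/Port classes and all function names are assumptions made for the illustration.

```python
"""Sketch of the SecurityGroupNetworkBinding semantics proposed above.

Added example, not Neutron code: the Network/Port classes and function names
are assumptions that model the RFE, not the real Neutron API.
"""
from dataclasses import dataclass, field


class NetworkBoundSecurityGroup(Exception):
    """Raised when a port-level operation tries to drop a network-bound SG."""


@dataclass
class Network:
    id: str
    # The proposed SecurityGroupNetworkBinding: SG ids enforced on every port.
    bound_security_groups: set = field(default_factory=set)


@dataclass
class Port:
    id: str
    network: Network
    # Security groups chosen by the port owner; the only part a tenant edits.
    security_groups: set = field(default_factory=set)


def effective_security_groups(port: Port) -> set:
    """What the agent should apply: tenant SGs plus the network's bound SGs."""
    return port.security_groups | port.network.bound_security_groups


def set_port_security_groups(port: Port, requested: set) -> set:
    """Port-level update: replaces the tenant SGs; bound SGs stay resolved."""
    port.security_groups = set(requested) - port.network.bound_security_groups
    return effective_security_groups(port)


def remove_port_security_group(port: Port, sg_id: str) -> set:
    """Port-level removal: refused for SGs that the network enforces."""
    if sg_id in port.network.bound_security_groups:
        raise NetworkBoundSecurityGroup(
            f"{sg_id} is bound to network {port.network.id}; "
            f"unbind it at the network, not on port {port.id}")
    port.security_groups.discard(sg_id)
    return effective_security_groups(port)


def unbind_from_network(network: Network, sg_id: str) -> None:
    """Network-level operation: the only place a bound SG is detached."""
    network.bound_security_groups.discard(sg_id)
```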

description: updated
tags: added: rfe
Changed in neutron:
importance: Undecided → Wishlist
Revision history for this message
Brian Haley (brian-haley) wrote :

Hi David,

Are you able to come to tomorrow's Neutron Drivers meeting to discuss this further? [0]
If so please add an item to the agenda.

My initial question was, "so this is like an admin setting a network SG that cannot be removed by tenants?"

[0] https://wiki.openstack.org/wiki/Meetings/NeutronDrivers

tags: added: rfe-triaged
Revision history for this message
David Pineau (dav-pineau) wrote :

Hi Brian,

Sorry, I missed the email during the day, and noticed your message one hour too late!
I'd be happy to come to the next meeting I'd be available for, which is 2 weeks from now (thus on Friday 23/08).

To answer your question, yes, that's the idea.

We want to provide an "External service" only for selected projects, and this seemed like the best way to integrate the concept properly within openstack/neutron (at least from our users' projects' standpoint), and avoid hacks all around.

I also believe this could be used to enforce "default security groups" on all ports of a specific network, which might be a practical feature?

I hope it makes sense.

Revision history for this message
Brian Haley (brian-haley) wrote :

Hi David,

I will put it on the agenda for August 23rd, thanks.

-Brian

Revision history for this message
David Pineau (dav-pineau) wrote :

As discussed in the meeting of August 23rd, I will soon provide a spec to further discuss the proposed design.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-specs (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-specs/+/927520

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-specs (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-specs/+/927520
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
