Octavia is not handling VIPs on the same subnet as the lb-mgmt-net
Bug #1659488 reported by Michael Johnson
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
octavia | Fix Released | Medium | Lubosz Kosnik |
Bug Description
Now that we have the network namespace in the amphora, we need to properly handle the case where a user enters the lb-mgmt-net (config setting) subnet as the VIP subnet.
Currently this does not work and the lb-mgmt port on the amp gets misconfigured.
We have two options:
1. Return an error from the API if the user specifies the lb-mgmt-net subnet as the VIP subnet.
2. Update octavia to allow a VIP on the lb-mgmt-net by enabling an alternate port inside the network namespace.
Changed in octavia: assignee: Adam Harwell (adam-harwell) → Lubosz Kosnik (diltram)
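As an added illustration of option 1 above: an API-side check that refuses a VIP subnet which collides with the configured lb-mgmt-net subnet. This is example code written for this page, not Octavia's own validation; the function names, the exception class and the sample CIDRs are all hypothetical. The point it makes that the bug text does not spell out is that the test must be an overlap test, not string equality: a VIP subnet carved out of the management range, or a supernet that contains it, lands VIP traffic in the same L3 space as the management plane just as an identical CIDR would.

```python
import ipaddress
from typing import Iterable


class VipSubnetConflict(ValueError):
    """Hypothetical API error: requested VIP subnet collides with lb-mgmt-net."""


def vip_subnet_conflicts(vip_cidr: str, mgmt_cidrs: Iterable[str]) -> bool:
    """Return True if the VIP subnet overlaps any lb-mgmt-net subnet.

    ipaddress.ip_network.overlaps() catches the identical-CIDR case, a
    VIP subnet nested inside the management subnet, and a VIP supernet
    that swallows it. Networks of different IP versions never overlap.
    """
    vip = ipaddress.ip_network(vip_cidr, strict=False)
    return any(
        vip.overlaps(ipaddress.ip_network(mgmt, strict=False))
        for mgmt in mgmt_cidrs
    )


def validate_vip_subnet(vip_cidr: str, mgmt_cidrs: Iterable[str]) -> str:
    """Option 1 from the bug: reject the request instead of mis-plumbing the amp.

    Returns the normalized CIDR on success so callers can store what was
    actually checked rather than the raw user string.
    """
    if vip_subnet_conflicts(vip_cidr, mgmt_cidrs):
        raise VipSubnetConflict(
            f"VIP subnet {vip_cidr} overlaps the load balancer management "
            f"network ({', '.join(mgmt_cidrs)}); choose a tenant subnet instead."
        )
    return str(ipaddress.ip_network(vip_cidr, strict=False))


# Constructed sample configuration (hypothetical values, not a real deployment):
# the operator's lb-mgmt-net subnet and a few VIP subnet requests.
MGMT_CIDRS = ["192.168.0.0/24"]

SAMPLE_REQUESTS = {
    "192.168.0.0/24": True,     # identical to lb-mgmt-net
    "192.168.0.128/25": True,   # nested inside lb-mgmt-net
    "192.168.0.0/16": True,     # supernet containing lb-mgmt-net
    "10.10.0.0/24": False,      # unrelated tenant subnet: allowed
    "fd00:1::/64": False,       # different IP version: allowed
}


def classify_requests(requests=SAMPLE_REQUESTS, mgmt_cidrs=MGMT_CIDRS) -> dict:
    """Run every sample request through the validator; map CIDR -> rejected?"""
    results = {}
    for cidr in requests:
        try:
            validate_vip_subnet(cidr, mgmt_cidrs)
            results[cidr] = False
        except VipSubnetConflict:
            results[cidr] = True
    return results


if __name__ == "__main__":
    for cidr, rejected in classify_requests().items():
        print(f"{cidr:20} {'REJECTED' if rejected else 'accepted'}")
```

Under option 2 the same overlap test would still be needed, only the outcome changes: instead of raising, the control plane would route the request to the alternate-port path inside the namespace.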
Hi, Michael.
I think allowing a VIP to be created in lb-mgmt-net is terrible, even though it is not a tech issue. As we already use lb-mgmt-net to access the control layer, in this view the user can see lb-mgmt-net and he/she will see the related lb-mgmt-sg; also, assuming the user knows the node IP and health-manager IP, they can access our nodes directly through some simple routes. So I think we cannot allow this operation, to avoid other security risks in the future. Do you agree?