Kuryr support for Octavia ACLs

Registered by Luis Tomas Bolivar on 2020-01-10

Since Train, Octavia has had a new API to restrict access to listeners. This is important when enforcing Network Policies on services. Previously, Kuryr either required admin privileges to change the security group associated with the loadbalancer, or had to use the ovn-octavia loadbalancer, which does not require modifications to the loadbalancer security groups because the source IP is not changed when passing through the LoadBalancer VIP.

By adopting the new Octavia ACL API, Kuryr no longer needs admin privileges to limit access to the loadbalancers.

Blueprint information

Status: Complete
Approver: Antoni Segura Puimedon
Priority: High
Drafter: Luis Tomas Bolivar
Direction: Approved
Assignee: Luis Tomas Bolivar
Definition: Approved
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Luis Tomas Bolivar on 2020-01-10
Completed by: Luis Tomas Bolivar on 2020-01-15

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:octavia-acl

Addressed by: https://review.opendev.org/700918
    Add support to Octavia ACLs

Gerrit topic: https://review.opendev.org/#/q/topic:ovn-acls

Addressed by: https://review.opendev.org/703074
    Ensure lb SG is not updated on member creation
