Kuryr support for Octavia ACLs
Since Train, Octavia has a new API to restrict listener access. This is important when enforcing Network Policies on services. Previously, Kuryr required either admin privileges to change the security group associated with the loadbalancer, or the use of the ovn-octavia loadbalancer, which does not require modifying the loadbalancer security groups because the source IP is not changed when traffic passes through the LoadBalancer VIP.
By adopting the new Octavia ACL API, admin privileges are no longer needed to limit access to the loadbalancers.
Blueprint information
- Status: Complete
- Approver: Antoni Segura Puimedon
- Priority: High
- Drafter: Luis Tomas Bolivar
- Direction: Approved
- Assignee: Luis Tomas Bolivar
- Definition: Approved
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Luis Tomas Bolivar
- Completed by: Luis Tomas Bolivar
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add support to Octavia ACLs
Gerrit topic: https:/
Addressed by: https:/
Ensure lb SG is not updated on member creation