Security group rules for worker nodes when octavia_provider is OVN

[gabriel-samfira]

Hi folks,

According to https://cluster-api-openstack.sigs.k8s.io/clusteropenstack/configuration.html#security-groups, when OVN is used as a load balancer, the following spec needs to be used:

managedSecurityGroups:
  workerNodesSecurityGroupRules:
  - remoteIPPrefix: 0.0.0.0/0
    direction: ingress
    etherType: IPv4
    name: Node Port (TCP, anywhere)
    portRangeMin: 30000
    portRangeMax: 32767
    protocol: tcp
  - remoteIPPrefix: 0.0.0.0/0
    direction: ingress
    etherType: IPv4
    name: Node Port (UDP, anywhere)
    portRangeMin: 30000
    portRangeMax: 32767
    protocol: udp

Right now, there is no connectivity when using OVN as a load balancer.

[gabriel-samfira]

gah. This seems to only have been made available in the main branch of the openstack provider on the 8th of January 😅.

[gabriel-samfira]

It seems that in the current stable release only allNodesSecurityGroupRules is available adding the above rules there makes the ovn load balancer work, but it applies these rules on all nodes. in theory that shouldn't be a problem if an isolated network is used. the load balancer only exposes 6443 on the control plane node and nothing really listens on 30000-32767 if scheduling is disabled on control plane nodes.