
yahoo-eng-team team mailing list archive

[Bug 2075955] [NEW] [RFE] Allow binding SecurityGroups to Network


Public bug reported:

In the context of my work, I'm looking to "enforce" some security groups
settings onto all ports of a Network.

For a bit more context, we're configuring a network as external, so that it may provide network access to a service which is not managed by OpenStack. We wanted, through this network, to allow only specific projects to access said service, with the following specificities:
 - Open access to said service by default (behind a VIP, so essentially allowing traffic for a specific CIDR/mask)
 - Prevent each VM on this network from seeing the others, so that "exposing" the service to the VM does not inadvertently provide connectivity between the VMs (another RFE may address this, to be created)

Opening traffic by default means that we need to somehow enforce the
association of a SecurityGroup with all ports from a Network. As there
is currently no such concept in Neutron, we thought of creating a
SecurityGroupNetworkBinding, which would be included in all security-
group related operations affecting a port (such as listing rules,
listing security groups, etc); but could not be removed through the
port.

As we have no existing mastery of the neutron code, from a bit of reading, we can surmise that this would involve at least:
 - Adding a new DB model and object for this new concept: SecurityGroupNetworkBinding
 - Adding a new API to allow creating such binding
 - Updating existing network APIs, where relevant for updates/removal of the SecurityGroupNetworkBindings
 - Updating the ports APIs to include resolution of the network's bound SecurityGroups wherever useful (for listing security groups, rules, etc.; as we imagine that some of these are used by the agents to apply the flow controls reflecting the security group rules)
 - Updating the client Libraries to expose new APIs
 - Updating the client CLI plugin to expose new commands for this additional feature
 - Updating whatever plugin exposes the security-group and network bindings in Horizon, and allows controlling them


Of course, we're going to put in the work for this, as it's part of our priority items, hopefully as part of a neutron contribution, if we find a solution to this issue we can agree on.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2075955

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2075955/+subscriptions
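As an added illustration (this is not neutron code and not the reporter's; every name in it, including SecurityGroupNetworkBinding, the store methods and the sample IDs and CIDR, is a hypothetical stand-in), the following in-memory model shows the semantics the RFE asks for: a security group bound to a network is folded into every port's effective security-group set and rule list, and a port update that would drop a network-bound group is rejected rather than applied. Rejecting is a design choice made here so the caller learns why the update failed; silently retaining the bound group is the other option.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SecurityGroupRule:
    """Subset of a neutron security-group rule; enough to show rule resolution."""
    direction: str                          # "ingress" or "egress"
    remote_ip_prefix: Optional[str]         # CIDR the rule matches; None means any
    protocol: Optional[str] = None          # "tcp", "udp", ...; None means any
    port_range_min: Optional[int] = None
    port_range_max: Optional[int] = None


@dataclass
class SecurityGroup:
    id: str
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Port:
    id: str
    network_id: str
    security_group_ids: set = field(default_factory=set)   # groups set on the port itself


class NetworkBoundSecurityGroupError(ValueError):
    """A port update tried to drop a group that is bound at network level."""


class SecurityGroupStore:
    """In-memory stand-in for the neutron DB (hypothetical; not neutron code)."""

    def __init__(self) -> None:
        self.security_groups: dict = {}
        self.ports: dict = {}
        # Hypothetical SecurityGroupNetworkBinding rows: network_id -> {sg_id, ...}
        self.network_bindings: dict = {}

    def add_security_group(self, sg: SecurityGroup) -> None:
        self.security_groups[sg.id] = sg

    def add_port(self, port: Port) -> None:
        unknown = port.security_group_ids - set(self.security_groups)
        if unknown:
            raise KeyError(f"unknown security groups: {sorted(unknown)}")
        self.ports[port.id] = port

    def bind_security_group_to_network(self, network_id: str, sg_id: str) -> None:
        """Hypothetical binding API: the group now applies to every port of the network."""
        if sg_id not in self.security_groups:
            raise KeyError(f"unknown security group: {sg_id}")
        self.network_bindings.setdefault(network_id, set()).add(sg_id)

    def unbind_security_group_from_network(self, network_id: str, sg_id: str) -> None:
        """Removal goes through the network, never through a port."""
        self.network_bindings.get(network_id, set()).discard(sg_id)

    def network_bound_security_group_ids(self, network_id: str) -> set:
        return set(self.network_bindings.get(network_id, set()))

    def effective_security_group_ids(self, port_id: str) -> set:
        """What 'list the security groups of this port' should return under the RFE."""
        port = self.ports[port_id]
        return port.security_group_ids | self.network_bound_security_group_ids(port.network_id)

    def effective_rules(self, port_id: str) -> list:
        """Rules an agent would program for the port: every rule of every effective group."""
        return [
            (sg_id, rule)
            for sg_id in sorted(self.effective_security_group_ids(port_id))
            for rule in self.security_groups[sg_id].rules
        ]

    def update_port_security_groups(self, port_id: str, requested_ids) -> set:
        """Update of the port's security_groups attribute under the proposed rules.

        Groups bound to the port's network cannot be dropped here; the request is
        rejected so the caller learns why (retaining them silently is the alternative).
        """
        port = self.ports[port_id]
        requested = set(requested_ids)
        unknown = requested - set(self.security_groups)
        if unknown:
            raise KeyError(f"unknown security groups: {sorted(unknown)}")
        bound = self.network_bound_security_group_ids(port.network_id)
        dropped = bound - requested
        if dropped:
            raise NetworkBoundSecurityGroupError(
                f"security groups {sorted(dropped)} are bound to network "
                f"{port.network_id} and cannot be removed via port {port_id}"
            )
        port.security_group_ids = requested
        return self.effective_security_group_ids(port_id)


def example_store() -> SecurityGroupStore:
    """Constructed sample data: an external network and a service VIP in 192.0.2.0/24."""
    store = SecurityGroupStore()
    store.add_security_group(SecurityGroup("sg-default", "default"))
    store.add_security_group(SecurityGroup(
        "sg-svc", "service-access",
        # egress from the VM towards the VIP range: the "open access by default" rule
        rules=[SecurityGroupRule("egress", "192.0.2.0/24", "tcp", 443, 443)],
    ))
    store.add_port(Port("port-1", "net-ext", {"sg-default"}))
    store.bind_security_group_to_network("net-ext", "sg-svc")
    return store


if __name__ == "__main__":
    store = example_store()
    print("effective groups:", sorted(store.effective_security_group_ids("port-1")))
    for sg_id, rule in store.effective_rules("port-1"):
        print(sg_id, rule)
    try:
        store.update_port_security_groups("port-1", {"sg-default"})
    except NetworkBoundSecurityGroupError as exc:
        print("rejected:", exc)
```

The port keeps only the groups explicitly set on it; the network-bound groups are merged in at read time, which is what makes the list-security-groups and list-rules paths the RFE mentions resolve the binding without a second write to every port. Once the group is unbound from the network it stops applying to ports that never named it themselves.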