Public bug reported:
Currently when the default security group is created for every new project,
there are 4 hardcoded rules added to it. Those rules allow:
1. IPv4 egress traffic from the port,
2. IPv6 egress traffic from the port,
3. IPv4 ingress traffic to the port coming from other ports which are using the
same security group,
4. IPv6 ingress traffic to the port coming from other ports which are using the
same security group.
There are a couple of issues with that:
1. it is a known fact that SG rules with remote_group_id (rules 3. and 4. above)
don't scale well, e.g. with neutron-openvswitch-agent,
2. Some operators would like to define different rules to be created by default
for each new project.
So this RFE proposes to add the possibility for operators (admin user
maybe) to define SG rules which will be added by default to the default security
group of each project.
To keep backward compatibility with what we have now and what has been working
like that for many years, by default we may have those 4 rules mentioned
above configured as the default SG rules, but the operator (admin user) will have
the possibility to change it.
I mentioned that it can be defined by an operator or admin user as we may
implement it as a new API which will be available for admins only or e.g.
via some special config file (something similar to policy.yaml), which can
then be modified by the cloud's operator.
** Affects: neutron
Importance: Wishlist
Assignee: Slawek Kaplonski (slaweq)
Status: New
** Tags: rfe
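The example below is added here and is not Neutron code or part of the bug report. It models the four rules the report says Neutron hardcodes into every new project's default security group as dicts shaped like Neutron security_group_rule API bodies (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id), then expands an operator-supplied template into the same shape, which is the behaviour the RFE asks for. The template format, the "PARENT" placeholder and the 10.0.0.0/8 CIDR are assumptions made for this example; the RFE does not define any of them. The helper remote_group_rules() picks out the rules that rely on remote_group_id, i.e. the ones the report says scale poorly with neutron-openvswitch-agent.

```python
# Added example, not Neutron code. Rule dicts mimic the attribute names of the
# Neutron security_group_rule API. Template format, the PARENT placeholder and
# the sample CIDR are assumptions for this example only.

RULE_ATTRS = (
    "security_group_id", "direction", "ethertype", "protocol",
    "port_range_min", "port_range_max", "remote_ip_prefix", "remote_group_id",
)

# Placeholder (assumed for this example) meaning "the default SG itself".
PARENT = "PARENT"


def _rule(sg_id, **attrs):
    """Build one rule dict with every API attribute present (None if unset)."""
    unknown = set(attrs) - set(RULE_ATTRS)
    if unknown:
        raise ValueError("unknown rule attributes: %s" % sorted(unknown))
    rule = dict.fromkeys(RULE_ATTRS)
    rule.update(attrs)
    rule["security_group_id"] = sg_id
    return rule


def current_default_rules(sg_id):
    """The four rules Neutron adds to a new project's default SG today."""
    rules = []
    for ethertype in ("IPv4", "IPv6"):
        # Rules 1 and 2: any egress from the port.
        rules.append(_rule(sg_id, direction="egress", ethertype=ethertype))
        # Rules 3 and 4: ingress only from ports in the same security group.
        rules.append(_rule(sg_id, direction="ingress", ethertype=ethertype,
                           remote_group_id=sg_id))
    return rules


# Operator template reproducing today's behaviour: the backward-compatible
# default the RFE proposes to ship.
LEGACY_TEMPLATE = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": PARENT},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": PARENT},
]

# Constructed alternative: intra-project ingress granted by CIDR instead of
# remote_group_id, so the resulting default SG has no remote-group rules.
CIDR_TEMPLATE = [
    {"direction": "egress", "ethertype": "IPv4"},
    {"direction": "egress", "ethertype": "IPv6"},
    {"direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "10.0.0.0/8"},
]


def validate_template(template):
    """Return a list of problems with an operator template (empty if valid)."""
    problems = []
    for i, entry in enumerate(template):
        if entry.get("direction") not in ("ingress", "egress"):
            problems.append("entry %d: direction must be ingress or egress" % i)
        if entry.get("ethertype") not in ("IPv4", "IPv6"):
            problems.append("entry %d: ethertype must be IPv4 or IPv6" % i)
        # The API accepts at most one of remote_ip_prefix / remote_group_id.
        if (entry.get("remote_ip_prefix") is not None
                and entry.get("remote_group_id") is not None):
            problems.append("entry %d: remote_ip_prefix and remote_group_id "
                            "are mutually exclusive" % i)
        # A port range without a protocol is rejected by the API.
        if entry.get("protocol") is None and (
                entry.get("port_range_min") is not None
                or entry.get("port_range_max") is not None):
            problems.append("entry %d: port range requires a protocol" % i)
    return problems


def rules_from_template(sg_id, template):
    """Expand a validated template into rule dicts for one default SG."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for entry in template:
        attrs = dict(entry)
        if attrs.get("remote_group_id") == PARENT:
            attrs["remote_group_id"] = sg_id  # resolve to this SG's own id
        rules.append(_rule(sg_id, **attrs))
    return rules


def remote_group_rules(rules):
    """Rules matching on a remote security group: the ones the report says
    scale poorly with neutron-openvswitch-agent."""
    return [r for r in rules if r["remote_group_id"] is not None]


if __name__ == "__main__":
    sg = "default-sg-of-project-a"  # constructed id
    today = current_default_rules(sg)
    print("hardcoded rules:", len(today),
          "remote-group rules:", len(remote_group_rules(today)))
    print("legacy template reproduces them:",
          rules_from_template(sg, LEGACY_TEMPLATE) == today)
    print("remote-group rules from CIDR template:",
          len(remote_group_rules(rules_from_template(sg, CIDR_TEMPLATE))))
```

Running the module prints 4 hardcoded rules, 2 of them remote-group rules, confirms that LEGACY_TEMPLATE regenerates exactly those four, and shows CIDR_TEMPLATE yields zero remote-group rules. Whether the operator template lives in a config file or behind an admin-only API, as the report leaves open, the validation step is the piece worth keeping: a malformed default rule would otherwise be stamped into every new project.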
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1983053
Title:
Add possibility to define default security group rules
Status in neutron:
New