✨ Manage Security Groups using OpenStackClusterTemplate (#138)

* Add security rules for Cilium Signed-off-by: michal.gubricky <michal.gubricky@dnation.cloud> * Remove the patch for allowAllInClusterTraffic when security groups are used Signed-off-by: michal.gubricky <michal.gubricky@dnation.cloud> --------- Signed-off-by: michal.gubricky <michal.gubricky@dnation.cloud>
SovereignCloudStack · Jul 19, 2024 · a516c90 · a516c90
1 parent 5553546
commit a516c90
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/providers/openstack/scs/cluster-class/templates/cluster-class.yaml b/providers/openstack/scs/cluster-class/templates/cluster-class.yaml
@@ -582,15 +582,6 @@ cre ate group names like oidc:engineering and oidc:infra."
             path: "/spec/template/spec/securityGroups"
             valueFrom:
               template: {{ `"[ {{ range .openstack_security_groups }} { filter: { name: {{ . }}}}, {{ end }} ]"` }}
-        - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
-            kind: OpenStackClusterTemplate
-            matchResources:
-              infrastructureCluster: true
-          jsonPatches:
-          - op: replace
-            path: "/spec/template/spec/managedSecurityGroups/allowAllInClusterTraffic"
-            value: false
     - name: cloud_name
       description: "Sets the name of the cloud to use from the clouds secret."
       enabledIf: {{ `'{{ ne .cloud_name "" }}'` }}

diff --git a/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml b/providers/openstack/scs/cluster-class/templates/openstack-cluster-template.yaml
@@ -14,7 +14,37 @@ spec:
         allowedCIDRs: {{ .Values.restrict_kubeapi }}
 {{- end }}
       managedSecurityGroups:
-        allowAllInClusterTraffic: true
+        allNodesSecurityGroupRules:
+        - remoteManagedGroups:
+          - controlplane
+          - worker
+          direction: ingress
+          etherType: IPv4
+          name: VXLAN (Cilium)
+          portRangeMin: 8472
+          portRangeMax: 8472
+          protocol: udp
+          description: "Allow VXLAN traffic for Cilium"
+        - remoteManagedGroups:
+          - controlplane
+          - worker
+          direction: ingress
+          etherType: IPv4
+          name: HealthCheck (Cilium)
+          portRangeMin: 4240
+          portRangeMax: 4240
+          protocol: tcp
+          description: "Allow HealthCheck traffic for Cilium"
+        - remoteManagedGroups:
+          - controlplane
+          - worker
+          direction: ingress
+          etherType: IPv4
+          name: Hubble (Cilium)
+          portRangeMin: 4244
+          portRangeMax: 4244
+          protocol: tcp
+          description: "Allow Hubble traffic for Cilium"
       managedSubnets:
         - cidr: {{ .Values.node_cidr }}
           dnsNameservers: