OpenShift Container Platform (OCP) Strategy
OCPSTRAT-259

Switch cloud-provider-openstack to use manage-security-groups


      Goal

      Why is this important?

      Right now we blindly open the whole NodePort range for masters and workers in the main security groups created for them. For Amphora we can keep the nodes' subnet CIDR as the remote prefix there, since Amphora hides the original client IP, but for OVN the CIDR has to be 0.0.0.0/0. This poses a potential security threat, as we should open as few ports as possible.

      Another problem is that with OVN LBs we cannot use allowed_cidrs to implement support for LoadBalancerSourceRanges. For that to work we need to manipulate the SGs on the members, which effectively requires manageSecurityGroups to be on.

      Scenarios

      1. Remove the SG rules opening full access to NodePort range on masters and workers.
      2. Make sure access to NodePorts is only opened selectively by the cloud-provider itself.
      3. Support LoadBalancerSourceRanges when OVN Octavia provider is configured.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement
      • No more SG rules opening full access.
      • NodePorts are opened selectively. Removal of SG rules is added to cloud-provider.
      • LoadBalancerSourceRanges supported with OVN Octavia provider.
      • Documentation explaining how to remove SG rules created by previous version of the installer after an upgrade to a version configuring manageSecurityGroups.
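Scenario 1 above and the last acceptance criterion both come down to the same operator task: find the installer-created rules that expose the whole NodePort range and remove them once the cloud provider manages security groups itself. The following Python script is an added example, not code from this issue or from cloud-provider-openstack. It audits a list of Neutron security-group rules and reports every ingress rule that covers the full NodePort range, classified by how broad its remote is (world, a CIDR, or another security group). The sample rules are constructed for the example; their field names mirror the Neutron security-group-rule API, and the IDs and group names are placeholders.

```python
"""Audit Neutron security-group rules for blanket NodePort exposure.

Added example (not from the Jira issue or cloud-provider-openstack). Finds
ingress rules that open the whole NodePort range, which is the state the
installer used to leave masters and workers in before the provider managed
security groups.
"""
import ipaddress

# kube-apiserver default --service-node-port-range
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767

# Constructed sample rules. Field names mirror the Neutron API
# (port_range_min/max, remote_ip_prefix, remote_group_id, ...);
# IDs and security-group names are placeholders.
SAMPLE_RULES = [
    # installer rule for the OVN case: full range from anywhere
    {"id": "rule-1", "security_group_id": "sg-master", "direction": "ingress",
     "protocol": "tcp", "port_range_min": 30000, "port_range_max": 32767,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # installer rule for the Amphora case: full range from the nodes subnet
    {"id": "rule-2", "security_group_id": "sg-worker", "direction": "ingress",
     "protocol": "tcp", "port_range_min": 30000, "port_range_max": 32767,
     "remote_ip_prefix": "10.0.0.0/16", "remote_group_id": None},
    # what a selectively opened NodePort looks like: one port, one source range
    {"id": "rule-3", "security_group_id": "sg-worker", "direction": "ingress",
     "protocol": "tcp", "port_range_min": 31234, "port_range_max": 31234,
     "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
    # unrelated port, should not be reported by this check
    {"id": "rule-4", "security_group_id": "sg-master", "direction": "ingress",
     "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # egress rules are out of scope
    {"id": "rule-5", "security_group_id": "sg-worker", "direction": "egress",
     "protocol": "tcp", "port_range_min": 30000, "port_range_max": 32767,
     "remote_ip_prefix": None, "remote_group_id": None},
    # all traffic from members of the same group (no protocol, no ports)
    {"id": "rule-6", "security_group_id": "sg-worker", "direction": "ingress",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "sg-worker"},
]


def covers_nodeport_range(rule):
    """True if the rule's port range contains the whole NodePort range.

    A rule without protocol/ports matches all traffic and therefore also
    covers the range; protocols without ports (e.g. icmp) never do.
    """
    if rule.get("protocol") not in (None, "tcp", "udp"):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return True
    if lo is None or hi is None:
        return False
    return lo <= NODEPORT_MIN and hi >= NODEPORT_MAX


def classify_remote(rule):
    """'world' for an unrestricted remote, 'cidr' for a prefix, 'group' for an SG."""
    prefix = rule.get("remote_ip_prefix")
    if rule.get("remote_group_id") and not prefix:
        return "group"
    if prefix is None:
        return "world"
    net = ipaddress.ip_network(prefix, strict=False)
    return "world" if net.prefixlen == 0 else "cidr"


def find_blanket_nodeport_rules(rules):
    """Return findings for ingress rules that expose the full NodePort range."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress" or not covers_nodeport_range(rule):
            continue
        findings.append({
            "id": rule["id"],
            "security_group": rule["security_group_id"],
            "remote": rule.get("remote_ip_prefix") or rule.get("remote_group_id") or "any",
            "scope": classify_remote(rule),
        })
    return findings


def cleanup_commands(findings):
    """OpenStack CLI delete commands for the flagged rules, for review before use."""
    return ["openstack security group rule delete %s" % f["id"] for f in findings]


if __name__ == "__main__":
    found = find_blanket_nodeport_rules(SAMPLE_RULES)
    for f in found:
        print("%-7s %-10s remote=%-14s scope=%s" % (f["id"], f["security_group"], f["remote"], f["scope"]))
    print("\n".join(cleanup_commands(found)))
```

To run this against a real cluster, replace SAMPLE_RULES with the rules of the master and worker groups as returned by the Neutron API (GET /v2.0/security-group-rules), keeping the same field names. The printed delete commands are meant to be reviewed, not piped into a shell, and only applied after the provider, running with manage-security-groups enabled, has created the per-Service rules that replace the blanket ones; deleting first would cut off every NodePort at once.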

      Dependencies (internal and external)

      1. Upstream PR fixing the issue of SG rules removal: https://github.com/kubernetes/cloud-provider-openstack/pull/2033
      2. Upstream issue regarding making sure SGs are applied to new nodes too: https://github.com/kubernetes/cloud-provider-openstack/issues/2058

      Previous Work (Optional):

      1. This bug investigation: https://issues.redhat.com/browse/OCPBUGS-2789

      Open questions:

      1. Will increasing the number of SGs attached to masters and workers affect the performance of Neutron? This needs to be consulted with the Neutron team.

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Technical Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            People: Gil Rosenberg, Genadi Chereshnya, Stephanie Stout, Jon Thomas