Kubernetes allows to fine-tune the access to the pods/containers by using Network Policies. When using Kuryr and running OpenShift on top of OpenStack, Network Policies are implemented through Neutron security groups and security group rules. Each Network Policy creates one security group. And depending on the Network Policy spec, as well as the existing pods, namespaces and their labels, more or less security group rules will be added to that security group.

It imposes extra load on Neutron (as well as time waste) to have to call the Neutron API to create first the SG and then the SG rules. It would be great to be able to create the SG with the rules in a single call.