Open
Description
The flight controller is ensuring a couple of entries to the security group that is configured for the cluster.
At the moment the controller reconciles:
- the cluster security group is assigned to every cluster node
- that the ingress for the cluster CIDR is allowed within the security group (is this even necessary?)
We are not reconciling certain assumptions that we probably should in the future to avoid support load.
- egress
- ntp
- dns
- docker hub (maybe not needed anymore)
- regional keppel + swift (for kubelet, kube-proxy, wormhole, dns)
- swift eu-de-1 (rkt download)
Two open questions:
- Do we really need the cluster CIDR security group? I'm not sure its required as I believe that cloud controller manager also configures the pod CIDR ranges on the instance port as "allowed address pairs": https://github.com/kubernetes/cloud-provider-openstack/blob/9b8de65448e7872ac4e83c7342e498127155253b/pkg/openstack/routes.go#L332
If that works reliable we may not need the security group rule to get pod to pod communication working - What is with communication settings for the loadbalancer <-> backend? Can we ensure a rule there as well to make it work? There is also a "manage security groups" option in the cloud controller manager that we don't use atm.