-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenStack LBaaS fix: must use ID, not name, of the node security group #65373
OpenStack LBaaS fix: must use ID, not name, of the node security group #65373
Conversation
Hi @multi-io. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -570,7 +570,12 @@ func getNodeSecurityGroupIDForLB(compute *gophercloud.ServiceClient, nodes []*v1 | |||
// case 2: node1:SG1,SG2 node2:SG3,SG4 return SG1,SG3 | |||
// case 3: node1:SG1,SG2 node2:SG2,SG3 return SG1,SG2 | |||
securityGroupName := srv.SecurityGroups[0]["name"] | |||
nodeSecurityGroupIDs.Insert(securityGroupName.(string)) | |||
secGroupID, err := groups.IDFromName(network, securityGroupName.(string)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
groups.IDFromName
does an API lookup. Given that almost all uses of this loop are going to be performing many lookups for a very small (almost always 1) number of names, it would be nice to do this lookup after de-duplication...
iow: something like:
Assuming s/nodeSecurityGroupIDs/sgNames/g
for _, node := range nodes {
...
sgNames.Insert(securityGroupName.(string))
}
ids := make([]string, sgNames.Len())
for i, name := range sgNames.List() {
var err error
ids[i], err = groups.IDFromName(network, name)
if err != nil {
return []string{}, err
}
}
return ids, nil
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, thanks. Fix applied. (force push -- is that OK?)
What do you think about turning the function into a method?
940306d
to
e9b08b6
Compare
e9b08b6
to
8ed735d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
(and yes, force pushing is fine - it's the github way. For long/controversial PRs it's sometimes nice to build up incremental commits to make the review easier, and then squash the whole lot after you get a "verbal" lgtm.)
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, multi-io The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cc @hogepodge - this looks like an important gap in our testing (Service type=LoadBalancer + lbaas without explicit node security group config), if you're looking for a motivational example... |
Automatic merge from submit-queue (batch tested with PRs 65449, 65373, 49410). If you want to cherry-pick this change to another branch, please follow the instructions here. |
If the previous code was broken, then it was broken in 1.9-1.11, and we should backport this to (at least) 1.11 imo. I hesitate to suggest this code has been non-functional for that long however, so more testing reports from people with/without this patch would be useful to help inform that backport discussion. (tagging @dims to track backporting - if required) |
We can verify this issue with 1.9.7 as well as 1.10.3. |
Thanks @bashofmann @anguslees. i've filed reverts. |
…onfig for Kubernetes versions that support it The issue that this setting is not working was fixed with kubernetes/kubernetes#65373 and is available in versions >=1.9.10, 1.10.6, 1.11.1 The setting should not be applied to older Kubernetes versions since it breaks creating LoadBalancers completely. Fixes #1717
* Sets OpenStack LoadBalancer manage-security-groups setting in cloud-config for Kubernetes versions that support it The issue that this setting is not working was fixed with kubernetes/kubernetes#65373 and is available in versions >=1.9.10, 1.10.6, 1.11.1 The setting should not be applied to older Kubernetes versions since it breaks creating LoadBalancers completely. Fixes #1717 * Update test fixtures that were broken because of rebase
This is a bugfix for the OpenStack LBaaS cloud provider security group management.
A bit of context: When creating a load balancer for a given
type: LoadBalancer
service, the provider will try to:(see
pkg/cloudprovider/providers/openstack/openstack_loadbalancer.go
/EnsureLoadBalancer
)If
manage-security-groups
is enabled in controller-manager's cloud.conf:In the current upstream master, steps 1 through 3 work fine, step 4 fails, leading to a service that's not accessible via the LB without further manual intervention.
The bug is in the "pick an existing security group" operation (func
getNodeSecurityGroupIDForLB
), which, contrary to its name, will return the security group's name rather than its ID (actually it returns a list of names rather than IDs, apparently to cover some corner cases where you might have more than one node security group, but anyway). This will then be used when trying to add the ingress rules to the group, which the Openstack API will reject with a 404 (at least on our (fairly standard) Openstack Ocata installation) because we're giving it a name where it expects an ID.The PR adds a "get ID given a name" lookup to the
getNodeSecurityGroupIDForLB
function, so it actually returns IDs. That's it. I'm not sure if the upstream code wasn't really tested, or maybe other people use other Openstacks with more lenient APIs. The bug and the fix is always reproducible on our installation.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #58145
Special notes for your reviewer:
Should we turn
getNodeSecurityGroupIDForLB
into a method with the lbaas as its receiver because it now requires two of the lbaas's attributes? I'm not sure what the conventions are here, if any.Release note: