
Upgrade OCCM to latest patch releases to mitigate critical issue with managed security groups #3472

Closed
judge-red opened this issue Nov 25, 2024 · 0 comments · Fixed by #3484
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management.

Comments


judge-red commented Nov 25, 2024

Description of the feature you would like to add

A month ago, we discovered a critical issue (to be clear: functionally critical, not in terms of security) in the OpenStack Cloud Controller Manager (OCCM): kubernetes/cloud-provider-openstack#2699 (see use case below for a summary).

This was addressed in a patch 2 weeks ago: kubernetes/cloud-provider-openstack#2705

Now the patch for this has finally landed in new releases (although the project has not created GitHub releases yet):

Unfortunately it came just too late to be considered for 1.9.0 but we would appreciate a new patch release ASAP.

Solution details

  • upgrade the OCCM to the latest patch releases for v1.30 and v1.31
  • maybe tell people on Kubernetes v1.29 that they need to upgrade to v1.30+, if they use the OVN provider and the feature to let the OCCM manage the security groups

Alternative approaches

We need to manually patch the OCCM pods to use the new images :(

Use cases

Long story short, the manage-security-groups feature malfunctioned and deleted required security group rules in situations when it shouldn't. This affects all users of OpenStack Octavia (Load Balancers as a Service) opting for the OVN provider (i.e. not the Amphora provider) and choosing to enable the manage-security-groups feature (which is pretty much required).

Additional information

manage-security-groups=true is the option that needs to be set in the cloud config to enable this feature, that's why I'm calling the feature manage-security-groups, not sure if there's another official name for it.

Edit: there are now proper GitHub releases with release notes as well:

@judge-red judge-red added kind/feature Categorizes issue or PR as related to a new feature. sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. labels Nov 25, 2024
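As an added example (not part of the issue or of the cloud-provider-openstack project), the following Python snippet lets an operator check whether a cluster falls into the affected population the issue describes: a cloud.conf that selects the OVN Octavia provider and enables manage-security-groups, combined with an OCCM image that predates the fixed patch release. It assumes the usual OCCM cloud.conf layout, where `manage-security-groups` and the `lb-provider` key live in the `[LoadBalancer]` section (`lb-provider` is taken from the OCCM documentation, not from this issue). The cloud.conf fragments and the "first fixed" patch versions below are constructed for illustration; the real fixed versions have to be taken from the OCCM release notes the issue points at.

```python
"""Flag the OCCM configuration / version combination described in the issue."""
import configparser

# Constructed cloud.conf fragments (not taken from the issue).
AFFECTED_CONF = """
[Global]
auth-url = https://keystone.example.internal:5000/v3

[LoadBalancer]
lb-provider = ovn
manage-security-groups = true
"""

UNAFFECTED_CONF = """
[LoadBalancer]
lb-provider = amphora
manage-security-groups = true
"""


def parse_cloud_conf(text):
    """Parse OCCM's INI-style cloud.conf; interpolation is disabled because
    OpenStack values (URLs, passwords) may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def uses_ovn_managed_sgs(text):
    """True when the [LoadBalancer] section selects the OVN provider *and*
    enables manage-security-groups, i.e. the combination affected by the bug."""
    cp = parse_cloud_conf(text)
    if not cp.has_section("LoadBalancer"):
        return False
    lb = cp["LoadBalancer"]
    provider = lb.get("lb-provider", "").strip().lower()
    managed = lb.getboolean("manage-security-groups", fallback=False)
    return provider == "ovn" and managed


def parse_tag(tag):
    """'v1.30.2' -> (1, 30, 2); anything else is rejected so a typo in the
    tag cannot silently pass the version check."""
    parts = tag[1:].split(".") if tag.startswith("v") else []
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected OCCM image tag {tag!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(running_tag, fixed_tags):
    """fixed_tags maps a minor line ('v1.30') to the first patch tag that
    carries the fix. Returns True if the running image is older than that,
    or if its minor line has no fixed release at all (the v1.29 case the
    issue mentions, where moving to v1.30+ is the only option)."""
    major, minor, patch = parse_tag(running_tag)
    line = f"v{major}.{minor}"
    if line not in fixed_tags:
        return True
    return (major, minor, patch) < parse_tag(fixed_tags[line])


if __name__ == "__main__":
    # CONSTRUCTED values: replace with the patch versions named in the OCCM
    # release notes, and with the tag of the image actually running
    # (e.g. read from the OCCM pod spec with kubectl).
    fixed = {"v1.30": "v1.30.99", "v1.31": "v1.31.99"}
    running = "v1.30.1"
    if uses_ovn_managed_sgs(AFFECTED_CONF) and needs_upgrade(running, fixed):
        print(f"OCCM {running} with OVN + manage-security-groups: upgrade required")
    else:
        print("not in the affected configuration")
```

Run against the real cloud.conf (mounted into the OCCM pods as a Secret) and the image tag from the OCCM DaemonSet to decide whether a manual image patch, as the issue describes, is needed until a new patch release ships.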