|
| 1 | +.. |
| 2 | + This work is licensed under a Creative Commons Attribution 3.0 Unported |
| 3 | + License. |
| 4 | +
|
| 5 | + http://creativecommons.org/licenses/by/3.0/legalcode |
| 6 | + |
| 7 | +================================================ |
| 8 | +Support for Custom Security Groups for VIP Ports |
| 9 | +================================================ |
| 10 | + |
| 11 | +This specification describes how Octavia can allow users to provide their own |
| 12 | +Neutron Security Groups for the VIP Port of a load balancer. |
| 13 | + |
| 14 | + |
| 15 | +Problem description |
| 16 | +=================== |
| 17 | + |
| 18 | +Many users have requested a method for customizing the security groups of the |
| 19 | +VIP ports of a load balancer in Octavia. There are some benefits from using |
| 20 | +custom security groups: |
| 21 | + |
| 22 | +* Allowing incoming connections only from specific remote group IDs. |
| 23 | + |
| 24 | +* Having a unique API (The networking Security Groups API) to configure the |
| 25 | + network security for all the users' resources. |
| 26 | + |
| 27 | +Note: The specification is not about Security Groups for the member ports, this |
| 28 | +feature could be the subject of another spec. |
| 29 | + |
| 30 | + |
| 31 | +Proposed change |
| 32 | +=============== |
| 33 | + |
| 34 | +A user will be able to provide a ``vip_sg_ids`` parameter when creating a load |
| 35 | +balancer. |
| 36 | + |
| 37 | +This parameter will be optional and defaulted to None. When set, it contains a |
| 38 | +list of Neutron Security Group IDs. When it's not set, the behavior of the VIP |
| 39 | +port would not change. |
| 40 | +In this document, these security groups are called Custom security |
| 41 | +groups, as opposed to the existing Octavia-managed security groups. |
| 42 | + |
| 43 | +If the parameter is set, Octavia would apply these Custom security |
| 44 | +groups to the VIP and Amphora ports (known as VRRP ports internally). Then |
| 45 | +Octavia would create and manage a security group (Octavia-managed security |
| 46 | +group) with rules for its internal communication (haproxy peering, VRRP |
| 47 | +communication). Thus the VIP port would have more than one Neutron security |
| 48 | +group. |
| 49 | + |
| 50 | +No rules based on the port or the protocol of the listeners would be managed by |
| 51 | +Octavia, for each new listener, the user would have to add their own rules to |
| 52 | +their Custom security groups. |
| 53 | + |
| 54 | + |
| 55 | +Alternatives |
| 56 | +------------ |
| 57 | + |
| 58 | +An alternative method would be to implement an ``allowed_remote_group_ids`` |
| 59 | +parameter when creating a load balancer. Users would have a feature that covers |
| 60 | +the first point described in "Problem Description". |
| 61 | + |
| 62 | + |
| 63 | +Data model impact |
| 64 | +----------------- |
| 65 | + |
| 66 | +This feature requires some changes in the data model, a new table |
| 67 | +``VipSecurityGroup`` is added, it contains: |
| 68 | + |
| 69 | +* ``load_balancer_id``: the UUID of the load balancer (which also represents a |
| 70 | + Vip) |
| 71 | + |
| 72 | +* ``sg_id``: the UUID of a Custom Security Group |
| 73 | + |
| 74 | +A load balancer (identified by its ID) or a VIP are linked to one or more |
| 75 | +Custom Security Groups. |
| 76 | + |
| 77 | +It also requires an update of the data model in octavia-lib. |
| 78 | + |
| 79 | + |
| 80 | +REST API impact |
| 81 | +--------------- |
| 82 | + |
| 83 | +The POST /v2/lbaas/loadbalancers endpoint is updated to accept an optional |
| 84 | +``vip_sg_ids`` parameter (a list of UUIDs that represents Custom Security |
| 85 | +Groups). |
| 86 | + |
| 87 | +If the parameter is set, Octavia checks that the Custom security groups exist |
| 88 | +and that the user is allowed to use them, then Octavia creates new |
| 89 | +VIPSecurityGroup objects with these new parameters. |
| 90 | + |
| 91 | +The PUT /v2/lbaas/loadbalancers endpoint is also updated, allowing to update |
| 92 | +the list of Custom Security Groups. |
| 93 | + |
| 94 | +The ``vip_sg_ids`` parameter is also added to the reply of the GET method. |
| 95 | + |
| 96 | +Using ``vip_sg_ids`` is incompatible with some existing features in Octavia, |
| 97 | +like ``allowed_cidrs`` in the listeners. Setting ``allowed_cidrs`` in a load |
| 98 | +balancer with ``vip_sg_ids`` should be denied, updating the ``vip_sg_ids`` of a |
| 99 | +load balancer that includes listeners with ``allowed_cidrs`` too. |
| 100 | + |
| 101 | +``vip_sg_ids`` is also incompatible with SR-IOV enabled load balancers and |
| 102 | +other provider drivers. |
| 103 | + |
| 104 | + |
| 105 | +Security impact |
| 106 | +--------------- |
| 107 | + |
| 108 | +When this feature is enabled, Octavia no longer handles the security of the VIP |
| 109 | +port, the users are responsible of the configuration of the Custom Security |
| 110 | +Groups. |
| 111 | + |
| 112 | +A RBAC policy is added to Octavia, an administrator can limit the access to |
| 113 | +this feature to a specific role. |
| 114 | + |
| 115 | + |
| 116 | +Notifications impact |
| 117 | +-------------------- |
| 118 | + |
| 119 | +None. |
| 120 | + |
| 121 | + |
| 122 | +Other end user impact |
| 123 | +--------------------- |
| 124 | + |
| 125 | +The impact for the end user is that they are responsible for allowing the |
| 126 | +incomming traffic to their load balancer. The creation of a new listener would |
| 127 | +request at least 2 API calls, one for creating the listener in Octavia, one for |
| 128 | +adding a new security group rule to the Custom security group. |
| 129 | + |
| 130 | + |
| 131 | +Performance Impact |
| 132 | +------------------ |
| 133 | + |
| 134 | +Performance could be impacted if the user adds too many rules to the |
| 135 | +Custom security group, but this issue is outside the scope of Octavia. |
| 136 | + |
| 137 | + |
| 138 | +Other deployer impact |
| 139 | +--------------------- |
| 140 | + |
| 141 | +None. |
| 142 | + |
| 143 | + |
| 144 | +Developer impact |
| 145 | +---------------- |
| 146 | + |
| 147 | +Impact is minimal, a few changes in the API and in the DB, only a few new |
| 148 | +conditionals in the allowed_address_pairs module. |
| 149 | + |
| 150 | +It could have a more significant impact if this feature is added to the |
| 151 | +octavia-dashboard. |
| 152 | + |
| 153 | + |
| 154 | +Implementation |
| 155 | +============== |
| 156 | + |
| 157 | +Assignee(s) |
| 158 | +----------- |
| 159 | + |
| 160 | +Primary assignee: |
| 161 | + gthiemonge |
| 162 | + |
| 163 | + |
| 164 | +Work Items |
| 165 | +---------- |
| 166 | + |
| 167 | +1. Update the data model of the VIP port in octavia_lib and octavia. |
| 168 | +2. Update the API to handle the new ``vip_sg_id`` parameter. |
| 169 | +3. Update the allowed_address_pairs module to handle this new feature. |
| 170 | +4. Update the api-ref and the user guide. |
| 171 | +5. Add required unit and functional tests. |
| 172 | +6. Add support to python-octaviaclient and openstacksdk |
| 173 | +7. Add tempest tests for this feature. |
| 174 | + |
| 175 | + |
| 176 | +Dependencies |
| 177 | +============ |
| 178 | + |
| 179 | +None. |
| 180 | + |
| 181 | + |
| 182 | +Testing |
| 183 | +======= |
| 184 | + |
| 185 | +The feature can easily be tested with tempest tests. |
| 186 | + |
| 187 | +- creation of a load balancer and its Custom security groups, check that |
| 188 | + it's reachable |
| 189 | +- update the list of Custom security groups, check that the connectivity |
| 190 | + to the load balancer is impacted. |
| 191 | + |
| 192 | + |
| 193 | +Documentation Impact |
| 194 | +==================== |
| 195 | + |
| 196 | +The feature will be included in the cookbook. |
| 197 | +The api-ref and feature matrix will be also updated. |
| 198 | + |
| 199 | + |
| 200 | +References |
| 201 | +========== |
| 202 | + |
| 203 | +None. |
0 commit comments