0e581caa2d
Since Train, Octavia has a new API to restrict lbs access on listeners. This is important when enforcing Network Policies on services. Before this patch, Kuryr required either admin priviledges to change the security group rules associated to the loadbalancer, or use the ovn-octavia loadbalancer that does not require those rules as the source IP is not changed when passing through the LoadBalancer VIP. By adopting the new Octavia ACL API, there is no need for admin priviledges to limit the access to the loadbalancers. Implements: blueprint octavia-acls Change-Id: I8f6bae00413aa181e9c2cac72c87bd93161796bc
10 lines
459 B
YAML
10 lines
459 B
YAML
---
|
|
features:
|
|
- |
|
|
Added support for Octavia VIP access control list. This new Octavia API
|
|
allows users to limit incomming traffic to a set of allowed CIDRs. Kuryr
|
|
uses this to enforce Network Policies on services, changing the security
|
|
group associated to the Load Balancer through this new API instead of
|
|
directly. Thanks to it, Kuryr no longer needs admin priviledges to
|
|
restrict the access to the loadbalancers VIPs some details.
|