[WIP] ✨Disable/enable PortSecurity at port level

[Xenwar]

This PR adds the capability of enabling/disabling PortSecurity at the port level.

Example Manifest

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: OpenStackCluster
metadata:
  name: basic-8
  namespace: default
spec:
  disablePortSecurity: false

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4
kind: OpenStackMachineTemplate
metadata:
  name: basic-8-control-plane
  namespace: default
spec:
  template:
    spec:
      ports:
      - description: "primary with PortSecurity enabled, required for proper k8s cluster"
        disablePortSecurity: false
        allowedAddressPairs:
        - macAddress: "a4:b8:34:2b:ab:01"
          ipAddress: "10.10.10.10/24"
      - description: "secondary with PortSecurity disabled"
        disablePortSecurity: true
        allowedAddressPairs:
        - macAddress: "a4:b8:34:2b:ab:02"
          ipAddress: "20.20.20.20/24"

Example output:
`

(openstack) port show primary-port
+-----------------------+--------------------------------------------------------------------+
| Field                 | Value                                                              |
+-----------------------+--------------------------------------------------------------------+
| allowed_address_pairs | ip_address='10.10.10.10/24', mac_address='a4:b8:34:2b:ab:01'       |
| description           | primary with PortSecurity enabled, required for proper k8s cluster |
| port_security_enabled | True                                                               |
| security_group_ids    | 37e42488-1417-4e2c-980f-d2ef71ffbacc                               |
+-----------------------+--------------------------------------------------------------------+
(openstack) port show secondary-port
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| allowed_address_pairs |                                      |
| description           | secondary with PortSecurity disabled |
| port_security_enabled | False                                |
| security_group_ids    |                                      |
+-----------------------+--------------------------------------+

`

Fixes #911
Signed-off-by: Anwar Hassen [email protected]

[k8s-ci-robot]

Hi @Xenwar. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Xenwar]

/assign @sbueringer

[hidekazuna]

Where this description come from? Description should be auto generated from a comment in api/v1alpha4/types.go.

[Xenwar]

You are right. I did not re-generate the yaml files after removing the comment.
Will add the comment back.

[hidekazuna]

Can't we create port with/without port security not updating after creating port?

[Xenwar]

no, we cannot.
At the port level, PortSecurity is immutable.
For the network level, there is a bug reporter (#913)

[hidekazuna]

I think it is possible from gophercloud docs.

[Xenwar]

Indeed. The link you provided is more efficient as it does not need retrieving the port to update it, I will update my PR accordingly.

[Xenwar]

Thanks a lot

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Xenwar
To complete the pull request process, please ask for approval from sbueringer after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hidekazuna]

@Xenwar I think we need to discuss motivation and spec more. Please see #911 #913

[Xenwar]

@Xenwar I think we need to discuss motivation and spec more. Please see #911 #913

Thanks, I will try it again and update the issue accordingly.

[Xenwar]

@hidekazuna
Having difficulty combining these two options.
The ports.Create(s.networkClient, takes only one of them. Option2 does not allow setting HostID, VNICType and Profile properties.
Any idea if combining them is possible ?

	option1 := portsbinding.CreateOptsExt{
		CreateOptsBuilder: createOpts,
		HostID:            portOpts.HostID,
		VNICType:          portOpts.VNICType,
		Profile:           nil,

	}
	option2 := portsecurity.PortCreateOptsExt{
		CreateOptsBuilder:   createOpts,
		PortSecurityEnabled: &enablePortSecurity,
	}

[hidekazuna]

@hidekazuna
Having difficulty combining these two options.
The ports.Create(s.networkClient, takes only one of them. Option2 does not allow setting HostID, VNICType and Profile properties.
Any idea if combining them is possible ?

	option1 := portsbinding.CreateOptsExt{
		CreateOptsBuilder: createOpts,
		HostID:            portOpts.HostID,
		VNICType:          portOpts.VNICType,
		Profile:           nil,

	}
	option2 := portsecurity.PortCreateOptsExt{
		CreateOptsBuilder:   createOpts,
		PortSecurityEnabled: &enablePortSecurity,
	}

@Xenwar Thanks investigating. I have no idea to combine them as of now.

[Xenwar]

@hidekazuna Thanks.

[jichenjc]

/ok-to-test

[iamemilio]

I just made a similar PR not realizing this was already out there. Lets combine efforts and share homework: #921

Rather than inheriting the port security settings from the cluster spec, I think its better to just inherit them from the network (which openstack does automatically on create) since these ports can be created on any network in theory. This is why I chose to make it *bool.

[iamemilio]

Another thing to watch out for is that because we typically set the security groups at the instance level, OpenStack will apply that security group to all port interfaces of that instance. This will cause ugly bugs when setting the port security on those ports.

[Xenwar]

I just made a similar PR not realizing this was already out there. Lets combine efforts and share homework: #921

Rather than inheriting the port security settings from the cluster spec, I think its better to just inherit them from the network (which openstack does automatically on create) since these ports can be created on any network in theory. This is why I chose to make it *bool.

Thanks, we can combine efforts.
On inheriting portSecurity from the network, my reasoning was there should be a single source of truth for the setting. So, if one changes the setting at the OSCluster spec, then it is propagated to the the Network.

Also, Network level setting is relevant when PortSecurity is disabled at the network level so the setting is disabled for each port. i.e. Ports do not inherit the setting from the network in all cases.

[Xenwar]

Another thing to watch out for is that because we typically set the security groups at the instance level, OpenStack will apply that security group to all port interfaces of that instance. This will cause ugly bugs when setting the port security on those ports.

We have a use case to enable/disable PortSecurity at the port(s) level. I am not quite sure yet at what point the bug you mentioned could show up, during Port creation or during an update as we have the option of specifying security groups at the port level.

We could probably open a discussion on slack on the this and the other comment.

[iamemilio]

/assign @iamemilio
going to assign myself to this so that I get notifications :)

[Xenwar]

/hold alternatives ways under discussion, #921

[Xenwar]

/unhold

[hidekazuna]

@Xenwar hold/unfold does not mean ready for review. If PR is not ready for review, rename title starting with WIP, please.

[Xenwar]

/test pull-cluster-api-provider-openstack-e2e-test

[hidekazuna]

This is in "Accessing nodes through the bastion host via SSH" section, not security group section. How about moving to Ports?

[Xenwar]

Thanks, moved

[Xenwar]

/test pull-cluster-api-provider-openstack-e2e-test

[Xenwar]

/test pull-cluster-api-provider-openstack-e2e-test

[Xenwar]

/test pull-cluster-api-provider-openstack-e2e-test

[k8s-ci-robot]

@Xenwar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Rerun command
pull-cluster-api-provider-openstack-e2e-test	3537479	link	/test pull-cluster-api-provider-openstack-e2e-test

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[Xenwar]

This PR is no longer needed.
Feature is merged by #921

[k8s-ci-robot]

@Xenwar: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.