Nick | Message | Time |
---|---|---|
*** feld8 is now known as feld | 01:52 | |
servagem | Hello | 11:39 |
servagem | I've been reviewing the specification for custom security groups for VIP ports (https://review.opendev.org/c/openstack/octavia/+/915114/1/specs/version14.0/custom-security-groups-for-VIP-ports.rst). | 11:39 |
servagem | I am interested in understanding whether the new custom SG will be available for use in the project (tenant) of the members. Specifically, can the new SG be created and utilized as a remote SG for the LB members?! | 11:40 |
servagem | The goal is to restrict LB members so they only accept traffic from the LB IPs. This is a security measure intended to prevent other VMs from directly accessing the LB backends. AFAIK, currently, I must allow access on the LB backends from the entire subnet CIDR of the VIP. | 11:40 |
gthiemon1e | servagem: Hi, IMHO the custom SG belongs to the user/tenant that created the LB | 12:05 |
gthiemon1e | servagem: it could be used as a remote_group_id of the members only in case of a one-arm LB (only subnets of the same network for the VIP and members) | 12:06 |
gthiemon1e | servagem: we will discuss it tomorrow during the PTG, see line 70-77 https://etherpad.opendev.org/p/apr2024-ptg-octavia | 12:07 |
gthiemon1e | servagem: I wrote "potential followup feature: SGs for member ports (shared readonly to allow their use as remote_group_id in users' SGs)", so anyways, for the backend, I think it will be another RFE | 12:07 |
*** gthiemon1e is now known as gthiemonge | 12:08 | |
servagem | gthiemonge: Understood. In my opinion, this feature significantly enhances security design for applications. It's a common architectural approach in cloud environments | 12:18 |
gthiemonge | servagem: ack, please leave a comment in gerrit | 12:20 |
servagem | I'm not sure I got you. You mean in the spec or etherpad? | 12:25 |
gthiemonge | servagem: the spec | 12:57 |
gthiemonge | servagem: it's always good to get feedback in the reviews | 12:58 |
servagem | gthiemonge: sure. Thank you | 13:11 |
opendevreview | NickKush proposed openstack/octavia-lib master: Add support for 'X-Client-IP', 'X-Forwarded-IP', 'X-Real-IP' headers. https://review.opendev.org/c/openstack/octavia-lib/+/915282 | 15:12 |
opendevreview | NickKush proposed openstack/octavia master: Add support for 'X-Client-IP', 'X-Forwarded-IP', 'X-Real-IP' headers. https://review.opendev.org/c/openstack/octavia/+/915283 | 15:13 |
opendevreview | NickKush proposed openstack/octavia-lib master: Add support for 'X-Client-IP', 'X-Forwarded-IP', 'X-Real-IP' headers. https://review.opendev.org/c/openstack/octavia-lib/+/915282 | 15:22 |
opendevreview | NickKush proposed openstack/octavia master: Add support for 'X-Client-IP', 'X-Forwarded-IP', 'X-Real-IP' headers. https://review.opendev.org/c/openstack/octavia/+/915283 | 15:22 |