Non-prefixed security groups `allow-ssh` and `allow-icmp` may cause unwanted behavior when two CAPI clusters (with different names) want to share one OpenStack project
Created by: matofeder
Security groups `allow-ssh` and `allow-icmp` are created by the terraform script here and then referenced in the cluster template here and here.
In a special case when e.g. two management nodes and then two CAPI clusters (with different names) share one OpenStack project, the `allow-ssh` and `allow-icmp` security groups are created twice. These security groups have the same names but different IDs.
As the CAPI provider looks up a security group by its name, not by its ID, the cluster node can end up with the following "doubled" security group associations:
```
| security_groups | name='allow-icmp' |
|                 | name='allow-icmp' |
|                 | name='allow-ssh'  |
|                 | name='allow-ssh'  |
```
This is unwanted behavior that may break e.g. the cleanup process, where terraform tries to remove a security group that is still used by another cluster.
Steps to reproduce this issue:
- Create two management nodes and two k8s clusters with a custom `prefix` and `testcluster_name`. Both bundles have to share one OpenStack project, i.e. `cloud_provider` "test1" and "test2" should point to the same OpenStack project.
test1 env. file:
```shell
cat >terraform/environments/environment-test1.tfvars <<EOF
prefix = "test1"
cloud_provider = "test1"
availability_zone = "nova"
external = "ext01"
kind_flavor = "SCS-2V:4:20"
controller_flavor = "SCS-2V:4:20"
worker_flavor = "SCS-2V:4:20"
testcluster_name = "test1"
EOF
```
test2 env. file:
```shell
cat >terraform/environments/environment-test2.tfvars <<EOF
prefix = "test2"
cloud_provider = "test2"
availability_zone = "nova"
external = "ext01"
kind_flavor = "SCS-2V:4:20"
controller_flavor = "SCS-2V:4:20"
worker_flavor = "SCS-2V:4:20"
testcluster_name = "test2"
EOF
```
`make create` for both environments:
```shell
OS_CLOUD=test1 make create
OS_CLOUD=test2 make create
```
- Check the k8s cluster node security groups:
```shell
$ openstack server show <worker-node-name> -f json | jq '.security_groups'
[
  {
    "name": "allow-icmp"
  },
  {
    "name": "allow-icmp"
  },
  {
    "name": "allow-ssh"
  },
  {
    "name": "allow-ssh"
  },
  {
    "name": "k8s-cluster-default-test1-secgroup-worker"
  }
]
```
Suggested solution: the mentioned security groups could be prefixed with the `prefix` variable.
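As an added illustration (not code from this issue or from the project), the following Python reproduces the by-name lookup problem described above on constructed sample data shaped like `openstack security group list -f json` and the `security_groups` field of `openstack server show -f json`; the IDs and project value are made up. It gives a check worth running before cleanup in a shared project: which security group names resolve to more than one ID, and which names are attached to a node more than once. A strict resolver is included to show that a by-name lookup has no single correct answer once the names collide.

```python
"""
Added example (not from the issue or the project): simulates the by-name
security group lookup the issue describes and shows why duplicate names in
one OpenStack project make it ambiguous. All sample data is constructed to
mirror the `openstack ... -f json` output shape; IDs and project are made up.
"""
import json
from collections import defaultdict

# Constructed sample of `openstack security group list -f json` for a project
# shared by two clusters: each cluster's terraform run created its own
# allow-ssh / allow-icmp, so the names repeat with different IDs.
PROJECT_SECGROUPS_JSON = """
[
  {"ID": "11111111-aaaa-4aaa-8aaa-000000000001", "Name": "allow-icmp", "Project": "p1"},
  {"ID": "11111111-aaaa-4aaa-8aaa-000000000002", "Name": "allow-ssh",  "Project": "p1"},
  {"ID": "22222222-bbbb-4bbb-8bbb-000000000001", "Name": "allow-icmp", "Project": "p1"},
  {"ID": "22222222-bbbb-4bbb-8bbb-000000000002", "Name": "allow-ssh",  "Project": "p1"},
  {"ID": "33333333-cccc-4ccc-8ccc-000000000001",
   "Name": "k8s-cluster-default-test1-secgroup-worker", "Project": "p1"}
]
"""

# Constructed sample of `openstack server show <node> -f json | jq .security_groups`
WORKER_SECGROUPS_JSON = """
[
  {"name": "allow-icmp"}, {"name": "allow-icmp"},
  {"name": "allow-ssh"},  {"name": "allow-ssh"},
  {"name": "k8s-cluster-default-test1-secgroup-worker"}
]
"""


class AmbiguousSecurityGroup(Exception):
    """Raised when a name maps to more than one security group ID."""


def load_sample_project():
    """Parse the constructed project-wide security group listing."""
    return json.loads(PROJECT_SECGROUPS_JSON)


def load_sample_worker():
    """Parse the constructed per-server security group list."""
    return json.loads(WORKER_SECGROUPS_JSON)


def index_by_name(secgroups):
    """Map each security group name to the list of IDs carrying that name."""
    by_name = defaultdict(list)
    for sg in secgroups:
        by_name[sg["Name"]].append(sg["ID"])
    return dict(by_name)


def ambiguous_names(secgroups):
    """Names that resolve to more than one ID: the pre-cleanup check for a shared project."""
    return {name: ids for name, ids in index_by_name(secgroups).items() if len(ids) > 1}


def resolve_by_name(secgroups, name):
    """Strict by-name lookup: exactly one match, or an error.

    A lenient lookup silently picks (or attaches) every match, which is how the
    doubled associations in the report arise; failing loudly exposes the collision.
    """
    ids = index_by_name(secgroups).get(name, [])
    if not ids:
        raise KeyError(name)
    if len(ids) > 1:
        raise AmbiguousSecurityGroup(f"{name!r} matches {len(ids)} groups: {ids}")
    return ids[0]


def doubled_server_groups(server_secgroups):
    """Names attached to a server more than once (the symptom from the report)."""
    counts = defaultdict(int)
    for sg in server_secgroups:
        counts[sg["name"]] += 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    project = load_sample_project()
    print("ambiguous names:", ambiguous_names(project))
    print("doubled on worker:", doubled_server_groups(load_sample_worker()))
    try:
        resolve_by_name(project, "allow-ssh")
    except AmbiguousSecurityGroup as exc:
        print("lookup failed:", exc)
    print("unique:", resolve_by_name(project, "k8s-cluster-default-test1-secgroup-worker"))
```

In practice the two JSON constants would be replaced by the real CLI output (`openstack security group list -f json` and the server's `security_groups` field); an empty result from `ambiguous_names` is the condition under which a by-name reference is safe to act on.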