Use LB seclist from LB subnet #361

Open
MPV opened this issue Sep 14, 2021 · 4 comments

@MPV

MPV commented Sep 14, 2021

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

CCM Version: (whichever version OKE uses today)

Environment:

  • Kubernetes version (use kubectl version):
    Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.8", 
    GitCommit:"50317190d44dbdb51ae7ff430917b32ba96188b5", GitTreeState:"clean", BuildDate:"2021-06-30T14:20:31Z", GoVersion:"go1.15.13 BoringCrypto", Compiler:"gc", Platform:"linux/amd64"}
    
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Others: N/A

What happened?

  1. Followed this guide:
    https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengnetworkconfigexample.htm#example-privatek8sapi-privateworkers-privatelb
    • Private VCN
    • Separate subnet for private LBs (with its own seclist)
    • Private OKE cluster, configured to use private LB subnet
  2. Create "internal LB" (using annotation)
  3. OCI CCM created seclist rules in the default VCN seclist, instead of the LB subnet seclist.

What you expected to happen?

  1. OCI CCM creating rules in the seclist attached to the LB subnet.

How to reproduce it (as minimally and precisely as possible)?

Steps are in the guide above.

Anything else we need to know?

We'd love not having to manually set OCIDs in our kube services (i.e. which seclist to update, or which subnet to use for LBs).

@mrunalpagnis
Member

@MPV
Author

MPV commented Sep 15, 2021

@mrunalpagnis We've seen that, but (as I mentioned in my last sentence) we'd love not having to provide user/developer-unfriendly OCIDs in each kube LB service.

@MPV
Author

MPV commented Sep 15, 2021

Oh my bad, I thought you were referring to either of these annotations on the kube service:

  • service.beta.kubernetes.io/oci-load-balancer-subnet1
  • service.beta.kubernetes.io/oci-load-balancer-subnet2
  • service.beta.kubernetes.io/oci-network-security-groups

I see now that you mean configurations of the CCM itself.

However, I'm not sure we're able to make such adaptations to the built-in CCM in OKE?
If there is, please let us know.

@mrunalpagnis
Member

@MPV This repo has the CCM that works on self-managed k8s clusters. If you want the above one in OKE, which is the OCI-managed Kubernetes cluster, please raise a request in the OKE queue and we can share more details there.
