[openstack-dev] [neutron] Cloud Provider Security Groups

Gary Kotton gkotton at vmware.com
Tue Nov 1 12:59:22 UTC 2016


Hi,
This is actually something that we have implemented within the VMware NSX plugins(s). We actually called it provider rules. This was done as an extension to the plugin. We have seen a large number of people ask for this functionality. It basically gives an admin the option of having ‘deny’ rules which override the tenant ones. It is on the port level.
One of the options that we took into account was the FWaaS option. Sadly, for us this was not a model that worked with the platform so we went to use the extension route. As far as I understand that is still in discussion there.
Thanks
Gary


From: Kevin Benton <kevin at benton.pub>
Reply-To: OpenStack List <openstack-dev at lists.openstack.org>
Date: Monday, October 31, 2016 at 11:59 PM
To: OpenStack List <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] Cloud Provider Security Groups

I believe the FWaaS v2 work is attempting to capture this concept of provider-set rules to address this very use-case.

One of the items from the spec[1] sounds closely related:

'Adds an explicit action attribute to rules so that "deny" and "reject" actions can be specified in addition to the existing "allow" action. This is particularly important for tenant or service provider network admins that specify firewall policies meant to apply to all of a tenant's or service provider's instances, regardless of application.'

1. https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openstack_neutron-2Dspecs_blob_master_specs_newton_fwaas-2Dapi-2D2.0.rst&d=CwMFaQ&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=VlZxHpZBmzzkWT5jqz9JYBk8YTeq9N3-diTlNj4GyNc&m=YhLOoKUyhqMU9YigP_T0rft7pH3rgPYfBYjj5wPtnnM&s=0nvFFveAWcm1IMEE2kYE7L4qJt2J9X8uNjy365xegsM&e=>

On Mon, Oct 31, 2016 at 5:28 PM, David G. Bingham <dbingham at godaddy.com<mailto:dbingham at godaddy.com>> wrote:
Yo Neutron devs :-)

I was wondering if something like the following subject has come up:  "Cloud-provider Security Groups”.

*Goal of this email*: Gauge the community’s need and see if this has come up in past.
*Requirement*: Apply a provider-managed global set of network flows to all instances.
*Use Case*: For our private cloud, have need to dynamically allow network traffic flows from other internal network sources across all instances.
*Basic Idea*: Provide an *admin-only* accessible security group ruleset that would persist and apply these "cloud-provider" security group rules to all instances of a cloud. This *may* be in the form of new "provider" API or an extension to existing API only accessible via "admin". When instances are created, this global SG ruleset would be applied to each VM/ironic instance. This feature likely should be capable of being enabled/disabled depending on the provider's need.

*Real example*: Company security team wants to audit consistent security software installations (i.e. HIPS) across our entire fleet of servers for compliance reporting. Each vm/ironic instance is required to have this software installed and up to date. Security audit team actually audits each and every server to ensure it is running, patched and up to date. These auditing tools source from a narrow set of internal IPs/ports and each instance must allow access to these auditing tools.

--- What we do today to hack a "cloud-provider" flow in a private cloud ---
1) We've locked down the default rules (only admins can modify which makes effectively kills a lot of canned neutron tools).
2) We've written an external script that iterates over all projects in our private cloud (~10k projects)
3) For each project:
3a) Fetch default SGs for that project and do a comparison of its default rules against *target* default rules
3b) Create any new missing rules, delete any removed rules
3c) Next project
This process is cumbersome, takes 20+ hours to run (over ~10k projects) and has to be throttled such that it doesn't over-hammer neutron while its still serving production traffic.

--- What we'd like to do in future ---
1) Call Security Group API that would modify a "cloud-provider" ruleset.
2) When updated, agents on HVs detect the "cloud-provider" change and then apply the rules across all instances.
Naturally there are going to be a lot of technical hurdles to make this happen while a cloud is currently in-flight.

Other uses for “Provider SGs":
* We want to enable new shared features (i.e. monitoring aaS) that all our internal projects can take advantage of. When the monitoring team adds/modifies IPs to scale, we'd apply these cloud-provider rules on behalf of all projects in the private cloud without users having concern themselves about the monitoring team's changes.
* We want to allow access to some internal sites to our VPN users on specific ports. These VPN ranges are dynamically changed by the VPN team. Our teams should not need to go into individual projects to add a new rule when VPN team changes ranges.
* This list could go on and on and naturally makes much more sense in a *private cloud* scenario, but there may be cases for public providers.

I’d be happy to create a spec.

Seen this before? Thoughts? Good, Bad or Ugly? :-)

Thanks,
David Bingham (wwriverrat on irc)
GoDaddy

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20161101/b96de3bb/attachment.html>


More information about the OpenStack-dev mailing list