Fix POD to POD networking with ML2/OVN

mnasiadka · mnasiadka · commit 76e500666108 · 2022-01-21T09:15:35.000Z
In ML2/OVN POD to POD networking does not work due to different result of using network CIDRs in allowed_address_pairs. The situation is explained in the bug and mailing list thread [1]. [1]: http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019442.html Related-Bug: #https://bugs.launchpad.net/neutron/+bug/1908382 Closes-Bug: #1908382 Change-Id: I659285048c4acb01eaa9d0e5e78e87269ab197b0
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -1127,6 +1127,25 @@ resources:
       port_range_max: 65535
       security_group: {get_resource: secgroup_kube_minion}
       remote_group: {get_resource: secgroup_kube_minion}
+  # allow traffic between PODs for ML2/OVN
+  secgroup_rule_tcp_kube_minion_pods_cidr:
+    condition: create_cluster_resources
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: tcp
+      port_range_min: 1
+      port_range_max: 65535
+      remote_ip_prefix: {get_param: pods_network_cidr}
+      security_group: {get_resource: secgroup_kube_minion}
+  secgroup_rule_udp_kube_minion_pods_cidr:
+    condition: create_cluster_resources
+    type: OS::Neutron::SecurityGroupRule
+    properties:
+      protocol: udp
+      port_range_min: 1
+      port_range_max: 65535
+      remote_ip_prefix: {get_param: pods_network_cidr}
+      security_group: {get_resource: secgroup_kube_minion}
 
   ######################################################################
   #
