Ibmcloud: improve security group management #2704
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pacho20
force-pushed
the
ibmcloud-security-groups
branch
2 times, most recently
from
6a9dfa8 to
21bef26
Compare
Member
|
I don't know enough about the IBM Cloud SDK to tell if this is definitely the right approach, but it seems reasonably and isolated to the ibmcloud provider, so if it passes the build and unit tests then it's probably good enough. I think it will need a rebase to re-trigger the CI though. |
Pacho20
force-pushed
the
ibmcloud-security-groups
branch
from
7a24023 to
8be71ed
Compare
Pacho20
force-pushed
the
ibmcloud-security-groups
branch
2 times, most recently
from
cae27ad to
a0c1c13
Compare
Add ClusterV2 service for retrieving security groups. Implements a temporary service using the IBM Cloud Cluster v2 API to fetch a cluster's security group, which can serve as the default. This workaround is needed because current IBM Cloud SDKs lack endpoints for security groups. The plan is to add this functionalityto one of the SDKs in the future and use that instead. Signed-off-by: Patrik Fodor <[email protected]>
Introduce the Cluster v2 interface and retrieve the cluster's security group using it instead of the VPC's. Signed-off-by: Patrik Fodor <[email protected]>
Instead of attaching a single security group to VSIs, allow specifying multiple security groups. Signed-off-by: Patrik Fodor <[email protected]>
Update README and ROKS_SETUP to reflect recent changes in security group configuration. Signed-off-by: Patrik Fodor <[email protected]>
Pacho20
force-pushed
the
ibmcloud-security-groups
branch
from
a0c1c13 to
54e4033
Compare
stevenhorsman
approved these changes
Jan 13, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By default, the ibmcloud provider uses the VPC's default Security Group, which does not allow connections to the cluster by default, but it can expose the VSIs to other services unnecessarily. With this change, CAA will use the cluster's security group as the default and always attach it to the VSIs. This ensures that the VSIs can always access the cluster and CAA.
The PR also introduces the ability to define multiple security groups instead of just one, and all of them will be attached to the VSI during creation. The
IBMCLOUD_VPC_SG_IDvariable is replaced byIBMCLOUD_SECURITY_GROUP_IDS. This field accepts a comma-separated list of security group IDs.Example: