Lots of them are bogus, since most do not need to be accessed from outside the project at all.
Yes, but is the intra-project "accept all" policy a dependable promise or a bug in OpenStack that might disappear in the future? In general, it would certainly be preferable to just use ferm in Labs as well (use as in: "default deny all").
We can't use ferm for per project rules because our network topology isn't really segregated by project and IP assignment is random...
That's right, but it only means that someone must manually enter the 10 IPs a project typically has at best :-).
Tricky to figure out which ones are in use or not due to T222414: Nova policy does not permit novaobserver to view an instance's security groups
```python
#!/usr/bin/python
import mwopenstackclients

clients = mwopenstackclients.clients()
nova = clients.novaclient()
# Every instance in the 'tools' project, across all regions.
instances = clients.allinstances(projectid='tools', allregions=True)

# Map each security group name to the instances that use it.
allgroups = {}
for instance in instances:
    for group in instance.security_groups:
        if group['name'] not in allgroups:
            allgroups[group['name']] = []
        allgroups[group['name']].append(instance.name)

# Print how many instances are attached to each group.
for group in sorted(allgroups.keys()):
    print("%s: %s" % (group, len(allgroups[group])))
```
```
MTA: 1
bastion: 2
checker: 1
default: 171
docker-registry: 2
elasticsearch: 3
etcd: 6
execnode: 71
gridmaster: 2
k8s-master: 1
k8s-worker: 39
letsencrypt: 1
paws: 12
paws-master: 1
prometheus: 2
puppetmaster: 1
redis: 2
tools-new-k8s-full-connectivity: 8
webproxy: 4
webserver: 33
```
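The per-group counts above only show groups that are attached to something; the cleanup later recorded in the SAL entry needs the opposite view, groups that are defined in the project but attached to no instance. The following is an added example, not the task's own script: it takes the same `security_groups` shape novaclient returns, but uses constructed sample instances instead of a live API call, and `Instance`, `count_group_usage` and `find_unused_groups` are names chosen here.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Instance:
    """Stand-in for a novaclient Server with only the two fields the check needs."""
    name: str
    security_groups: list = field(default_factory=list)


def count_group_usage(instances):
    """Map each security group name to the number of instances attached to it."""
    usage = Counter()
    for instance in instances:
        for group in instance.security_groups:
            usage[group["name"]] += 1
    return dict(usage)


def find_unused_groups(instances, defined_groups):
    """Return the defined groups that no instance references, sorted for stable output."""
    in_use = set(count_group_usage(instances))
    return sorted(set(defined_groups) - in_use)


# Constructed sample data modelled on the novaclient shape (security_groups is a
# list of {'name': ...} dicts); instance names are made up for the example.
SAMPLE_INSTANCES = [
    Instance("tools-bastion-01", [{"name": "default"}, {"name": "bastion"}]),
    Instance("tools-exec-01", [{"name": "default"}, {"name": "execnode"}]),
    Instance("tools-exec-02", [{"name": "default"}, {"name": "execnode"}]),
    Instance("tools-k8s-worker-01", [{"name": "default"}, {"name": "k8s-worker"}]),
]
# Groups defined in the project, including some that nothing uses.
SAMPLE_DEFINED_GROUPS = [
    "default", "bastion", "execnode", "k8s-worker", "catgraph", "devpi", "mysql",
]

if __name__ == "__main__":
    for group, n in sorted(count_group_usage(SAMPLE_INSTANCES).items()):
        print("%s: %s" % (group, n))
    print("unused: " + ", ".join(find_unused_groups(SAMPLE_INSTANCES, SAMPLE_DEFINED_GROUPS)))
```

Against a real project, `defined_groups` would come from the Nova security group listing and `instances` from `allinstances()`; the set difference is what identifies deletion candidates.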
Mentioned in SAL (#wikimedia-cloud) [2019-12-09T11:06:34Z] <andrewbogott> deleting unused security groups: catgraph, devpi, MTA, mysql, syslog, test T91619