Merge "Default SG rules template - Update related docs and add release note"

2023-08-31 19:05:54 +00:00 · 2023-08-31 19:05:54 +00:00 · 1bb9fe1b21
parent 9dceb760df 5c2f54ca03
commit 1bb9fe1b21
2 changed files with 38 additions and 6 deletions
--- a/doc/source/admin/intro-os-networking.rst
+++ b/doc/source/admin/intro-os-networking.rst
@ -234,12 +234,17 @@ or more security groups in an additive fashion. The firewall driver
 translates security group rules to a configuration for the underlying packet
 filtering technology such as ``iptables``.

-Each project contains a ``default`` security group that allows all egress
-traffic and denies all ingress traffic. You can change the rules in the
-``default`` security group. If you launch an instance without specifying a
-security group, the ``default`` security group automatically applies to it.
-Similarly, if you create a port without specifying a security group, the
-``default`` security group automatically applies to it.
+Each project contains a ``default`` security group that by default allows all
+egress traffic and denies all ingress traffic. You can change the rules in the
+``default`` security group. Admin user can also define own set of security group
+rules which will be added by default to each new ``default`` and each new non
+default (custom) security group created for every project in the cloud. There is
+``security-group-default-rules`` API extension which allows to define such own
+set of the default security group rules.
+If you launch an instance without specifying a security group, the ``default``
+security group automatically applies to it.  Similarly, if you create a port
+without specifying a security group, the ``default`` security group
+automatically applies to it.

 .. note::

@ -278,6 +283,10 @@ anti-spoofing rules that perform the following actions:
  instance and any additional MAC addresses in ``allowed-address-pairs`` on
  the port for the instance.

+Those rules mentioned above are added automatically by neutron and cannot be
+changed using ``default security group rules`` API provided by the
+``security-group-default-rules`` extensions.
+
 Although non-IP traffic, security groups do not implicitly allow all ARP
 traffic. Separate ARP filtering rules prevent instances from using ARP
 to intercept traffic for another instance. You cannot disable or remove
--- a/releasenotes/notes/Default-security-group-rules-added-94a9ac6cdd1c538e.yaml
+++ b/releasenotes/notes/Default-security-group-rules-added-94a9ac6cdd1c538e.yaml
@ -0,0 +1,23 @@
+---
+features:
+  - |
+    New API which allows to define own set of the security group rules used
+    automatically in every new ``default`` and/or custom security group created
+    for projects.
+upgrade:
+  - |
+    During upgrade process set of 4 default security group rules will be created
+    in the Neutron database. Those rules are the same as default rules added to
+    every new security group up to now:
+
+      * rule to allow all egress IPv4 traffic (for all default and custom
+        Security groups),
+      * rule to allow all egress IPv6 traffic (for all default and custom
+        Security groups),
+      * rule to allow all ingress IPv4 traffic from the same security group
+        (for default security group in each project),
+      * rule to allow all ingress IPv6 traffic from the same security group
+        (for default security group in each project).
+
+    Those rules can now be modified by cloud administrator using
+    ``default-security-group-rules`` API.