Default SG rules template - Update related docs and add release note

This patch updates docs related to the Security Groups to add info about possibility to change default set of rules created in every new security group. It also adds release note about this new API in Neutron. Closes-Bug: #1983053 Change-Id: I0f6ecc5cf374a0090930e9786834ed7a1be3dc0b
2023-07-05 12:09:06 +02:00 · 2023-07-05 12:09:06 +02:00 · 5c2f54ca03
parent a4c8392209
commit 5c2f54ca03
2 changed files with 38 additions and 6 deletions
--- a/doc/source/admin/intro-os-networking.rst
+++ b/doc/source/admin/intro-os-networking.rst
@ -234,12 +234,17 @@ or more security groups in an additive fashion. The firewall driver
 translates security group rules to a configuration for the underlying packet
 filtering technology such as ``iptables``.

-Each project contains a ``default`` security group that allows all egress
-traffic and denies all ingress traffic. You can change the rules in the
-``default`` security group. If you launch an instance without specifying a
-security group, the ``default`` security group automatically applies to it.
-Similarly, if you create a port without specifying a security group, the
-``default`` security group automatically applies to it.
+Each project contains a ``default`` security group that by default allows all
+egress traffic and denies all ingress traffic. You can change the rules in the
+``default`` security group. Admin user can also define own set of security group
+rules which will be added by default to each new ``default`` and each new non
+default (custom) security group created for every project in the cloud. There is
+``security-group-default-rules`` API extension which allows to define such own
+set of the default security group rules.
+If you launch an instance without specifying a security group, the ``default``
+security group automatically applies to it.  Similarly, if you create a port
+without specifying a security group, the ``default`` security group
+automatically applies to it.

 .. note::

@ -278,6 +283,10 @@ anti-spoofing rules that perform the following actions:
  instance and any additional MAC addresses in ``allowed-address-pairs`` on
  the port for the instance.

+Those rules mentioned above are added automatically by neutron and cannot be
+changed using ``default security group rules`` API provided by the
+``security-group-default-rules`` extensions.
+
 Although non-IP traffic, security groups do not implicitly allow all ARP
 traffic. Separate ARP filtering rules prevent instances from using ARP
 to intercept traffic for another instance. You cannot disable or remove
--- a/releasenotes/notes/Default-security-group-rules-added-94a9ac6cdd1c538e.yaml
+++ b/releasenotes/notes/Default-security-group-rules-added-94a9ac6cdd1c538e.yaml
@ -0,0 +1,23 @@
+---
+features:
+  - |
+    New API which allows to define own set of the security group rules used
+    automatically in every new ``default`` and/or custom security group created
+    for projects.
+upgrade:
+  - |
+    During upgrade process set of 4 default security group rules will be created
+    in the Neutron database. Those rules are the same as default rules added to
+    every new security group up to now:
+
+      * rule to allow all egress IPv4 traffic (for all default and custom
+        Security groups),
+      * rule to allow all egress IPv6 traffic (for all default and custom
+        Security groups),
+      * rule to allow all ingress IPv4 traffic from the same security group
+        (for default security group in each project),
+      * rule to allow all ingress IPv6 traffic from the same security group
+        (for default security group in each project).
+
+    Those rules can now be modified by cloud administrator using
+    ``default-security-group-rules`` API.