CCM should have a "Backend" mode for oci-load-balancer-security-list-management-mode
Is this a BUG REPORT or FEATURE REQUEST?
FEATURE REQUEST
I'd like to have a load balancer with whitelisted ingress IPs. This is not currently possible with CCM without choosing oci-load-balancer-security-list-management-mode = "None", which leaves me to manage the egress rules on the LB security lists. If I choose oci-load-balancer-security-list-management-mode = "All" or "Frontend", CCM adds a 0.0.0.0/0 ingress rule which overrides any IP whitelist I may have set up. Instead, I'd like the ability to pick oci-load-balancer-security-list-management-mode = "Backend", where CCM manages the egress rules, but not the ingress rules.
Versions
CCM Version:
Environment:
- Kubernetes version (use kubectl version):
- OS (e.g. from /etc/os-release):
- Kernel (e.g. uname -a):
- Others:
What happened?
What you expected to happen?
How to reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
Hi @saintarian,
We certainly want to implement a Backend management mode; however, for your specific issue I think setting .spec.loadBalancerSourceRanges to the CIDR range(s) that you wish to allow ingress traffic from should suffice (see: Kubernetes docs).
This is a duplicate of what I was asking for in this issue (https://github.com/oracle/oci-cloud-controller-manager/issues/227); however, I was unaware of .spec.loadBalancerSourceRanges.
I just tested .spec.loadBalancerSourceRanges and it is a solution to my use case. If you would like, I can close issue 227.
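The approach suggested in the maintainer's reply above, shown as an added example that is not part of the original thread or the project's own manifests: a LoadBalancer Service that keeps CCM security list management enabled and restricts ingress through .spec.loadBalancerSourceRanges. The Service name, selector, ports and CIDR ranges are constructed placeholders, and the full annotation key is assumed from the short name used in the issue.

```yaml
# Added example. Name, selector, ports and CIDRs are constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: example-web                  # hypothetical Service name
  annotations:
    # Assumed full key for the mode named in the issue. "All" leaves both
    # ingress and egress security list rules under CCM management.
    service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode: "All"
spec:
  type: LoadBalancer
  selector:
    app: example-web                 # hypothetical pod label
  ports:
    - name: https
      port: 443
      targetPort: 8443
  # Source CIDRs allowed to reach the load balancer. Per the replies above,
  # setting this field is what replaces the 0.0.0.0/0 ingress rule.
  loadBalancerSourceRanges:
    - 203.0.113.0/24                 # constructed example range (documentation block)
    - 198.51.100.17/32               # constructed single-host entry
```

After applying the manifest, inspect the ingress rules on the load balancer subnet's security list and confirm that they carry only these CIDRs and that no 0.0.0.0/0 entry remains for the listener port.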