IPs in k8s api / ssh is not cleaned if removed from config #7125

Closed
zetaab opened this issue Jun 10, 2019 · 2 comments · Fixed by #7561
Labels
area/provider/openstack Issues or PRs related to openstack provider


zetaab commented Jun 10, 2019

1. What kops version are you running? The command kops version, will display
this information.
master

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.

kops master, kubectl 1.14.1

3. What cloud provider are you using?

openstack

4. What commands did you run? What is the simplest way to reproduce this issue?

I had the following (just for test) in the kops config:

  kubernetesApiAccess:
  - 0.0.0.0/0
  - 8.8.8.8/32
  sshAccess:
  - 0.0.0.0/0
  - 8.8.8.8/32

I modified it to:

  kubernetesApiAccess:
  - 0.0.0.0/0
  sshAccess:
  - 0.0.0.0/0

and executed kops update cluster (does not print any changes, and when running with --yes it does not update anything)

5. What happened after the commands executed?

Nothing, it did not remove anything

6. What did you expect to happen?

I expect that rules that are removed from the config are removed from openstack as well.

/sig openstack

k8s-ci-robot added the area/provider/openstack label Jun 10, 2019

zetaab commented Jun 10, 2019

@drekle do you have an idea how we could do this? I tried to find something in the AWS part but could not find how this is handled in AWS. However, at least for the AWS k8s api (elb) this works - it will remove the rule if it is no longer in the config.


drekle commented Jun 25, 2019

@zetaab We will have to think of an update to the find function in upup/pkg/fi/cloudup/openstacktasks/securitygrouprule.go. It doesn't seem to be finding the old SGR so it will simply create a new one.

I would have liked to see the securityGroupRule createOpts struct in gophercloud support a name member which appears to exist in openstack. It does have a description member. We might be able to find old rules by such a name, such as NodePortAccess, and update rules that way.
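The reconciliation this issue asks for, as an added example that is not part of the thread and is not kops or gophercloud code: it diffs the CIDRs in the config against the rules present in the cloud and reports stale rules for deletion. The `Rule` type, the `managedTag` description marker and `Reconcile` are hypothetical names, and marking tool-owned rules through the description field is an assumption.

```go
package main

import "fmt"

// Rule is a simplified stand-in for a security group rule (hypothetical type,
// not gophercloud's struct).
type Rule struct {
	ID, CIDR, Description string
	Port                  int
}

// managedTag is a hypothetical marker written into Description for tool-owned rules.
const managedTag = "managed-by-example"

func key(port int, cidr string) string { return fmt.Sprintf("%d|%s", port, cidr) }

// Reconcile compares the CIDRs wanted for one port with the rules that exist
// in the cloud. It returns the rules to create and the stale rules to delete.
// Rules without the ownership marker are left alone so hand-made rules survive.
func Reconcile(port int, wantCIDRs []string, existing []Rule) (create, remove []Rule) {
	want := map[string]bool{}
	for _, c := range wantCIDRs {
		want[key(port, c)] = true
	}
	have := map[string]bool{}
	for _, r := range existing {
		if r.Port != port {
			continue
		}
		have[key(r.Port, r.CIDR)] = true
		if !want[key(r.Port, r.CIDR)] && r.Description == managedTag {
			remove = append(remove, r) // in the cloud, no longer in the config
		}
	}
	for _, c := range wantCIDRs {
		if !have[key(port, c)] {
			create = append(create, Rule{Port: port, CIDR: c, Description: managedTag})
		}
	}
	return create, remove
}

func main() {
	// Constructed state mirroring the issue: 8.8.8.8/32 was dropped from sshAccess.
	existing := []Rule{
		{ID: "r1", Port: 22, CIDR: "0.0.0.0/0", Description: managedTag},
		{ID: "r2", Port: 22, CIDR: "8.8.8.8/32", Description: managedTag},
	}
	create, remove := Reconcile(22, []string{"0.0.0.0/0"}, existing)
	fmt.Println("create:", create, "remove:", remove)
}
```

A non-empty `remove` list on an otherwise unchanged cluster is the drift described in this issue: an allow rule that still exists in the security group after it was removed from the config.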
