OpenStack networks and security group considerations for Kubernetes

jmarhee profile image Joseph D. Marhee ・3 min read

The OpenStack cloud provider for Kubernetes allows on-prem provisioning of resources like Cinder volumes and LBaaS to provide Kubernetes persistent storage and LoadBalancer services.

If you run Kubernetes on OpenStack-provided cloud services, and have API access in your project, as I do, the following configuration allows you to create a cluster-only network, with an appropriate Security Group.

If you do not currently have the OpenStack CLI tools installed on your machine, you can use the following:

pip install --upgrade --requirement \
http://raw.githubusercontent.com/platform9/support-locker/master/openstack-clients/requirements.txt \
--constraint \

to install them.

I make the following assumption for your network configuration: if you have a physical upstream network-connected IPv4 subnet provided to you by your infrastructure provider (or your infra team if you operate OpenStack yourself), this will be configured as a Floating IP pool, and we'll call that subnet public_subnet in the public network object. I also make the assumption that you are using Neutron networking.

Create a router, which we'll use for, both the above Floating IP pool, and your private network:

neutron router-create router-name

and set it as the default gateway for your public network:

neutron router-gateway-set router-name public

We'll create a private network that we'll use for the Kubernetes nodes, and as the anchor for the floating IP pool we'll create shortly:

neutron net-create kube_private_network && \
neutron subnet-create --name private_subnet kube_private_network && \
neutron router-interface-add router-name private_subnet

so when creating instances attached to that network, they'll get an address from You'll provision the floating IPs from your public network subnet as one-off tasks:

neutron floatingip-create public

and associate them at creation time.

For your Kubernetes cloud.conf, you'll need the Subnet ID of the range of IPs you'd like to use for your LoadBalancer objects when creating resoures in Kubernetes:

~ » openstack subnet list                                                                                         2 ↵
| ID                                   | Name           | Network                              | Subnet           |
| 05a55a42-ff5e-4b53-a6a7-e9f4d1cc5a56 | subnet1        | 0048fce6-c715-4106-a810-473620326cb0 |   |
| ecc841d0-1ac4-419f-9a2e-a9fffbd44922 | private_subnet | a133a2c0-e16a-4a23-ac8e-df1e270169ed | |

so, for example, I want to use my subnet, so I'll make node of that subnet ID for later.

You can, then, proceed to create the security group:

openstack security group create kubernetes

and you'll just need your project ID from your Openstack RC file to proceed to create your rules:

openstack security group rule create \                                                                        
--dst-port 6443 \
--ingress \
--project $PROJECT_ID \
--src-ip \

this, for example, allows all the nodes in the cluster access to the API server port.

Once all of this is complete, usually independent of which Kube deployment method you use, you'll need to populate your cloud.conf, as I noted earlier, for the OpenStack cloud provider in Kubernetes, and with the OpenStack subnet ID noted earlier, you can populate it like so:


before you complete the rest of the setup. For Kubeadm users, the following guide is an excellent resource to setting up the Openstack cloud-provider for Kubernetes:

Kubernetes with OpenStack Cloud Provider

Posted on by:


markdown guide