Bug 1567062

Summary: [RFE] Kuryr project namespace isolation
Product: Red Hat OpenStack
Reporter: Luis Tomas Bolivar <ltomasbo>
Component: openstack-kuryr-kubernetes
Assignee: Luis Tomas Bolivar <ltomasbo>
Status: CLOSED ERRATA
QA Contact: Jon Uriarte <juriarte>
Severity: high
Docs Contact:
Priority: high
Version: 14.0 (Rocky)
CC: achernet, asegurap, ltomasbo, racedoro, tsedovic
Target Milestone: Upstream M2
Keywords: FutureFeature, Triaged
Target Release: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-kuryr-kubernetes-0.4.2-0.20180404104924.985c387.el7ost
Doc Type: Release Note
Doc Text:
A new feature adds project namespace isolation between pods/services in different projects. This is achieved by creating a new network/subnet per project/namespace and by limiting access between projects through security groups. A new namespace handler is added to react to project creation/deletion events. In addition, a new kuryr subnet driver is introduced to create the new subnet per project (including the network and its connection to the router) upon namespace creation events. Finally, a new kuryr security group driver is added to handle the isolation between the projects (as well as enabling access from the default project to any other project and vice versa).

To enable this functionality at the controller, the namespace handler and the related drivers need to be enabled:

    [kubernetes]
    enabled_handlers=vif,lb,lbaasspec,namespace
    pod_subnets_driver = namespace
    pod_security_groups_driver = namespace
    service_security_groups_driver = namespace

More information can be found at: https://docs.openstack.org/kuryr-kubernetes/latest/installation/network_namespace.html
Story Points: ---
Clone Of:
: 1629573
Environment:
Last Closed: 2019-01-11 11:49:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1585217, 1614643, 1629573

Description Luis Tomas Bolivar 2018-04-13 11:20:07 UTC
OpenShift is going to move from having a subnet for each node to have a subnet for each namespace. In order to align Kuryr with it, there is a need for a new namespace handler and a new subnet driver that will be in charge of creating/deleting the new networks/subnets for each namespace being created/deleted.

Comment 5 Antoni Segura Puimedon 2018-07-19 13:04:49 UTC
It should cover the default OpenShift namespace isolation:

* All pods of the default namespace/project should be able to reach pods/svcs of any other project.
* All pods of the default namespace/project should be reachable from any other project's pods.
* Pods of a non-default namespace/project can only talk to pods/svcs of the same project (and the above points).

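The three rules above, together with the Doc Text's statement that isolation is enforced "through security groups", can be checked as a small reachability model. This is an added illustration, not code from kuryr-kubernetes: it assumes the namespace security-group driver creates one security group per namespace and expresses the allowed ingress by referencing a peer security group (the Neutron remote-group pattern) rather than by CIDR; the group naming and rule layout are assumptions, and the namespace names are constructed sample data.

```python
"""Model of per-namespace security-group isolation (added example, not kuryr code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_NS = "default"


@dataclass(frozen=True)
class Rule:
    # Only ingress is modelled; Neutron security groups allow all egress by default.
    remote_group: Optional[str]  # None means "any source"


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def sg_name(namespace: str) -> str:
    # Hypothetical naming scheme for the per-namespace security group (assumption).
    return f"ns/{namespace}"


def on_namespace_created(namespace: str, groups: Dict[str, SecurityGroup]) -> SecurityGroup:
    """What a namespace security-group driver would do on a creation event."""
    sg = SecurityGroup(sg_name(namespace))
    if namespace == DEFAULT_NS:
        # Rule 2: default-project pods must be reachable from every other project.
        sg.rules.append(Rule(remote_group=None))
    else:
        # Rule 3: same-project traffic only ...
        sg.rules.append(Rule(remote_group=sg_name(namespace)))
        # ... plus Rule 1: traffic originating in the default project.
        sg.rules.append(Rule(remote_group=sg_name(DEFAULT_NS)))
    groups[sg.name] = sg
    return sg


def on_namespace_deleted(namespace: str, groups: Dict[str, SecurityGroup]) -> None:
    """Deletion event: the project's security group and its rules go away."""
    groups.pop(sg_name(namespace), None)


def can_reach(src_ns: str, dst_ns: str, groups: Dict[str, SecurityGroup]) -> bool:
    """Can a pod bound to src_ns's group open a connection to a pod in dst_ns?"""
    src_sg = sg_name(src_ns)
    dst = groups.get(sg_name(dst_ns))
    if dst is None or src_sg not in groups:
        return False  # no group on one side: no rule can match, so default deny
    return any(r.remote_group is None or r.remote_group == src_sg for r in dst.rules)


def reachability_matrix(namespaces: List[str],
                        groups: Dict[str, SecurityGroup]) -> Dict[Tuple[str, str], bool]:
    """Full source -> destination allow/deny table for the given namespaces."""
    return {(s, d): can_reach(s, d, groups) for s in namespaces for d in namespaces}


def build_demo() -> Dict[str, SecurityGroup]:
    """Constructed sample: the default project plus two tenant projects."""
    groups: Dict[str, SecurityGroup] = {}
    for ns in (DEFAULT_NS, "team-a", "team-b"):
        on_namespace_created(ns, groups)
    return groups


if __name__ == "__main__":
    demo = build_demo()
    table = reachability_matrix([DEFAULT_NS, "team-a", "team-b"], demo)
    for (src, dst), ok in sorted(table.items()):
        print(f"{src:>8} -> {dst:<8} {'allow' if ok else 'deny'}")
```

The model covers pod-to-pod traffic only; the service_security_groups_driver setting from the Doc Text is what extends the same policy to service endpoints. Note also that the "deny" cells only exist because each namespace is bound to its own group: with the stock pod security-group driver all pods share the configured default groups, and nothing in this table would be denied.
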
Comment 7 Luis Tomas Bolivar 2018-08-07 10:12:55 UTC
Adding patch sets covering the isolation

Comment 11 errata-xmlrpc 2019-01-11 11:49:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045