Bug 1651222
Summary: | [RFE] Add support for kuryr network policies | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Luis Tomas Bolivar <ltomasbo> |
Component: | Installer | Assignee: | Luis Tomas Bolivar <ltomasbo> |
Installer sub component: | openshift-ansible | QA Contact: | Jon Uriarte <juriarte> |
Status: | CLOSED CURRENTRELEASE | Docs Contact: | |
Severity: | high | ||
Priority: | high | CC: | erich, gcheresh, gpei, hasha |
Version: | 3.11.0 | Keywords: | FutureFeature |
Target Milestone: | --- | Flags: | gcheresh: needinfo+ |
Target Release: | 3.11.z | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Release Note | |
Doc Text: |
Kubernetes supports a Network Policy object to express ingress and egress rules for pods. Network Policy reacts on labels to qualify multiple pods, and defines rules based on different labeling and/or CIDRs. When combined with a networking plugin, those policy objects are enforced and respected.
Kuryr-Kubernetes relies on Neutron security groups and security group rules to enforce a Network Policy object, more specifically one security group per policy with possibly multiple rules. Each object has a namespace scoped Network Policy CRD that stores all OpenStack related resources on the Kubernetes side, avoiding many calls to Neutron and helping to differentiate between the current Kubernetes status of the Network Policy and the last one Kuryr-Kubernetes enforced.
More information at: https://github.com/openstack/kuryr-kubernetes/blob/master/doc/source/devref/network_policy.rst and https://github.com/openstack/kuryr-kubernetes/blob/master/doc/source/installation/network_policy.rst
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-05-07 14:58:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1504090 | ||
Bug Blocks: |
Description
Luis Tomas Bolivar
2018-11-19 13:21:04 UTC
juriarte, could you help to verify it ASAP? As you know, the bug has been attached in next coming 3.11.z release errata. Thanks

(In reply to shahan from comment #2)
> juriarte, could you help to verify it ASAP? As you know, the bug has been
> attached in next coming 3.11.z release errata. Thanks

This OCP RFE depends on an OSP RFE [1], which is targeted for OSP 15, and we do not have a build with it for the moment. We will verify this one once the RFE in OSP is delivered. Thank you

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1504090

This will not be supported with 3.x but is being investigated for OpenShift 4.x

@Eric: Just to make it clear. The bits to support network policies on the openshift-ansible side are already there. The problem is there is also code that must be modified on kuryr-kubernetes side of things. That code is already there (the other bugzilla this one points) but still needs QE work and be released. So that is why the target for this work is not 3.11 but 4.X

At the moment kuryr images in 3.11 don't support NP features, only images taken from 4.x. So if it's gonna be supported in 3.11 we need to have kuryr images to test it. Till those images are not in the repo the bz should not be on QA