Bug 1294198 - RFE : Network isolation to the outside world
Summary: RFE : Network isolation to the outside world
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dan Winship
QA Contact: Johnny Liu
Duplicates: 1321949
Depends On:
Reported: 2015-12-25 10:37 UTC by Miheer Salunke
Modified: 2017-03-08 18:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-09-27 09:34:48 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC

Description Miheer Salunke 2015-12-25 10:37:54 UTC
1. Proposed title of this feature request  
Network isolation to the outside world
3. What is the nature and description of the request?  
We are deploying OpenShift 3.x in a multi-tenant way. In 3.0, we did not have any network isolation. In 3.1 you added network isolation, but we were told we cannot influence the outgoing IP. We need to be able to make a reliable distinction between the IPs of the containers of different tenants on the same node.
4. Why does the customer need this? (List the business requirements here)  
The applications hosted in OpenShift need to contact resources still in the existing infrastructure. This happens over HTTP for some (accessing web services, ESB, ...), but binary protocols are also used (remote EJB, database connections, file transfers, etc.). If we are to open up links to the networks of our multiple tenants, we need to guarantee a level of isolation such that a container from one tenant cannot start hacking machines in the traditional infrastructure of another tenant. If the containers are hosted on the same node, we need some way to get a firewall in between.
5. How would the customer like to achieve this? (List the functional requirements here)  
We need a reliable way to limit access at the network level from a set of containers (project scope is fine) to a certain network range outside OpenShift.

Option 1 :
* the container IPs reflect the tenant in a configurable address pool. That way we can directly restrict the network access on our edges.

Option 2:
* you provide a way in OpenShift to link to these external networks via some sort of gateway that we can deploy on specific machines with well-known IPs. That way, OpenShift handles the isolation internally for accessing the gateway, and traditional IP filtering can handle the access to the outside network.

We are investigating Cisco ACI, so any integration with or use of that technology to implement this functionality is a bonus.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
* Create an OpenShift network with 2 projects, each representing a different tenant
* Create a network outside OpenShift
* Configure the access so that the containers from project 1 have access and those from project 2 do not
* Test the networking with various protocols

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
OpenShift Enterprise 3.2
10. List any affected packages or components.  
OpenShift Enterprise 3.2
11. Would the customer be able to assist in testing this functionality if implemented? 
Yes. We can provide workloads where we can validate the behaviour.

Comment 2 Dan McPherson 2016-04-14 14:25:58 UTC
*** Bug 1321949 has been marked as a duplicate of this bug. ***

Comment 4 Dan Winship 2016-04-25 13:18:30 UTC
3.3 will have two features related to this:

  1. You can create "egress routers" which will route connections from pods
     in a given project to a single specific external IP, using a single
     otherwise unused source IP. (This was designed around a use case of
     needing to access a single external server... it is not currently
     possible to use the same source IP to talk to multiple external
     servers, although perhaps that functionality could be added.)
     (This is the trello card Ben linked to above.)

  2. There will be some as-yet-not-fully-defined "outgoing network policy"
     that should let you set up per-project firewall rules, so you'd be
     able to say that by default, projects can't access certain IP ranges,
     but then allow specific projects to. (https://trello.com/c/OueEF7sq)
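As an added illustration (not part of the bug report or its comments), below is what the per-project egress firewall described in item 2 looks like once expressed as an OpenShift EgressNetworkPolicy object; that the feature shipped in this form is assumed from the 3.3 product documentation, not confirmed on this page, and the project names and CIDRs are constructed placeholders.

```yaml
# Project of tenant A: may reach only its own traditional network; every other
# external range is denied. Rules are evaluated top-down and the first matching
# cidrSelector wins, so the catch-all Deny must be the last rule.
kind: EgressNetworkPolicy
apiVersion: v1
metadata:
  name: default
  namespace: tenant-a            # constructed project name; one policy per project
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 10.10.0.0/16 # constructed: tenant A's legacy subnet
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0    # default: block all other external destinations
---
# Project of tenant B: same shape, but only tenant B's range is allowed. A pod in
# tenant-b therefore cannot open connections into 10.10.0.0/16 even when it
# shares a node with tenant-a pods, because the rule is enforced on the node
# before egress NAT rewrites the source address to the node IP (the exact
# problem the reporter describes in item 3).
kind: EgressNetworkPolicy
apiVersion: v1
metadata:
  name: default
  namespace: tenant-b            # constructed project name
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 10.20.0.0/16 # constructed: tenant B's legacy subnet
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

In the 3.3 documentation this object is honoured only when the ovs-multitenant SDN plugin is in use, and a project may carry at most one such policy, so the test plan in item 6 (project 1 reaches the external network, project 2 does not) can be verified by applying a policy of this shape to each project and attempting the connections from a pod in each.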

Comment 6 errata-xmlrpc 2016-09-27 09:34:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

