1. Proposed title of this feature request
Network isolation to the outside world
3. What is the nature and description of the request?
We are deploying OpenShift 3.x in a multi-tenant way. In 3.0, we did not have any network isolation. In 3.1 you added network isolation, but we were told we cannot influence the outgoing IP. We need to be able to make a reliable distinction between the IPs of the containers of different tenants on the same node.
4. Why does the customer need this? (List the business requirements here)
The applications hosted in OpenShift need to contact resources still in the existing infrastructure. This happens over HTTP for some (accessing web services, ESB, ...), but binary protocols are also used (remote EJB, database connections, file transfers, etc.). If we are to open up links to the networks of our multiple tenants, we need to guarantee a level of isolation such that a container from one tenant cannot start hacking machines in the traditional infrastructure of another tenant. If the containers are hosted on the same node, we need some way to get a firewall in between.
5. How would the customer like to achieve this? (List the functional requirements here)
We need a reliable way to limit access at the networking level from a set of containers (project scope is fine) to a certain network range outside OpenShift.
Option 1:
* the container IPs reflect the tenant in a configurable address pool. That way we can directly restrict the network access on our edges.
* you provide a way in OpenShift to link to these external networks via some sort of gateway that we can deploy on specific machines with well-known IPs. That way, OpenShift handles the isolation internally for accessing the gateway, and traditional IP can handle the access to the outside network.
We are investigating Cisco ACI, so any integration / use of that technology to implement this functionality is a bonus.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
* Create an OpenShift network with 2 projects, each representing a different tenant
* Create a network outside OpenShift
* Configure access so that the containers from project 1 have access and those from project 2 do not
* Test the networking with various protocols
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
OpenShift Enterprise 3.2
10. List any affected packages or components.
OpenShift Enterprise 3.2
11. Would the customer be able to assist in testing this functionality if implemented?
Yes. We can provide workloads where we can validate the behaviour.
*** Bug 1321949 has been marked as a duplicate of this bug. ***
This is related to:
3.3 will have two features related to this:
1. You can create "egress routers" which will route connections from pods
in a given project to a single specific external IP, using a single
otherwise unused source IP. (This was designed around a use case of
needing to access a single external server... it is not currently
possible to use the same source IP to talk to multiple external
servers, although perhaps that functionality could be added.)
(This is the trello card Ben linked to above.)
2. There will be some as-yet-not-fully-defined "outgoing network policy"
that should let you set up per-project firewall rules, so you'd be
able to say that by default, projects can't access certain IP ranges,
but then allow specific projects to. (https://trello.com/c/OueEF7sq)
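As an added illustration of the per-project "outgoing network policy" described in the comment above, and of the two-project test laid out in item 6 of the request (project 1 may reach the external range, project 2 may not), here is what that policy looks like as the EgressNetworkPolicy object that shipped in OpenShift 3.3. This is example configuration written for this page, not code from the bug report, the customer, or the OpenShift project; the project names tenant-1 and tenant-2 and the legacy network range 10.20.0.0/16 are placeholders assumed for the example.

```yaml
# Added example, not from the bug report. Project names and CIDRs are
# assumed placeholders. Each project gets exactly one EgressNetworkPolicy,
# which must be named "default"; rules are evaluated top to bottom and the
# first match wins. Create both with:  oc create -f egress-policies.yaml
---
apiVersion: v1
kind: EgressNetworkPolicy
metadata:
  name: default
  namespace: tenant-1        # project representing tenant 1
spec:
  egress:
  # Tenant 1's own legacy infrastructure (assumed range): allowed.
  - type: Allow
    to:
      cidrSelector: 10.20.0.0/16
  # Everything else outside the cluster network: denied.
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
---
apiVersion: v1
kind: EgressNetworkPolicy
metadata:
  name: default
  namespace: tenant-2        # project representing tenant 2
spec:
  egress:
  # No Allow rule for 10.20.0.0/16, so tenant 2's pods cannot reach
  # tenant 1's legacy network (or any other external destination).
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

Two caveats a practitioner will want: the policy filters only traffic leaving the cluster network (pod-to-pod isolation inside the cluster is still the job of the ovs-multitenant plugin, which the egress policy also requires in 3.3), and it does not change the source IP that the external network sees for a tenant's pods. Presenting a tenant with a fixed, recognisable source IP at the edge is the egress router feature from item 1 of the comment, not this policy.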
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.