Bug 1567062 - [RFE] Kuryr project namespace isolation
Summary: [RFE] Kuryr project namespace isolation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-kuryr-kubernetes
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Upstream M2
: 14.0 (Rocky)
Assignee: Luis Tomas Bolivar
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On:
Blocks: 1585217 1614643 1629573
Reported: 2018-04-13 11:20 UTC by Luis Tomas Bolivar
Modified: 2019-01-11 11:49 UTC (History)

Fixed In Version: openstack-kuryr-kubernetes-0.4.2-0.20180404104924.985c387.el7ost
Doc Type: Release Note
Doc Text:
A new feature is included to add project namespace isolation between pods/svcs in different projects. This is achieved by creating a new network/subnet per project/namespace as well as limiting access between projects through security groups. A new namespace handler is added to react to project creation/deletion events. In addition, a new kuryr subnet driver is introduced to create the new subnet per project (including the network and its connection to the router) upon namespace creation events. Finally, a new kuryr security group driver is added to handle the isolation between the projects (as well as enabling access from the default project to any other project and vice-versa). To enable this functionality at the controller, the namespace handler and the related drivers need to be enabled:

[kubernetes]
enabled_handlers=vif,lb,lbaasspec,namespace
pod_subnets_driver = namespace
pod_security_groups_driver = namespace
service_security_groups_driver = namespace

More information can be found on: https://docs.openstack.org/kuryr-kubernetes/latest/installation/network_namespace.html
Clone Of:
: 1629573
Environment:
Last Closed: 2019-01-11 11:49:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 562159 0 None MERGED Add namespace handler 2020-12-22 14:13:15 UTC
OpenStack gerrit 562247 0 None MERGED Add namespace subnet driver for namespace creation 2020-12-22 14:13:15 UTC
OpenStack gerrit 562249 0 None MERGED Namespace deletion functionality for namespace_subnet driver 2020-12-22 14:13:15 UTC
OpenStack gerrit 564148 0 None MERGED Add ports pool clean up support to namespace deletion 2020-12-22 14:13:47 UTC
OpenStack gerrit 567179 0 None MERGED Add tempest coverage for namespace creation 2020-12-22 14:13:47 UTC
OpenStack gerrit 571752 0 None MERGED Ensure namespace creation event is detected 2020-12-22 14:13:13 UTC
OpenStack gerrit 572344 0 None MERGED Retry namespace deletion to mitigate cascading race 2020-12-22 14:13:16 UTC
OpenStack gerrit 579181 0 None MERGED Ensure isolation between namespaces 2020-12-22 14:13:14 UTC
OpenStack gerrit 580678 0 None MERGED Namespace isolation tempest coverage 2020-12-22 14:13:16 UTC
OpenStack gerrit 581421 0 None MERGED Add namespace isolation for services 2020-12-22 14:13:16 UTC
OpenStack gerrit 587778 0 None MERGED Namespace svc isolation tempest coverage 2020-12-22 14:13:17 UTC
OpenStack gerrit 588463 0 None MERGED Fix delete namespace resources function 2020-12-22 14:13:17 UTC
OpenStack gerrit 588487 0 None MERGED Set namespace security group driver for namespace gate 2020-12-22 14:13:18 UTC
OpenStack gerrit 589413 0 None MERGED Fix wrong reference in kuryr_k8s_opts 2020-12-22 14:13:49 UTC
OpenStack gerrit 590739 0 None MERGED Ensure delete_network_pools include all the ports 2020-12-22 14:13:50 UTC
OpenStack gerrit 593619 0 None MERGED Avoid release_vif race when using namespaces and pools 2020-12-22 14:13:18 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:49:53 UTC

Description Luis Tomas Bolivar 2018-04-13 11:20:07 UTC
OpenShift is going to move from having a subnet for each node to have a subnet for each namespace. In order to align Kuryr with it, there is a need for a new namespace handler and a new subnet driver that will be in charge of creating/deleting the new networks/subnets for each namespace being created/deleted.

Comment 5 Antoni Segura Puimedon 2018-07-19 13:04:49 UTC
It should cover the default openshift namespace isolation:

* All pods of the default namespace/project should be able to reach pods/svcs of another project.
* All pods of the default namespace/project should be reachable from any other project pods.
* Pods of non-default namespace/project can only talk to pods/svcs of the same project (and the above points).
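
As an added illustration (not code from this bug or from the kuryr-kubernetes project), the following Python model encodes the three isolation rules above and evaluates them over a constructed set of namespaces, so the full reachability matrix the security-group driver has to enforce can be inspected; the function names, the namespace names and the per-namespace allow-list representation are assumptions of this example, not Kuryr's own data structures.

```python
"""Model of the default OpenShift namespace isolation policy described in
Comment 5 (constructed example, not Kuryr code)."""
from itertools import product

DEFAULT_NS = "default"  # the privileged namespace/project in the policy


def flow_allowed(src_ns: str, dst_ns: str) -> bool:
    """Return True if pods in src_ns may reach pods/services in dst_ns.

    Rules modelled:
      1. default -> any project: allowed
      2. any project -> default: allowed
      3. non-default -> non-default: allowed only within the same project
    """
    if src_ns == dst_ns:
        return True  # same project: always reachable
    if src_ns == DEFAULT_NS or dst_ns == DEFAULT_NS:
        return True  # rules 1 and 2
    return False  # two distinct non-default projects are isolated


def reachability_matrix(namespaces):
    """Map every (src, dst) namespace pair to its allow/deny verdict."""
    return {(s, d): flow_allowed(s, d) for s, d in product(namespaces, namespaces)}


def denied_pairs(namespaces):
    """Sorted list of (src, dst) pairs the policy blocks; useful as a
    quick check that isolation actually separates the tenants."""
    return sorted(pair for pair, ok in reachability_matrix(namespaces).items() if not ok)


def ingress_allow_list(namespaces):
    """Per-namespace set of source namespaces whose traffic must be admitted.

    This is the security-group-style view of the same policy: each
    namespace admits itself and the default namespace, while the default
    namespace admits everyone (assumed representation, not Kuryr's rules).
    """
    return {
        ns: {src for src in namespaces if flow_allowed(src, ns)}
        for ns in namespaces
    }


if __name__ == "__main__":
    # Constructed sample: the default project plus two tenant projects.
    sample = [DEFAULT_NS, "team-a", "team-b"]
    for (src, dst), ok in reachability_matrix(sample).items():
        print(f"{src:>8} -> {dst:<8} {'ALLOW' if ok else 'DENY'}")
    print("denied:", denied_pairs(sample))
```

Running the block prints the nine directed pairs for the sample; only `team-a -> team-b` and `team-b -> team-a` are denied, which is exactly the isolation the bug asks the namespace security group driver to provide.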

Comment 7 Luis Tomas Bolivar 2018-08-07 10:12:55 UTC
Adding patch sets covering the isolation

Comment 11 errata-xmlrpc 2019-01-11 11:49:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045

