Bug 1651222 - [RFE] Add support for kuryr network policies
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.11.z
Assignee: Luis Tomas Bolivar
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On: 1504090
Blocks:
Reported: 2018-11-19 13:21 UTC by Luis Tomas Bolivar
Modified: 2020-05-07 14:58 UTC (History)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Kubernetes supports a Network Policy object to express ingress and egress rules for pods. Network Policy reacts on labels to qualify multiple pods, and defines rules based on different labeling and/or CIDRs. When combined with a networking plugin, those policy objects are enforced and respected. Kuryr-Kubernetes relies on Neutron security groups and security group rules to enforce a Network Policy object, more specifically one security group per policy with possibly multiple rules. Each object has a namespace-scoped Network Policy CRD that stores all OpenStack related resources on the Kubernetes side, avoiding many calls to Neutron and helping to differentiate between the current Kubernetes status of the Network Policy and the last one Kuryr-Kubernetes enforced. More information at: https://github.com/openstack/kuryr-kubernetes/blob/master/doc/source/devref/network_policy.rst and https://github.com/openstack/kuryr-kubernetes/blob/master/doc/source/installation/network_policy.rst
Clone Of:
Environment:
Last Closed: 2020-05-07 14:58:30 UTC
Target Upstream Version:
Embargoed:
gcheresh: needinfo+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift openshift-ansible pull 10716 | 0 | None | closed | Add kuryr support for network policies | 2020-05-07 14:57:16 UTC
Github | openshift openshift-ansible pull 11184 | 0 | None | closed | [release-3.11] Add kuryr support for network policies | 2020-05-07 14:57:16 UTC

Description Luis Tomas Bolivar 2018-11-19 13:21:04 UTC
Add support to configure kuryr with the network policy handler
and the related drivers to provide fine grain isolation. It also
enables the support to configure network policy together with the
network per namespace feature -- but without enabling the namespace
isolation as the network policies will be the ones defining the
isolation between pods/projects.

Comment 2 shahan 2019-03-01 06:00:26 UTC
juriarte, could you help to verify it ASAP? As you know, the bug has been attached in next coming 3.11.z release errata. Thanks

Comment 4 Jon Uriarte 2019-03-06 11:39:57 UTC
(In reply to shahan from comment #2)
> juriarte, could you help to verify it ASAP? As you know, the bug has been
> attached in next coming 3.11.z release errata. Thanks

This OCP RFE depends on an OSP RFE [1], which is targeted for OSP 15, and we do not have
a build with it for the moment.
We will verify this one once the RFE in OSP is delivered.

Thank you


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1504090

Comment 5 Eric Rich 2019-03-07 14:43:48 UTC
This will not be supported with 3.x but is being investigated for OpenShift 4.x

Comment 6 Luis Tomas Bolivar 2019-03-07 14:58:09 UTC
@Eric: Just to make it clear. The bits to support network policies on the openshift-ansible side are already there. The problem is there is also code that must be modified on the kuryr-kubernetes side of things. That code is already there (the other bugzilla this one points to) but still needs QE work and to be released. So that is why the target for this work is not 3.11 but 4.X.

Comment 11 GenadiC 2019-06-26 14:12:57 UTC
At the moment kuryr images in 3.11 don't support NP features, only images taken from 4.x.
So if it's gonna be supported in 3.11 we need to have kuryr images to test it.
Till those images are not in the repo the bz should not be on QA.

