[openstack-dev] [kuryr][magnum] Notes from Summit fishbowl session
Antoni Segura Puimedon
celebdor at gmail.com
Wed Nov 2 19:03:11 UTC 2016
Hi magna and kuryrs!
Thank you all for joining last week meetings. I am now writing a few
emails to have persistent notes of what was talked about and discussed
in the Kuryr work sessions. In the Magnum joint session the points
Kuryr - Magnum joint work session
* Consensus on using Keystone trust tokens.
- We should follow closely the Keystone effort into scoping the allowed
actions per token to limit those to the minimal required set of verbs
that the COE and Kuryr need.
* It was deemed unnecessary to pursue a proxying approach to access
Neutron. This means VM applications should be able to reach Neutron and
Keystone but the only source of credentials they should have is the
Tenancy and network topology
Two approaches should be made available to users:
Full Neutron networking
Under this configuration, containers running inside the nova instances
would get networking via Neutron vlan-aware-VMs feature. This means the COE
driver (either kuryr-libnetwork or kuryr-kubernetes) would request a
Neutron subport for the container. In this way, there can be multiple
isolated networks running on worker nodes.
The concerns about this solution are about the performance when starting
big amounts of containers and the latency introduced when starting them due
to going all the way to Neutron to request the subport.
Minimal Neutron networking
In order to address the concerns with the 'Full Neutron networking'
approach, and as a trade-off between features and minimalism, this way of
networking the containers would all be in the same Neutron network as the
ports of their VMs.
The problem with this solution is that allowing multiple isolated networks
like CNM and Kubernetes with policy have is quite complicated.
More information about the OpenStack-dev