[openstack-dev] [Magnum][Kuryr][Keystone] Securing services in container orchestration
ton at us.ibm.com
Mon Oct 10 02:57:59 UTC 2016
Hi Keystone team,
We have a scenario that involves securing services for containers, and it
turned out to be rather difficult to solve, so we would like to bring it to
the larger team for
Examples of this scenario:
1. Kubernetes cluster:
To support the load balancer and persistent storage features for
needs to interface with Neutron and Cinder. This requires the user
credential to establish
a session and request OpenStack services. Currently this is done by
having the user manually enter the credential in a Kubernetes config file and
of the Kubernetes services.
2. Swarm cluster:
To support the Swarm networking for containers, the Kuryr libnetwork
agent needs to
interface with the Kuryr driver, so the agent needs a service credential to
a session with the driver running on some controllers.
The problem is in handling and storing these credentials on the user VMs in
For #1, Magnum deploys the Kubernetes cluster but does not handle the
user credential, so the automation is not complete and the user needs to
some manual steps. Even this is not desirable since if the cluster is
a tenant, the user credential can be exposed to other users. Token does
well since token would expire and the service is required for the life of
For #2, storing a Kuryr service credential on the user VM is a security
so we are still looking for a solution.
The Magnum and Kuryr teams have been discussing this topic for some
We would welcome any suggestion.