[openstack-dev] [kuryr] Namespace isolation options

Luis Tomas Bolivar ltomasbo at redhat.com
Thu Jul 12 09:31:45 UTC 2018


Hi folks,

I'm working on the kuryr-kubernetes namespace feature to enable
isolation between the different namespaces, i.e., pods on namespace A
cannot 'talk' to pods or services on namespace B.

For the pods isolation, there is already a patch working:
https://review.openstack.org/#/c/579181

However, for the services it is a bit more complex. There is some initial
work on:
https://review.openstack.org/#/c/581421

The above patch ensures isolation between services by modifying the
security group associated to the loadbalancer VM to only allow traffic
from ports with a given security group, in our case the one associated
to the namespace.

However, it is missing how to handle special cases, such as routes and
services of LoadBalancer type. For the LoadBalancer type we have two options:
1) When the service is of LoadBalancer type, do not modify the security
group associated to it, as it is meant to be accessible from outside.
This is basically the out-of-the-box behaviour of octavia. Pros: it is
simple to implement and does not require any extra information. Cons:
the svc can be accessed not only on the FIP, but also on the VIP.

2) Add a new security group rule also enabling the traffic from the
public-subnet CIDR. Pros: It will not enable access from the VIP, only
from the FIP. Cons: it either needs admin rights to get the
public-subnet CIDR or a new config option where we specify it.

Any preferences? I already tested option 1) and will update the patch
set with it shortly, but if option 2) is preferred, I will of course
update the PS accordingly.

Thanks!

Best regards,
Luis
-- 
LUIS TOMÁS BOLÍVAR
SENIOR SOFTWARE ENGINEER
Red Hat
Madrid, Spain
ltomasbo at redhat.com
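The two LoadBalancer options above, as an added example that is not code from kuryr-kubernetes or from the patches linked in the mail: it models the Neutron security-group rules each option would attach to the Octavia load balancer VM, and a small evaluator shows which sources each option lets through (the security group ids, pod addresses and public-subnet CIDR are constructed for the example).

```python
"""Model of the LB security-group rules under option 1 and option 2.
Added example; the names and sample values are assumptions, not kuryr's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class SGRule:
    """Subset of a Neutron ingress rule: match on remote SG or remote CIDR."""
    port: int
    protocol: str = "tcp"
    remote_group_id: Optional[str] = None   # allow members of this SG
    remote_ip_prefix: Optional[str] = None  # allow sources in this CIDR


def lb_rules(svc_type: str, ns_sg_id: str, port: int, option: int = 1,
             public_cidr: Optional[str] = None) -> Optional[List[SGRule]]:
    """Rules for the LB security group. None means 'leave octavia's default
    (open) SG untouched', which is what option 1 does for LoadBalancer."""
    ns_rule = SGRule(port=port, remote_group_id=ns_sg_id)
    if svc_type != "LoadBalancer":
        return [ns_rule]                     # ClusterIP: namespace SG only
    if option == 1:
        return None                          # option 1: do not restrict
    if option == 2:
        if public_cidr is None:
            # the con of option 2: the CIDR needs admin rights or a config option
            raise ValueError("public-subnet CIDR required for option 2")
        return [ns_rule,
                SGRule(port=port, remote_ip_prefix=str(ip_network(public_cidr)))]
    raise ValueError(f"unknown option {option}")


def allowed(rules: Optional[List[SGRule]], port: int,
            src_sg_ids: List[str], src_ip: str) -> bool:
    """Would traffic from a source that is a member of src_sg_ids and is seen
    with address src_ip reach the listener port under these rules? External
    clients arriving through the FIP are seen with a public-subnet address."""
    if rules is None:
        return True                          # open SG: reachable on VIP and FIP
    for r in rules:
        if r.port != port:
            continue
        if r.remote_group_id and r.remote_group_id in src_sg_ids:
            return True
        if r.remote_ip_prefix and ip_address(src_ip) in ip_network(r.remote_ip_prefix):
            return True
    return False
```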
