[openstack-dev] [kuryr][magnum] Notes from Summit fishbowl session

Antoni Segura Puimedon celebdor at gmail.com
Wed Nov 2 19:03:11 UTC 2016

Hi magna and kuryrs!

Thank you all for joining last week's meetings. I am now writing a few
emails to have persistent notes of what was talked about and discussed
in the Kuryr work sessions. In the Magnum joint session the points

    Kuryr - Magnum joint work session


    * Consensus on using Keystone trust tokens.
        - We should follow closely the Keystone effort into scoping the allowed
          actions per token to limit those to the minimal required set of verbs
          that the COE and Kuryr need.

    * It was deemed unnecessary to pursue a proxying approach to access
      Neutron. This means VM applications should be able to reach Neutron and
      Keystone but the only source of credentials they should have is the
      Keystone tokens.

    Tenancy and network topology

    Two approaches should be made available to users:

    Full Neutron networking

    Under this configuration, containers running inside the nova instances
    would get networking via Neutron vlan-aware-VMs feature. This means the COE
    driver (either kuryr-libnetwork or kuryr-kubernetes) would request a
    Neutron subport for the container. In this way, there can be multiple
    isolated networks running on worker nodes.

    The concerns about this solution are about the performance when starting
    big amounts of containers and the latency introduced when starting them due
    to going all the way to Neutron to request the subport.

    Minimal Neutron networking

    In order to address the concerns with the 'Full Neutron networking'
    approach, and as a trade-off between features and minimalism, this way of
    networking the containers would all be in the same Neutron network as the
    ports of their VMs.

    The problem with this solution is that allowing multiple isolated networks
    like CNM and Kubernetes with policy have is quite complicated.


