As per the current release tested runtime, we test
python version from 3.8 to 3.11 so updating the
same in python classifier in setup.cfg
Change-Id: I98bddf58600c7e616fcf89a16064277695f10a65
This got decided at the PTG. The code is old, not maintained, not tested
and most likely doesn't work anymore. Moreover it gave us a hard
dependency on grpcio and protobuf, which is fairly problematic in Python
and gave us all sorts of headaches.
Change-Id: I0c8c91cdd3e1284e7a3c1e9fe04b4c0fbbde7e45
The implementation has some differences from the description of the
blueprint. For more strict isolation, we only get project id from
namespace annotation or configure option. The other resources'
project id is inherited from its project or taken from the configure option.
Implements: blueprint specify-project-by-annotation
Change-Id: Ia82cce6b211226599b4e1ca0d10416ed5e519ea2
It would be beneficial for the project to have its own sanity check
command, where we can verify the configuration used for kuryr is
supported.
Change-Id: I1a11694e938e00be653697e8fd96e071faacc96a
Setuptools v54.1.0 introduces a warning that the use of dash-separated
options in 'setup.cfg' will not be supported in a future version [1].
Get ahead of the issue by replacing the dashes with underscores. Without
this, we see 'UserWarning' messages like the following on new enough
versions of setuptools:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb
Change-Id: I40c3d36df3f7b2db683d226f5fb9edf08d2c27c8
In order to support OpenShift's ability to run its nodes in various
OpenStack subnets in a dynamic way, this commit introduces the
OpenShiftNodesSubnets and MachineHandler. The idea is that
MachineHandler is responsible for watching the OpenShift Machine objects
and calling the driver. The driver will then save and serve a list of
current worker nodes subnets.
Change-Id: Iae3a5d011abaeab4aa97d6aa7153227c6f85b93c
In order to have more control over the nodes subnets we expect instead
of relying on static configuration option it's better to have
flexibility. This commit introduces NodesSubnetsDriver model that will
allow writing more complicated drivers providing the
worker_nodes_subnets setting.
A use case in mind is to use OpenShift Machine Custom Resources in order
to discover subnets the nodes are using.
Change-Id: I0eb5d9ad50895151967c23d3ad6d1237cc4d9667
This commit is a huge refactoring of how we handle network policies. In
general:
* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
This means that in order to trigger SG rules recalculation on Pod and
Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
KuryrNetworkPolicy objects, so that objects cannot get removed before
KuryrNetworkPolicyHandler won't process deletion correctly.
Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
This commit adds support for creation of loadbalancer, listeners,
members, pools with using the CRD, it is also filling the status
field in the CRD.
Depends-On: https://review.opendev.org/#/c/743214/
Change-Id: I42f90c836397b0d71969642d6ba31bfb49786a43
Till now, we were using pod annotations to store information regarding
state of the associated VIFs to pod. This alone has its own issues and
it's prone to inconsistency in case of controller failures.
In this patch we propose a new CRD called KuryrPort for storing the
information about VIFs.
Depends-On: If639b63dcf660ed709623c8d5f788026619c895c
Change-Id: I1e76ea949120f819dcab6d07714522a576e426f2
This patch contains a binding driver, which intends to copy the vhostuser port
to the container's directory. Here the container's directory is the mounted
directory. Also this patch contains code to create a proper VIF in case
when neutron ovs agent is configured to work with vhostuser ports.
There is no code here for port creation, since it is performed in
base.connect by os_vif.plug. This function creates/or recreates OVS
bridge with netdev type, then it creates port in this bridge. It uses
vif.network.bridge as the name for integration bridge, IOW it doesn't
use ovs_bridge from kuryr.conf, vif.network.bridge is configured by
neutron ovs agent.
VhostUser mode is defined by neutron ovs agent, which obtains it from
Open vSwitch configuration.
Command to check Open vSwitch configuration:
    ovs-vsctl list Open_vSwitch | grep iface_types
If neutron ovs agent finds dpdkvhostuserclient there, it sets
vhostuser_mode to VIFVHostUserMode.SERVER, it means DPDK application in
container will be a server, and OVS will be a client, so DPDK
application will create/bind/listen vhostuser socket by predefined path.
This path is set in kuryr.conf/vhostuser/mount_point.
When dpdkvhostuserclient is not in OVS's capability list, e.g. it's old
OVS or it was built w/o dpdkvhostuserclient support, the mode will be
VIFVHostUserMode.CLIENT. In this case OVS will create/bind/listen
socket, so socket file will exist, and it should be copied to container's
mount volume. At the moment of copying OVS server already has to listen
it, otherwise approach is not working.
Partially Implements: blueprint support-vhost-user-port-type-on-bm-installation
Change-Id: Ib9c22368e518815064282f4c3b9f9ddaf58dc622
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Andrey Zaikin <a.zaikin@partner.samsung.com>
Signed-off-by: Vladimir Kuramshin <v.kuramshin@samsung.com>
This patch moves the namespace handling to be more aligned
with the k8s style.
Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250
Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
Add DPDK support for nested K8s pods. Patch includes a new VIF driver on
the controller and a new CNI binding driver.
This patch introduces a dependency on os-vif v.1.12.0, since there is
a new vif type.
Change-Id: I6be9110192f524325e24fb97d905faff86d0cfef
Implements: blueprint nested-dpdk-support
Co-Authored-By: Kural Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Co-Authored-By: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Danil Golov <d.golov@samsung.com>
NetworkPolicy can replicate what namespace isolation does (and much
more), so we are removing the code that is not needed
Change-Id: Ib79c21cb92c522744658a204001383b6c0e98846
Ussuri release is the one in which we drop Python 2 support, as its EOL
is pretty close now. This commit does so in kuryr-kubernetes by
removing Python 2 unit test jobs, switching all tempest jobs to Python
3, removing specific jobs for Python 3 and updating Dockerfiles to
centos:8 that includes Python 3 from the box.
Also CentOS 7 job is removed from check queue as it seems it doesn't
play well with Python 3. A CentOS 8 job will get created soon.
Change-Id: Id9983d2fd83cef89e3198b2760816cf4a851008b
When namespace subnet driver is used, a new subnet is created for
each new namespace. As pools are created per subnet, this patch
ensures that new ports are created for each pool for the new subnet
in the nested case.
Note this feature depends on using resource tagging to filter out
trunk ports in case of multiple clusters deployed on the same openstack
project or when other trunks are present. Otherwise it will consider
all the existing trunks no matter if they belong or not to the
kubernetes cluster.
NOTE: this is only for nested case, where pooling shows the greatest
improvements as ports are already ACTIVE.
Change-Id: Id014cf49da8d4cbe0c1795e47765fcf2f0684c09
As kuryrnetpolicy CRD objects are namespaced, when a namespace is
deleted, the object is deleted by kubernetes as part of the namespace
deletion process. This was making network policy driver failing on
releasing the network policy as it could not find the object. This
patch ensures kuryr-controller doesn't fail in case kubernetes has
already deleted the kuryrnetpolicy object by skipping the exception
when trying to delete an already deleted object.
Closes-Bug: 1816020
Change-Id: I0443b65e5d6897c5d6673c222fc50101c244cd1e
This patch adds a new handler in charge of reacting to pod relabeling
actions. Its main purpose is to use it together with the network policy
handler and drivers to ensure the right policy is applied upon pod
label changes.
Partially Implements: blueprint k8s-network-policies
Change-Id: If026cefce847f77c54af09a0160eb35343f89f37
This commit creates a new security group driver for handling network
policies sg and sg rules.
Partially Implements: blueprint k8s-network-policies
Change-Id: Ie4dfac39704f4bbfb31eb329cd43ab8a06addf0d
As there's another kuryr-status binary in kuryr repo this creates issues
when creating packages out of the repo and could get confusing, therefore
I'm renaming this one.
Change-Id: I4b958d53c6530dd5099b3ac1dbcde4648055ff38
This commit adds kuryr-status utility that can be used to check if
upgrade is possible, convert annotations to new format and rollback
those changes if needed.
Implements: blueprint upgrade-checkers
Change-Id: I7a40a68518d7fbba18146b64befb6f585176ec8d
This commit includes a binding driver for SR-IOV interfaces. The driver
scans VFs of a PF for each SR-IOV interface requested and assigns them
to the Pod.
This commit adds new config parameter `physical_device_mappings`.
It is similar to neutron-sriov-nic-agent and helps manage PFs and physnets.
Implements: blueprint kuryr-kubernetes-sriov-support
Change-Id: Icda852cef35efdb75daeae78f7a093fe516f4c02
Signed-off-by: Danil Golov <d.golov@partner.samsung.com>
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
Signed-off-by: Vladimir Kuramshin <v.kuramshin@samsung.com>
This commit adds SR-IOV driver and new type of VIF to handle SR-IOV requests.
This driver can work as a primary driver and only one driver, but only when kubernetes
will fully support CNI specification.
Now this driver can work in couple with multi vif driver, e.g. NPWGMultiVIFDriver.
(see doc/source/installation/multi_vif_with_npwg_spec.rst)
Also this driver relies on kubernetes SRIOV device plugin.
This commit also adds 'default_physnet_subnets' setting, that should
include a mapping of physnets to neutron subnet IDs, it's necessary to
specify VIF's physnet (subnet id comes from annotation).
To get details how to create pods with sriov interfaces see
doc/source/installation/sriov.rst
Target bp: kuryr-kubernetes-sriov-support
Change-Id: I45c5f1a7fb423ee68731d0ae85f7171e33d0aeeb
Signed-off-by: Danil Golov <d.golov@partner.samsung.com>
Signed-off-by: Vladimir Kuramshin <v.kuramshin@samsung.com>
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
This patch creates a npwg multi-vif driver which can parse the
Pod annotations and CRD defined in Network Plumbing Working
Group CRD SPEC.
Implements: blueprint kuryr-npwg-spec-support
Change-Id: I9ee9643b468a5fe453541b9cf1acf31ca872a313
This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.
The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods
Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7
This patch ensures that a different security group is attached to
each newly created namespace. Thus providing extra isolation
between the pods allocated on the different namespaces.
Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7
This patch implements the multi-vif of VIF-Handler And Vif
Drivers Design.
This patch creates a new driver type MultiVIFDriver. It will
be the base class of real drivers like sriov,
additional_subnet and npwg_multiple_interfaces. Each of the
derived drivers should implement the parsing of the additional
interfaces definition in K8S pods, and call VIF driver to
either create or acquire the Neutron port and its VIF object.
A list of enabled drivers can be returned by its class method.
So that the VIFHandler can invoke each driver one by one to
get the whole list of interfaces for one pod.
Partially Implements: blueprint multi-vif-pods
Change-Id: I8b5175a4637b18a0b574e27674a217865afb22b7
Signed-off-by: Peng Liu <pliu@redhat.com>
This patch adds the driver skel for Network Policy Support and hooks the
previously merged handler to use it. Follow up patches will provide translation
between NP and Neutron security groups and driver implementation.
Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: Ie8cca7b717677347f6a100e8d3b3912bdc20a148
This patch adds a new default driver to get the project ID
associated to a namespace. Same as the pod and service project
drivers
Partially Implements: blueprint network-namespace
Change-Id: Ib4306ba2c3d07ddfa311e2970b67d8b617c951e7
This patch adds a base driver and handler for network policy events. Follow up
patches will implement the driver and actions on network policies crud
actions, as well as tempest tests.
Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: I26969f2597c112259ca90724ff8b357bd8bb376e
This is the third patch of the Ingress Controller capability.
This patch implements OCP-Route and Ingress LBaaS handlers.
Those handlers should retrieve the L7 LB details from the
Ingress controller and update L7 policy/rules and pool/members
upon changes in OCP-route and k8S-endpoint resources.
Please follow the instructions below to verify
OCP-Router functionality:
https://docs.google.com/document/d/1c3mfBToBbWlwFcw3S8fr7pQZb5_YZqFYdlG1HqaQPkQ/edit?usp=sharing
Implements: blueprint openshift-router-support
Change-Id: Ibfb6cda6dde9613ad31859d38235be031ade0639
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
This commit adds a base namespace handler. Follow up patch sets will
make use of it to implement actions on namespace creation/deletion.
Partially Implements: blueprint network-namespace
Change-Id: I503b32f2a981ea661c55625d24b14231a0a0e0f8
This patch introduces a new way for configuring which handlers the
Kuryr controller should be using. This will allow people to use
externally provided handlers as long as they are installed as
entrypoints of the right namespace.
Implements: blueprint kuryr-pluggable-handlers
Change-Id: I52ce0ef00771c8587d7f7113cc5eb4839d1309a5
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This patch adds support for nodes with different vif drivers as
well as different pool drivers for each vif driver type.
Closes-Bug: 1747406
Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9