This commit implements NP driver actions for creating/updating SG and SG
rules. It also creates KuryrNetPolicy as a CRD so we don't have to rely
on the slow neutron API for time-costly operations such as listing SGs
and so on.
Security group rules and label matching will be handled in a follow-up
patch, as well as storing CRD object_id in a network policy annotation.
Unit tests will also be added after some more functionality is added
with the remaining patch series.
Partially-Implements: bp/k8s-network-policies
Change-Id: I6d45a462e812b24073b529144fc0843e8725a06e
In devstack plugin, add KURYR_MULTI_VIF_DRIVER parameter to
specify which multi-vif driver to enable. If it's the NPWG
driver, the network attachment definition CRD is created in the
Kubernetes cluster.
Change-Id: I260a44880b9cfb3686843504bd29649e5d0518d0
This patch creates a npwg multi-vif driver which can parse the
Pod annotations and CRD defined in Network Plumbing Working
Group CRD SPEC.
Implements: blueprint kuryr-npwg-spec-support
Change-Id: I9ee9643b468a5fe453541b9cf1acf31ca872a313
This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.
The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods
Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7
This patch ensures that a different security group is attached to
each newly created namespace, thus providing extra isolation
between the pods allocated on the different namespaces.
Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7
This patch implements the multi-vif of VIF-Handler And Vif
Drivers Design.
This patch creates a new driver type MultiVIFDriver. It will
be the base class of real drivers like sriov,
additional_subnet and npwg_multiple_interfaces. Each of the
derived drivers should implement the parsing of the additional
interfaces definition in K8S pods, and call the VIF driver to
either create or acquire the Neutron port and its VIF object.
A list of enabled drivers can be returned by its class method,
so that the VIFHandler can invoke each driver one by one to
get the whole list of interfaces for one pod.
Partially Implements: blueprint multi-vif-pods
Change-Id: I8b5175a4637b18a0b574e27674a217865afb22b7
Signed-off-by: Peng Liu <pliu@redhat.com>
The purpose of the Kubernetes Network Custom Resource Definition De-facto
Standard spec, defined by the Network Plumbing Working Group, is to
standardize the multi-network effort around K8S. That spec
defines a Pod annotation and CRD mechanism for attaching pods to
multiple networks, using various CNIs.
This proposal is based on VIF-Handler And Vif Drivers Design. A new VIF
driver is created, which can parse the Pod annotation and CRD defined
by the NPWG spec, and return the vif objects to the Multi-vif driver.
Partially Implements: blueprint kuryr-npwg-spec-support
Change-Id: I4402b9b8f04536b31f14684559c2aad86bd54162
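The two commit messages above describe a driver that parses the NPWG pod annotation but do not show the annotation format. The following is an added example, not kuryr-kubernetes code: a parser for the `k8s.v1.cni.cncf.io/networks` annotation as the NPWG de-facto standard defines it, accepting both the short comma-separated form (`[<namespace>/]<name>[@<interface>]`) and the JSON-list form, and rejecting names that are not valid RFC 1123 subdomain labels before they reach any CNI plugin. The sample annotations in the usage section are constructed.

```python
"""Parse the NPWG `k8s.v1.cni.cncf.io/networks` pod annotation (added example).

Two forms are allowed by the spec:
  * short form: "net-a, infra/net-b@eth1"
  * JSON form:  '[{"name": "net-a"}, {"name": "net-b", "namespace": "infra",
                  "interface": "eth1"}]'
Entries without a namespace resolve to the pod's own namespace.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"

# The spec requires RFC 1123 subdomain-style names for networks and
# namespaces. Anything else is rejected instead of being forwarded.
_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
# Linux interface names: no '/', no whitespace, at most 15 characters.
_IFACE_RE = re.compile(r"^[^/\s]{1,15}$")


@dataclass(frozen=True)
class NetworkSelection:
    namespace: str
    name: str
    interface: Optional[str] = None


def _check(kind: str, value, pattern) -> str:
    if not isinstance(value, str) or not pattern.match(value):
        raise ValueError(f"invalid {kind} {value!r} in {NETWORKS_ANNOTATION}")
    return value


def _parse_short(item: str, pod_namespace: str) -> NetworkSelection:
    iface = None
    if "@" in item:
        item, iface = item.split("@", 1)
    namespace = pod_namespace
    if "/" in item:
        namespace, item = item.split("/", 1)
    return NetworkSelection(
        _check("namespace", namespace, _NAME_RE),
        _check("network name", item, _NAME_RE),
        _check("interface", iface, _IFACE_RE) if iface else None)


def _parse_json(entry, pod_namespace: str) -> NetworkSelection:
    if not isinstance(entry, dict) or "name" not in entry:
        raise ValueError("JSON network entry must be an object with a name")
    iface = entry.get("interface")
    return NetworkSelection(
        _check("namespace", entry.get("namespace", pod_namespace), _NAME_RE),
        _check("network name", entry["name"], _NAME_RE),
        _check("interface", iface, _IFACE_RE) if iface else None)


def parse_networks_annotation(annotations: dict,
                              pod_namespace: str) -> List[NetworkSelection]:
    """Return the networks a pod requests, in annotation order."""
    raw = annotations.get(NETWORKS_ANNOTATION)
    if raw is None or not raw.strip():
        return []
    raw = raw.strip()
    if raw.startswith("["):
        return [_parse_json(e, pod_namespace) for e in json.loads(raw)]
    return [_parse_short(item.strip(), pod_namespace)
            for item in raw.split(",") if item.strip()]


if __name__ == "__main__":
    # Constructed sample annotation, not taken from a real cluster.
    sample = {NETWORKS_ANNOTATION: "net-a, infra/net-b@eth1"}
    for sel in parse_networks_annotation(sample, "ns1"):
        print(sel)
```

Because the annotation is user-controlled pod metadata, the validation step is the part that matters for a driver: a namespace prefix is how a pod asks for a network attachment definition in another namespace, so whatever policy the driver applies (the isolation patches above restrict cross-namespace access) has to be enforced on the resolved `namespace` field, not on the raw string.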
Kuryr-kubernetes declares that the supported CNI version is 0.3.0, but
it prints its output in the format of version 0.2.0.
Kubernetes can't parse it.
This patch modifies the CNI output according to 0.3.1, which differs
slightly from version 0.3.0, only in the naming of the ips field.
Change-Id: I7b6bb5c178035b7c85fc28973f9a0cf1bc1a139e
Closes-Bug: 1779718
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
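The commit above names the two CNI result formats without showing them. As an added example, not kuryr-kubernetes code, the converter below turns the 0.2.0 result shape (`ip4`/`ip6` objects) into the 0.3.x shape (`ips` list plus `interfaces` and top-level `routes`) as the CNI spec defines them; the exact 0.3.0/0.3.1 naming difference the commit mentions is not encoded here, the `cniVersion` string is simply parameterised. The sample result in the usage section is constructed.

```python
"""Convert a CNI 0.2.0 result to the 0.3.x result shape (added example).

Shapes assumed from the CNI spec, not from kuryr-kubernetes:
  0.2.0:  {"cniVersion": "0.2.0",
           "ip4": {"ip": "10.0.0.5/24", "gateway": "10.0.0.1", "routes": [...]},
           "dns": {...}}
  0.3.x:  {"cniVersion": "0.3.1",
           "interfaces": [{"name": "eth0", "sandbox": "/proc/1234/ns/net"}],
           "ips": [{"version": "4", "address": "10.0.0.5/24",
                    "gateway": "10.0.0.1", "interface": 0}],
           "routes": [...], "dns": {...}}
"""
import ipaddress
import json


def convert_result(old, cni_version="0.3.1", ifname=None, sandbox=None):
    """Return a new result dict in the 0.3.x layout; `old` is left untouched."""
    new = {
        "cniVersion": cni_version,
        "interfaces": [],
        "ips": [],
        "routes": [],
        "dns": old.get("dns", {}),
    }
    if ifname:
        iface = {"name": ifname}
        if sandbox:
            iface["sandbox"] = sandbox  # network namespace path of the pod
        new["interfaces"].append(iface)

    for key, version in (("ip4", "4"), ("ip6", "6")):
        cfg = old.get(key)
        if not cfg:
            continue
        # Validate rather than copy: a malformed address here would be
        # handed straight to the runtime as a "successful" ADD.
        addr = ipaddress.ip_interface(cfg["ip"])
        if str(addr.version) != version:
            raise ValueError(f"{key} holds an IPv{addr.version} address")
        entry = {"version": version, "address": str(addr)}
        if cfg.get("gateway"):
            entry["gateway"] = str(ipaddress.ip_address(cfg["gateway"]))
        if new["interfaces"]:
            entry["interface"] = 0  # index into new["interfaces"]
        new["ips"].append(entry)
        # 0.2.0 kept routes per address family; 0.3.x lists them once.
        new["routes"].extend(cfg.get("routes", []))
    return new


def render(result):
    """Serialise the result the way a CNI plugin writes it to stdout."""
    return json.dumps(result, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample, not captured from a real kuryr-cni run.
    old = {"cniVersion": "0.2.0",
           "ip4": {"ip": "10.0.0.5/24", "gateway": "10.0.0.1",
                   "routes": [{"dst": "0.0.0.0/0"}]},
           "dns": {"nameservers": ["10.0.0.2"]}}
    print(render(convert_result(old, ifname="eth0", sandbox="/proc/1234/ns/net")))
```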
This patch updates Ingress design Devref with the latest changes
in Kuryr's Ingress controller configuration options.
Change-Id: Iaaeaee393f0837276994a24c258c4080a0e2ef04
Closes-Bug: 1777821
This commit implements initial version of high availability support in
kuryr-controller - Active/Passive mode. In this mode only one instance
of the controller is processing the resources while the other ones are in
standby mode. If the current leader dies, one of the standbys takes the
leader role and starts processing resources.
Please note that as leader election is based on Kubernetes mechanisms,
this is only supported when kuryr-controller is run as Pod on Kubernetes
cluster.
Implements: bp high-availability
Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
This patch extends the namespace handler to account for existing
ports at kuryr ports pools before deleting the network namespace
resources. It extends the vif_pool driver with support for removing
all the ports of the different pools belonging to the namespace to be
deleted.
Partially Implements: blueprint network-namespace
Change-Id: I84580201f38c219f1943510bb493da0f07e07153
This patch extends the namespace_subnet driver to handle namespace
deletion. It ensures the created resources during namespace creation
are removed upon namespace deletion.
Note it does not currently support deleting the extra ports created
by the ports pool feature, so it should not be used if the ports pool
feature is enabled. A follow-up patch will address this issue.
Partially Implements: blueprint network-namespace
Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace.
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
OpenShift 3.7 has a bug [1] that prevents updating metadata of pods
created without any Controller (e.g. through `kubectl apply -f
pod-def.yaml`) with ServiceAccount credentials. This prevents
containerized Kuryr from applying annotations onto such pods.
As this is only fixed in 3.9 now, we'll raise default OpenShift version
in DevStack.
As our version compatibility docs say nothing about OpenShift, we can
just state that we support 3.9+ starting with next release.
Closes-Bug: 1765132
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1383707
Change-Id: Ia19c5a556085c13b70ae5f6bcd8538adce261fae
Starting with the Rocky release, Kuryr-Kubernetes will include a
pluggable interface for the Kuryr controller handlers.
This patch updates the documentation to include this capability.
Partially Implements: kuryr-pluggable-handlers
Change-Id: I908b5f52d2e2dfe3432ec95e34b04c1d28c21917
This patch adds a documentation placeholder to keep track of the
supported/tested version of kubernetes at the different
kuryr-kubernetes releases.
Change-Id: I53c6ae31cdd380876328ad357afc4c8938c7e5a0
Closes-Bug: 1752285
This commit fixes issue with creation of Kuryr Secret with CA
certificate when certificate doesn't exist. Basically it makes sure that
in that case the CA cert file will be empty.
Closes-Bug: 1760825
Change-Id: I519ef424e00584ea471d6707d916cd30b94b06bf
Our containerized gates started failing recently. Turns out some default
configuration was changed and `tls-proxy` service was added. This option
makes all OpenStack endpoints use HTTPS. This includes creation of a
DevStack CA certificates bundle that then will be configured to be
verified when connecting to OpenStack APIs. This works well with
non-containerized deployment as the bundle is available locally in
/opt/stack/data and our `[neutron]` section sets `cafile` option to
point there.
Things are different in the containerized deployment use case as we need a
way to pass those certificates into the container. Effectively, we had
no CA certificates support for containerized deployments either in
DevStack or production.
This commit adds that support by including new Kuryr Kubernetes resource
definition - `kuryr-certificates` Secret. It is supposed to hold CA
certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet
definition was modified to mount the certificate into /etc/ssl/certs.
Changes also include implementing support for that in DevStack plugin
(placing the certificate in the secret and setting the `[neutron]cafile`
config option to point to that certificate).
Closes-Bug: 1758061
Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8
This commit implements what was discussed on the PTG, i.e. deprecation
of running Kuryr-Kubernetes without kuryr-daemon services. This commit
includes changes in configuration defaults, sample local.conf files,
documentation, gates and a release note explaining the change.
Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa
This patch adds support for nodes with different vif drivers as
well as different pool drivers for each vif driver type.
Closes-Bug: 1747406
Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
Since LBaaSv2 doesn't support UDP load balancing,
Kuryr should ignore exposed UDP ports in K8S service.
This patch updates Kuryr to gracefully ignore UDP exposed
ports and updates the documentation with this info.
Closes-Bug: 1736060
Change-Id: I03f6d95a2d855cbd8954018c930e283a46763655
The CNI daemon should always be run in its own cgroup. That typically
can take two forms:
- Running inside a container
- Running as a systemd service
This patch changes the way the memory usage is tracked so that both
of the cgroup memberships listed above are supported.
Thanks to using cgroups for tracking the memory usage, we will finally
take into account the memory usage of the CNI daemon's children.
Change-Id: I0ef48742653d5c17ea0cc787ae3a997d5d315c5a
Closes-Bug: 1752939
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
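The commit above says the daemon's memory usage is now read from its cgroup rather than from the process itself, so that forked children are counted. The following is an added example, not kuryr-kubernetes code, of how that lookup works on both cgroup v1 (memory controller hierarchy, `memory.usage_in_bytes`) and cgroup v2 (unified hierarchy, `memory.current`): it parses `/proc/self/cgroup`, which has one `<hierarchy-id>:<controllers>:<path>` line per hierarchy, and resolves the file to read. The mount points under `/sys/fs/cgroup` are assumed to be the usual ones; the `/proc/self/cgroup` contents in the usage section are constructed.

```python
"""Locate and read the calling process's cgroup memory usage (added example).

Works for both forms the commit lists: a systemd service (v1 or v2
hierarchy on the host) and a container (cgroup path as seen from inside
the container's cgroup namespace).
"""
import os

CGROUP_V2_ROOT = "/sys/fs/cgroup"                # assumed unified mount
CGROUP_V1_MEMORY_ROOT = "/sys/fs/cgroup/memory"  # assumed v1 memory mount


def parse_proc_cgroup(text):
    """Map the controller list of each /proc/<pid>/cgroup line to its path.

    v2 lines look like "0::/kubepods/pod123/abc" (empty controller list);
    v1 lines look like "12:memory:/system.slice/kuryr-daemon.service".
    """
    hierarchies = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # tolerate blank or malformed lines
        _hierarchy_id, controllers, path = parts
        hierarchies[controllers] = path
    return hierarchies


def memory_usage_file(hierarchies):
    """Pick the file that holds the cgroup's current memory usage.

    A v1 memory controller wins over a unified line, because on a hybrid
    host (v1 controllers plus an empty v2 hierarchy) memory is accounted
    in the v1 tree.
    """
    v1_path = next((path for controllers, path in hierarchies.items()
                    if "memory" in controllers.split(",")), None)
    if v1_path is not None:
        return os.path.join(CGROUP_V1_MEMORY_ROOT, v1_path.lstrip("/"),
                            "memory.usage_in_bytes")
    if "" in hierarchies:
        return os.path.join(CGROUP_V2_ROOT, hierarchies[""].lstrip("/"),
                            "memory.current")
    raise RuntimeError("no memory cgroup found for this process")


def read_usage_bytes(path):
    """Both cgroup files contain a single decimal byte count."""
    with open(path) as f:
        return int(f.read().strip())


def current_cgroup_memory_usage():
    """Memory charged to this process's cgroup, children included."""
    with open("/proc/self/cgroup") as f:
        hierarchies = parse_proc_cgroup(f.read())
    return read_usage_bytes(memory_usage_file(hierarchies))


if __name__ == "__main__":
    print(current_cgroup_memory_usage())
```

One caveat for the container case: the path in `/proc/self/cgroup` is relative to the process's cgroup namespace. With a cgroup namespace (the default for recent runtimes) it is `/` or a short relative path that exists under the container's `/sys/fs/cgroup` mount; in a container started without one, the line shows the host path, which may not be present under the container's mount, so a health check should treat a missing file as an error rather than as zero usage.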
With the addition of the services documentation, the creation of the pod
and services resources is much better explained there and the part in the
manual only adds confusion. This patch refers users to the new
documentation.
Change-Id: I1bd83011742d77b026c746253c543839eb05a4f0
Closes-Bug: #1711074
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
This patch adds readiness and liveness to CNI. It checks the presence
of the NET_ADMIN capability, that IPDB is in working order, the connection
to the Kubernetes API, the quantity of CNI add failures, the health of CNI
components and the existence of memory leaks.
Implements: blueprint cni-daemon-readiness-liveness
Change-Id: I9a4b871d196dbadfed687df93bb3cad97c957bfb
It is common for Neutron deployment's policy to forbid GETs to the
public subnet, only allowing GETs for the public net. Since the only
required field of those two for creating a FIP is the public net, let's
change public net to be the only required config option and have the
subnet stick around as optional.
Change-Id: I31c3c51ad2dc12f8f560cbab01c86d04aabb754e
Closes-Bug: 1749921
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>