This commit implements NP driver actions for creating/updating SG and SG
rules. It also creates KuryrNetPolicy as a CRD so we don't have to rely
on the slow neutron API for time-costly operations such as listing SG
and so on.
Security group rules and label matching will be handled in a follow-up
patch, as well as storing CRD object_id in a network policy annotation.
Unit tests will also be added after some more functionality is added
with the remaining patch series.
Partially-Implements: bp/k8s-network-policies
Change-Id: I6d45a462e812b24073b529144fc0843e8725a06e

In devstack plugin, add KURYR_MULTI_VIF_DRIVER parameter to
specify which multi-vif driver is to be enabled. If it's the NPWG
driver, the network attachment definition CRD is created in the
Kubernetes cluster.
Change-Id: I260a44880b9cfb3686843504bd29649e5d0518d0

This patch creates an npwg multi-vif driver which can parse the
Pod annotations and CRD defined in the Network Plumbing Working
Group CRD SPEC.
Implements: blueprint kuryr-npwg-spec-support
Change-Id: I9ee9643b468a5fe453541b9cf1acf31ca872a313

This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.
The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods
Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7

This patch ensures that a different security group is attached to
each newly created namespace, thus providing extra isolation
between the pods allocated on the different namespaces.
Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7

Kuryr-kubernetes declares that the supported CNI version is 0.3.0, but
it prints its output in the format of version 0.2.0.
Kubernetes can't parse it.
This patch modifies the CNI output according to 0.3.1; it differs only
slightly from version 0.3.0, just in the naming of the ips field.
Change-Id: I7b6bb5c178035b7c85fc28973f9a0cf1bc1a139e
Closes-Bug: 1779718
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>

This patch extends the namespace handler to account for existing
ports at kuryr ports pools before deleting the network namespace
resources. It extends the vif_pool driver with support for removing
all the ports of the different pools belonging to the namespace to be
deleted.
Partially Implements: blueprint network-namespace
Change-Id: I84580201f38c219f1943510bb493da0f07e07153

This patch extends the namespace_subnet driver to handle namespace
deletion. It ensures the created resources during namespace creation
are removed upon namespace deletion.
Note it does not currently support deleting the extra ports created
by the ports pool feature, so it should not be used if the ports pool
feature is enabled. A follow-up patch will address this issue.
Partially Implements: blueprint network-namespace
Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4

This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace.
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e

This commit fixes an issue with the creation of the Kuryr Secret with CA
certificate when the certificate doesn't exist. Basically it makes sure that
in that case the CA cert file will be empty.
Closes-Bug: 1760825
Change-Id: I519ef424e00584ea471d6707d916cd30b94b06bf

Our containerized gates started failing recently. Turns out some default
configuration was changed and `tls-proxy` service was added. This option
makes all OpenStack endpoints use HTTPS. This includes creation of a
DevStack CA certificates bundle that then will be configured to be
verified when connecting to OpenStack APIs. This works well with
non-containerized deployment as the bundle is available locally in
/opt/stack/data and our `[neutron]` section sets `cafile` option to
point there.
Things are different in containerized deployment use case as we need a
way to pass those certificates into the container. Effectively - we had
no CA certificates support for containerized deployments either in
DevStack or production.
This commit adds that support by including new Kuryr Kubernetes resource
definition - `kuryr-certificates` Secret. It is supposed to hold CA
certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet
definition was modified to mount the certificate into /etc/ssl/certs.
Changes also include implementing support for that in DevStack plugin
(placing the certificate in the secret and setting the `[neutron]cafile`
config option to point to that certificate).
Closes-Bug: 1758061
Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8

This commit implements what was discussed on the PTG, i.e. deprecation
of running Kuryr-Kubernetes without kuryr-daemon services. This commit
includes changes in configuration defaults, sample local.conf files,
documentation, gates and a release note explaining the change.
Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa

This patch adds support for nodes with different vif drivers as
well as different pool drivers for each vif driver type.
Closes-Bug: 1747406
Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9

Since LBaaSv2 doesn't support UDP load balancing,
Kuryr should ignore exposed UDP ports in K8S service.
This patch updates Kuryr to gracefully ignore UDP exposed
ports and updates the documentation with this info.
Closes-Bug: 1736060
Change-Id: I03f6d95a2d855cbd8954018c930e283a46763655

The CNI daemon should always be run in its own cgroup. That typically
can take two forms:
- Running inside a container
- Running as a systemd service
This patch changes the way the memory usage is tracked so that both
of the cgroup memberships listed above are supported.
Thanks to using cgroups for tracking the memory usage, we will finally
take into account the CNI daemon children memory usage.
Change-Id: I0ef48742653d5c17ea0cc787ae3a997d5d315c5a
Closes-Bug: 1752939
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>

With the addition of the services documentation, the creation of the pod
and services resources is much better explained there and the part in the
manual only adds confusion. This patch refers users to the new
documentation.
Change-Id: I1bd83011742d77b026c746253c543839eb05a4f0
Closes-Bug: #1711074
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>

It is common for Neutron deployment's policy to forbid GETs to the
public subnet, only allowing GETs for the public net. Since the only
required field of those two for creating a FIP is the public net, let's
change public net to be the only required config option and have the
subnet stick around as optional.
Change-Id: I31c3c51ad2dc12f8f560cbab01c86d04aabb754e
Closes-Bug: 1749921
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>

This commit changes the way we produce kuryr-cni Docker image. Previously we've
distributed the kuryr-driver as pyinstaller binary that contained Python 3
interpreter and all the dependencies. This binary was called from CNI. That
approach had some disadvantages, the major being complicated build procedure
and having to see false-positive BrokenPipeError tracebacks in kubelet
logs.
This commit implements distributing kuryr-driver as a virtualenv with
kuryr-kubernetes and all the dependencies installed. That virtualenv is then
copied onto the host system and CNI can easily activate it and run kuryr-cni
binary. This should solve issues caused by pyinstaller.
Closes-Bug: 1747058
Change-Id: I65b01ba27cbe39b66f0a972d12f3abc166934e62

This commit extends developer docs to add information about CNI Daemon
and APIs between CNI Driver and CNI Daemon.
Implements: blueprint cni-split-exec-daemon
Co-Authored-By: Janonymous <janonymous.codevulture@gmail.com>
Change-Id: I0188c133d656e32b75bf7d9b6c012da33ffa2571

This patch extends the ports pool documentation to add information
about pools when using containerized versions, as well as how the
kuryr-controller recovers the pre-created ports and puts them back
into their respective pools.
Change-Id: If108b16cf998bd29fd51954e889982fb47ef4e8e

When octavia is configured to SINGLE loadbalancer topology, we have a single
point of failure (Amphora), that affects both user services and the
kuryr-kubernetes L7 router module.
Service documentation is updated with that info.
Change-Id: I04e2deaf155a43c26d9f008a03b13c05c5286a48
Closes-Bug: #1737978

This commit implements kuryr-daemon support when
KURYR_K8S_CONTAINERIZED_DEPLOYMENT=True. It's done by:
* CNI docker image installs Kuryr-Kubernetes pip package and adds
execution of kuryr-daemon into entrypoint script.
* Host's /proc and /var/run/openvswitch are mounted into the CNI
container.
* Code is changed to use /host_proc instead of /proc when in a container
(it's impossible to mount host's /proc into container's /proc).
Implements: blueprint cni-split-exec-daemon
Change-Id: I9155a2cba28f578cee129a4c40066209f7ab543d

This patch adds a readiness probe to the kuryr controller when
the ports pool functionality is enabled. This ensures the
controller pod is not set to ready until all the precreated ports
have been loaded into their respective pools. This helps admins
to know when the kuryr-controller pod is prepared to start serving
requests.
Note the kuryr-controller will reply to requests even if it is not
in ready status. However, that will trigger port creation
for new pods as the already existing ports may not be in their
respective pools yet.
Change-Id: Id47d3e7450551c19cb19d9278e459bd32bf364cf

As Outreachy students were asking "where to start with
kuryr-kubernetes?" I've noticed that we don't have a tutorial of the most
basic DevStack installation. This commit adds such a page to the
installation documentation.
Change-Id: I151f32143e4052156f23042e253503a530df0a1e

This patch introduces a ports pool manager that runs as an http server
thread belonging to the VIF handler. This Manager handles the requests
to populate and/or empty given subport pools so that they can be easily
managed.
It also includes a client and documentation to test/use the new functionality.
Implements: blueprint kuryr-manager-cli-tool
Change-Id: I495c0ca3ed997ab9da1763d8a3e60bbf7ac618b9

This patch adds the options to configure the pool driver directly
from devstack as well as includes the documentation related to its
usage.
Change-Id: Ie0edaebffe34f47547aac51dabd01db861123ae1

Service loadbalancerIP could be one of the following:
1. loadbalancerIP allocated from pre-defined pool
k8s service.spec.type = 'LoadBalancer'
2. loadbalancerIP specified by user
k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t'
This commit extends service capability to support '1' and '2'.
Implements: blueprint k8s-service-type-loadbalancer
Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce

This patch introduces the modifications needed to support
L2 member mode communication between the loadbalancer and
the pool members (i.e., the pods belonging to the service).
It also includes the needed changes to set up the environment
with devstack.
Implements: blueprint octavia-layer2-member-connectivity
Change-Id: I345a71fbdf6f30f314b12aed1fc6f59177c03d00

This patch adds the option to run the controller and the CNI as a
Kubernetes Deployment and Daemonset respectively.
Change-Id: If102c953f5d77adaacaacf2fc0cc96d3b7de0303
Implements: blueprint kubeadminstallable
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
Co-Authored-By: Michal Dulko <mdulko@redhat.com>