This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.
The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods
Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7
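The reachability described in that message (same namespace allowed, cross-namespace denied, with the two exceptions for the default namespace) is easy to get subtly wrong when it is expressed as security-group rules. The following is an added illustration of the policy as a rule set plus a reachability check, not kuryr-kubernetes code; it assumes one ingress-only Neutron security group per namespace, a hypothetical naming scheme for those groups, and `remote_sg=None` meaning "from any source".

```python
"""Per-namespace security-group isolation with a 'default' namespace that
every pod can reach and that can reach every service.

Added illustration of the policy, not kuryr-kubernetes code. Assumed: one
security group per namespace, ingress-only rules, remote_sg=None = any source.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_NS = "default"


@dataclass(frozen=True)
class IngressRule:
    """Allow traffic into ports carrying `sg` when it comes from a port
    carrying `remote_sg` (None = from anywhere)."""
    sg: str
    remote_sg: Optional[str]


def sg_for(namespace: str) -> str:
    """Hypothetical naming scheme for the per-namespace security group."""
    return f"sg-ns-{namespace}"


def build_rules(namespaces) -> set:
    """Rules realising: same-namespace traffic allowed, cross-namespace
    denied, except that 'default' pods reach every service and 'default'
    services are reachable by every pod."""
    rules = set()
    for ns in namespaces:
        own = sg_for(ns)
        rules.add(IngressRule(own, own))  # pods within one namespace
        if ns == DEFAULT_NS:
            rules.add(IngressRule(own, None))  # default services: open to all pods
        else:
            rules.add(IngressRule(own, sg_for(DEFAULT_NS)))  # default pods reach all
    return rules


def allowed(src_ns: str, dst_ns: str, rules) -> bool:
    """Can a pod in src_ns reach a backend pod in dst_ns under `rules`?"""
    src, dst = sg_for(src_ns), sg_for(dst_ns)
    return any(r.sg == dst and r.remote_sg in (None, src) for r in rules)


def reachability_matrix(namespaces) -> dict:
    """Full (source, destination) -> allowed table; worth diffing against
    the intended policy whenever the rule generator changes."""
    rules = build_rules(namespaces)
    return {(s, d): allowed(s, d, rules) for s in namespaces for d in namespaces}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability_matrix(["default", "x", "y"]).items()):
        print(f"{s:>8} -> {d:<8} {'allow' if ok else 'deny'}")
```

One consequence worth keeping in mind when reviewing the matrix: under these exceptions the default namespace is a trusted hub, so the ability to schedule a pod there is equivalent to bypassing the namespace isolation.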
This patch ensures that a different security group is attached to
each newly created namespace, thus providing extra isolation
between the pods allocated on the different namespaces.
Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7
This patch implements the multi-vif of the VIF-Handler and VIF
Drivers design.
This patch creates a new driver type MultiVIFDriver. It will
be the base class of real drivers like sriov,
additional_subnet and npwg_multiple_interfaces. Each of the
derived drivers should implement the parsing of the additional
interfaces definition in K8S pods, and call the VIF driver to
either create or acquire the Neutron port and its VIF object.
A list of enabled drivers can be returned by its class method,
so that the VIFHandler can invoke each driver one by one to
get the whole list of interfaces for one pod.
Partially Implements: blueprint multi-vif-pods
Change-Id: I8b5175a4637b18a0b574e27674a217865afb22b7
Signed-off-by: Peng Liu <pliu@redhat.com>
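The driver layout that message describes (a base class, derived drivers each parsing one pod annotation, a class method listing the enabled drivers, and a handler iterating over them) is shown below as an added example modelled on that description. It is not kuryr-kubernetes code: the method names, the `FakeNeutron` stand-in, the driver-selection mechanism and the `openstack.org/kuryr-additional-subnets` key are assumptions; `k8s.v1.cni.cncf.io/networks` is the annotation from the Network Plumbing Working Group multi-network spec.

```python
"""MultiVIFDriver base class, two example drivers and a VIFHandler that
aggregates their VIFs for one pod.

Added example; not kuryr-kubernetes code. Method names, FakeNeutron and
the additional-subnets annotation key are assumptions.
"""
import abc
import itertools
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class VIF:
    port_id: str
    attachment: str  # network or subnet the port was created on


class FakeNeutron:
    """Stand-in for the Neutron client: hands out sequential port ids."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.ports = []

    def create_port(self, attachment: str) -> VIF:
        vif = VIF(f"port-{next(self._ids)}", attachment)
        self.ports.append(vif)
        return vif


class MultiVIFDriver(abc.ABC):
    """Base class. Subclasses register themselves; each parses its own
    pod annotation and asks Neutron for the ports it needs."""
    name = ""
    _registry = []

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        MultiVIFDriver._registry.append(cls)

    @classmethod
    def get_enabled_drivers(cls, enabled_names):
        """Instantiate the registered drivers whose name is enabled
        (in a real deployment that list would come from configuration)."""
        return [drv() for drv in cls._registry if drv.name in enabled_names]

    @abc.abstractmethod
    def request_additional_vifs(self, pod: dict, neutron: FakeNeutron) -> list:
        """Return the extra VIFs this driver wants attached to `pod`."""


def _annotation(pod: dict, key: str) -> str:
    return pod.get("metadata", {}).get("annotations", {}).get(key, "")


class NPWGMultipleInterfacesDriver(MultiVIFDriver):
    name = "npwg_multiple_interfaces"
    KEY = "k8s.v1.cni.cncf.io/networks"  # comma-separated network names

    def request_additional_vifs(self, pod, neutron):
        names = [n.strip() for n in _annotation(pod, self.KEY).split(",") if n.strip()]
        return [neutron.create_port(name) for name in names]


class AdditionalSubnetDriver(MultiVIFDriver):
    name = "additional_subnet"
    KEY = "openstack.org/kuryr-additional-subnets"  # assumed key; JSON list of subnet ids

    def request_additional_vifs(self, pod, neutron):
        raw = _annotation(pod, self.KEY)
        subnets = json.loads(raw) if raw else []
        # The annotation is written by the pod author, so validate its shape
        # before it turns into Neutron calls.
        if not isinstance(subnets, list) or not all(isinstance(s, str) for s in subnets):
            raise ValueError(f"{self.KEY}: expected a JSON list of subnet ids")
        return [neutron.create_port(subnet) for subnet in subnets]


class VIFHandler:
    """Calls every enabled driver in turn and collects the VIFs for one pod."""
    def __init__(self, drivers, neutron):
        self.drivers = drivers
        self.neutron = neutron

    def vifs_for_pod(self, pod: dict) -> dict:
        vifs = {}
        for driver in self.drivers:
            for i, vif in enumerate(driver.request_additional_vifs(pod, self.neutron)):
                vifs[f"{driver.name}/{i}"] = vif
        return vifs


# Constructed sample pod: two NPWG networks plus one extra subnet.
SAMPLE_POD = {
    "metadata": {
        "name": "demo",
        "namespace": "default",
        "annotations": {
            "k8s.v1.cni.cncf.io/networks": "net-a, net-b",
            "openstack.org/kuryr-additional-subnets": '["subnet-1"]',
        },
    }
}


def demo() -> dict:
    neutron = FakeNeutron()
    drivers = MultiVIFDriver.get_enabled_drivers(["npwg_multiple_interfaces", "additional_subnet"])
    return VIFHandler(drivers, neutron).vifs_for_pod(SAMPLE_POD)
```

Because the interface list comes from pod annotations, a driver of this shape should also check each requested network or subnet against what the pod's project is permitted to attach to; without that check, multi-VIF becomes a way for a pod author to attach to a network the namespace should not see.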
This patch adds the driver skel for Network Policy Support and hooks the
previously merged handler to use it. Follow up patches will provide translation
between NP and Neutron security groups and driver implementation.
Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: Ie8cca7b717677347f6a100e8d3b3912bdc20a148
This patch adds a new default driver to get the project ID
associated to a namespace, same as the pod and service project
drivers.
Partially Implements: blueprint network-namespace
Change-Id: Ib4306ba2c3d07ddfa311e2970b67d8b617c951e7
This patch adds a base driver and handler for network policy events. Follow up
patches will implement the driver and the actions on network policy CRUD
events, as well as tempest tests.
Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: I26969f2597c112259ca90724ff8b357bd8bb376e
This is the second patch of the Ingress Controller capability.
In order for the K8S Ingress and OpenShift Route resources to work,
the cluster must have an Ingress Controller running.
This patch extends LBaaS driver to support L7 load balancing and
verifies, retrieves and stores the L7 router LB (pre-created by admin or
Devstack) details.
The OCP-route and K8S-endpoint handlers (implemented in next patch) will
query the ingress controller for the L7 router details.
Partially Implements: blueprint openshift-router-support
Change-Id: Id55169f6c9c1c607b2aa54c92711dfbd04a9e39d
This patch extends the namespace handler to account for existing
ports at kuryr ports pools before deleting the network namespace
resources. It extends the vif_pool driver with support for removing
all the ports of the different pools belonging to the namespace to be
deleted.
Partially Implements: blueprint network-namespace
Change-Id: I84580201f38c219f1943510bb493da0f07e07153
This patch extends the namespace_subnet driver to handle namespace
deletion. It ensures the created resources during namespace creation
are removed upon namespace deletion.
Note it does not currently support deleting the extra ports created
by the ports pool feature, so it should not be used if the ports pool
feature is enabled. A follow-up patch will address this issue.
Partially Implements: blueprint network-namespace
Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
A Kuryr controller handler associates itself with a specific Kubernetes object
kind (e.g. endpoint) and is responsible for handling the events of this
object.
The Kuryr controller handlers call one or more Kuryr controller drivers to
manage specific aspects of the Kubernetes resource in the OpenStack domain.
This patch decouples the K8S-Endpoint handler and the LBaaS driver, and also
updates the LBaaS driver to be more generic (e.g. supporting creation of a pool
attached to a load balancer).
After this change the LBaaS driver can be extended to
support L7 load balancing, meaning it could be used as the Ingress driver.
Closes-Bug: 1770934
Change-Id: Ifcda04cc0116bf42e79aa4f855dc9df73671b4d9
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace.
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
This patch adds support for nodes with different vif drivers as
well as different pool drivers for each vif driver type.
Closes-Bug: 1747406
Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
This is continuation of Ie4a53dedf54472394f92fdfacddf0632e33f1f5b and
aims to orchestrate security groups and rules creation to make sure
listeners are available for each LoadBalancer Service. This is done
on-demand in LBaaS v2 driver.
Related-Bug: 1749968
Change-Id: Ie6b3783eff7a21ad602923c32bacc37356664e82
Service loadBalancerIP could be one of the following:
1. loadBalancerIP allocated from a pre-defined pool
   (k8s service.spec.type = 'LoadBalancer')
2. loadBalancerIP specified by the user
   (k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP = 'x.y.z.t')
This commit extends the service capability to support (1) and (2).
Implements: blueprint k8s-service-type-loadbalancer
Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
This patch enhances the generic vif pool driver to also pre-create
ports in a bulk request, so that containers can make use of them
when being booted -- even if not that many containers have been
created and deleted before.
This patch also removes the port deletion/recycle from the pod deletion
pipeline by having a dedicated thread performing periodic recycling
actions.
Partially Implements blueprint ports-pool
Change-Id: I7a3165b8a43e314c360b04cb0cefc69e0e5e768f
In order to speed up container creation/deletion a new generic-vif
driver is proposed that builds upon the port pool driver to ensure
ports already created can be reused in the future.
Note this removes the neutron.create_port from the container creation process.
As measured in the performance evaluation performed in [0], these times are,
on average, around 2 seconds.
[0] https://blog.russellbryant.net/2016/12/19/comparing-openstack-neutron-ml2ovs-and-ovn-control-plane/
Partially Implements blueprint ports-pool
Change-Id: Ib127735570470850dde452c453eac3d5545f7a43
tox.ini contains a bunch of excludes that are unnecessary. Some are
leftovers from neutron. Some are already fixed and there is no point in
excluding them, and some are easy to fix.
This commit does not fix E128, as it is the only serious exclusion
(currently 166 lines would need to be changed).
Change-Id: I48cb6cd2258b2d8ed5b8dfdd3ceac7d8d573be81
Every time a container is created or deleted there is a call from
Kuryr to Neutron to create/remove the port used by the container.
In order to speed up both container creation and deletion a vif
pool driver is added, enabling the possibility of performing
Neutron resource management actions before/after the container
creation/deletion process.
This patch introduces a basic structure for the driver to trigger
ports creation and cleanup as part of the vif pool management.
Note it will be followed up with extended versions of the drivers
to support the extra ports pool functionality.
Partially Implements blueprint ports-pool
Change-Id: I441aa8f8ef567414f38d40365e3799de33de5b8c
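The three ports-pool messages above (the base vif pool driver, the generic-vif driver that reuses already-created ports so that container creation no longer calls neutron.create_port, and the later bulk pre-creation with a dedicated recycling thread) describe one mechanism. The block below is an added example of that mechanism, not kuryr-kubernetes code: `FakeNeutron`, the pool sizing parameters, the single-network pool key and the attributes reset on recycling are assumptions. The recycler is a plain method here, standing in for the periodic thread.

```python
"""Port pool for pod VIFs: ports are pre-created in bulk, handed to pods on
creation without a create_port call, and parked on pod deletion until a
periodic recycler resets them and returns them to the pool.

Added example; not kuryr-kubernetes code. FakeNeutron, pool sizing and the
reset attributes are assumptions.
"""
import collections
import itertools


class FakeNeutron:
    """Records every call so the pod create/delete path can be audited."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.calls = []

    def create_port_bulk(self, count: int, network: str) -> list:
        self.calls.append(("create_bulk", count))
        return [f"port-{next(self._ids)}" for _ in range(count)]

    def update_port(self, port_id: str, **attrs) -> None:
        self.calls.append(("update", port_id, tuple(sorted(attrs))))

    def delete_port(self, port_id: str) -> None:
        self.calls.append(("delete", port_id))


class VIFPool:
    """One pool per network (a real pool would be keyed per project,
    subnet and security-group set)."""
    def __init__(self, neutron, network, default_sgs, batch=3, max_free=10):
        self.neutron = neutron
        self.network = network
        self.default_sgs = list(default_sgs)
        self.batch = batch
        self.max_free = max_free
        self.available = collections.deque()  # ready to hand out
        self.recyclable = []                   # released, not yet reset

    def populate(self) -> None:
        """Bulk pre-creation, done ahead of pod creation."""
        self.available.extend(self.neutron.create_port_bulk(self.batch, self.network))

    def request_vif(self, pod_name: str) -> str:
        """Pod creation path: one update_port, never a create_port."""
        if not self.available:
            self.populate()
        port = self.available.popleft()
        self.neutron.update_port(port, device_id=pod_name)
        return port

    def release_vif(self, port: str) -> None:
        """Pod deletion path: no Neutron call at all."""
        self.recyclable.append(port)

    def recycle(self) -> int:
        """Periodic job: reset released ports and return them to the pool.
        Resetting device_id and the security groups matters; otherwise the
        next pod inherits whatever the previous owner had been granted."""
        recycled = 0
        while self.recyclable:
            port = self.recyclable.pop()
            if len(self.available) >= self.max_free:
                self.neutron.delete_port(port)  # pool is full; really free it
                continue
            self.neutron.update_port(port, device_id="", security_groups=self.default_sgs)
            self.available.append(port)
            recycled += 1
        return recycled


def demo():
    """Create two pods, delete one, recycle, create two more; returns the
    Neutron call log plus the first port handed out and the port reused."""
    neutron = FakeNeutron()
    pool = VIFPool(neutron, "net-pods", default_sgs=["sg-default"], batch=3)
    pool.populate()
    first = pool.request_vif("pod-a")
    pool.request_vif("pod-b")
    pool.release_vif(first)
    pool.recycle()
    pool.request_vif("pod-c")
    reused = pool.request_vif("pod-d")
    return neutron.calls, first, reused
```

The call log returned by `demo()` is the useful artefact: it shows a single bulk create, no per-pod create or delete, and the reset of the recycled port's device_id and security groups before it is handed to another pod.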
This patch implements LoadBalancerHandler that handles K8s Endpoints
events and tracks changes in LBaaSServiceSpec to update Neutron LBaaS
accordingly and to reflect its actual state in LBaaSState.
Change-Id: I718daf6d3def981c1bde5ca9831f955766935fbd
Partially-Implements: blueprint kuryr-k8s-integration
This patch adds new LBaaSDriver driver used to support K8s services
and provides LBaaSv2Driver implementation that relies on Neutron
LBaaSv2 API.
NOTE: functionality added by this patch can only be properly
verified after corresponding handler is added to the controller
in subsequent patch.
Change-Id: Iaaeec7b6f8357ed1f7efbfcff0972f5349c28fe0
Partially-Implements: blueprint kuryr-k8s-integration
This patch introduces LBaaSSpecHandler that handles K8s Service
events and updates related Endpoints with LBaaSServiceSpec when
necessary.
Change-Id: I09a0235842edd06827437f37aeac7ca5daeb1774
Partially-Implements: blueprint kuryr-k8s-integration
This patch introduces a driver that manages normal Neutron ports to
provide VIFs for Kubernetes Pods.
Change-Id: Ice32e96e107f7b7331caca3b79c488532710b4a2
Partially-Implements: blueprint kuryr-k8s-integration
This patch adds a new driver type used to determine Neutron security
groups that should be used for Kubernetes pods. This patch also
provides a default driver implementation that uses a list of security
groups set in configuration file.
Change-Id: Id76f70b8a99ffa8372dfd3d199371e7db46fb812
Partially-Implements: blueprint kuryr-k8s-integration
This patch adds a new driver type used to determine Neutron subnet
that should be used for Kubernetes pods' ports. This patch also
provides a default subnet driver implementation that uses a
subnet set in configuration file.
This patch also introduces the 'os_vif_util' module that contains
functions to translate data structures returned by Neutron client to
os-vif objects. Only the subnet-related functions are added in this
patch.
Change-Id: I643b22858239ce7f64e6ba81822b31e788fc9990
Partially-Implements: blueprint kuryr-k8s-integration
This patch adds stevedore-based driver support to the controller and
implements a driver to determine OpenStack project ID used to create
pod ports.
Change-Id: I0002ce1c1f7985955b7f66902dcf5386db212a1a
Partially-Implements: blueprint kuryr-k8s-integration