451add3543
This patch ensures svc namespace isolation may work with different types of octavia drivers.

Depending on the ownership of the security group, as well as the tenant kuryr-controller is running on, there may be a need to create (and apply) a new security group for the loadbalancer VIP port, or simply update the existing one. A new configuration option, named sg_mode, has been added that accepts update|create depending on the desired behavior. As of today, the options will be:

- Amphora driver: needs to 'update' the SG as the VIP port is connected to the amphora through the allow_address_pair option, and the SG rules are enforced on the amphora port rather than on the VIP port. However, as both ports share the same SG, updating it will ensure the proper isolation. Note the SG in the amphora driver belongs to the admin tenant instead of the one creating the loadbalancer.
- OVN driver: SG is applied directly on the VIP port, so both updating or creating a SG will work as the VIP port belongs to the tenant. However, as of today OVN-driver does not create a SG for the loadbalancer and the SG applied is the default one. Thus, there is a need for setting the sg_mode to 'create', so that a new one is created and the proper rules are applied there.

Implements: blueprint octavia-ovn-provider
Change-Id: I4ad4d55b75ce7a6d5e102b5f35bedc07af4fbb96

- .zuul.d
- contrib
- devstack
- doc
- etc
- hooks
- kubernetes_crds
- kuryr_kubernetes
- playbooks
- releasenotes
- tools
- .coveragerc
- .dockerignore
- .gitignore
- .gitreview
- .stestr.conf
- .testr.conf
- CONTRIBUTING.rst
- HACKING.rst
- LICENSE
- README.rst
- babel.cfg
- cni.Dockerfile
- cni_ds_init
- cni_py3.Dockerfile
- controller.Dockerfile
- controller_py3.Dockerfile
- lower-constraints.txt
- requirements.txt
- setup.cfg
- setup.py
- test-requirements.txt
- tox.ini

README.rst
Team and repository tags
Project description
Kubernetes integration with OpenStack networking
The OpenStack Kuryr project enables native Neutron-based networking in Kubernetes. With Kuryr-Kubernetes it's now possible to choose to run both OpenStack VMs and Kubernetes Pods on the same Neutron network if your workloads require it or to use different segments and, for example, route between them.
- Free software: Apache license
- Documentation: https://docs.openstack.org/kuryr-kubernetes/latest
- Source: https://git.openstack.org/cgit/openstack/kuryr-kubernetes
- Bugs: https://bugs.launchpad.net/kuryr-kubernetes
- Overview and demo: https://superuser.openstack.org/articles/networking-kubernetes-kuryr
- Release notes: https://docs.openstack.org/releasenotes/kuryr-kubernetes/
Contribution guidelines
For the process of new feature addition, refer to the Kuryr Policy