With the new config option `keystone_auth_default_policy`, the cloud admin can set a default keystone auth policy for a k8s cluster when keystone auth is enabled. As a result, users can use their current keystone user to access the k8s cluster as long as they're assigned the correct roles, and they will get the pre-defined permissions set by the cloud provider. The default policy is now based on the v2 format recently introduced in k8s-keystone-auth, which is getting more useful now. For example, v1 doesn't support a policy for a user to access resources from all namespaces but kube-system, but v2 can do that. NOTE: For now we're using the openstackmagnum dockerhub repo until the CPO team fixes their image release issue.
Task: 30069
Story: 1755770
Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
This Dockerfile creates a Docker image based on Fedora 23 that runs Openvswitch and the Neutron L2 agent for Openvswitch. This container image is used by Magnum when a Swarm cluster is deployed with the attribute:
Magnum deploys this container on each Swarm node along with the Kuryr container to support Docker advanced networking based on the Container Networking Model.
To build the image, run this command in the same directory as the Dockerfile:
docker build -t openstackmagnum/fedora23-neutron-ovs:testing .
This image is available on Docker Hub as:
To update the image with a new build:
docker push openstackmagnum/fedora23-neutron-ovs:testing
The 'testing' tag may be replaced with 'latest' or another tag as needed.
This image is intended to run on the Fedora Atomic public image which by default does not have these packages installed. The common practice for Atomic OS is to run new packages in containers rather than installing them in the OS.
For the Neutron agent, you will need to provide 3 files at these locations:
These files are typically installed in the same locations on the Neutron controller node. The policy.json file is copied into the Docker image because it is fairly static and does not require customization for the cluster. If it is changed in the Neutron master repo, you just need to rebuild the Docker image to update the file. Magnum will create the other 2 files on each cluster node in the directory /etc/kuryr and map them to the proper directories in the container using the Docker -v option.
Since Openvswitch needs to operate in the host network namespace, the Docker container will need the --net=host option. The /var/run/openvswitch directory is also mapped from the cluster node so that the Kuryr container can talk to openvswitch. To run the image from Fedora Atomic:
docker run --net=host \
    --cap-add=NET_ADMIN \
    --privileged=true \
    -v /var/run/openvswitch:/var/run/openvswitch \
    -v /lib/modules:/lib/modules:ro \
    -v /etc/kuryr/neutron.conf:/etc/neutron/neutron.conf \
    -v /etc/kuryr/ml2_conf.ini:/etc/neutron/plugins/ml2/ml2_conf.ini \
    --name openvswitch-agent \
    openstackmagnum/fedora23-neutron-ovs:testing
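The following pre-flight wrapper is an added example, not the repository's own run_openvswitch_neutron.sh: it verifies that the two files Magnum is expected to place under /etc/kuryr and the openvswitch run directory exist before the privileged, host-network container is started, and it builds the docker run line from the README. Mounting the two config files with :ro is an assumption that goes beyond the README's command.

```shell
#!/bin/sh
# Pre-flight wrapper for the neutron-ovs agent container (added example, not the
# repo's run_openvswitch_neutron.sh). Image name and mount targets come from the README.
IMAGE="openstackmagnum/fedora23-neutron-ovs:testing"

# required_files DIR: print the files Magnum creates under DIR, one per line
required_files() {
    printf '%s/neutron.conf\n%s/ml2_conf.ini\n' "$1" "$1"
}

# check_prereqs DIR OVS_RUN: return 0 if both config files and the openvswitch
# run directory exist, 1 otherwise (each missing path is reported on stderr)
check_prereqs() {
    dir="$1"; ovs="$2"; missing=0
    for f in $(required_files "$dir"); do
        if [ ! -f "$f" ]; then
            echo "missing config: $f" >&2; missing=1
        fi
    done
    if [ ! -d "$ovs" ]; then
        echo "missing openvswitch run dir: $ovs" >&2; missing=1
    fi
    return $missing
}

# run_cmd DIR OVS_RUN: print the docker run command line. The config files are
# mounted :ro (assumption beyond the README) so the agent cannot rewrite its own config.
run_cmd() {
    dir="$1"; ovs="$2"
    printf 'docker run --net=host --cap-add=NET_ADMIN --privileged=true'
    printf ' -v %s:/var/run/openvswitch' "$ovs"
    printf ' -v /lib/modules:/lib/modules:ro'
    printf ' -v %s/neutron.conf:/etc/neutron/neutron.conf:ro' "$dir"
    printf ' -v %s/ml2_conf.ini:/etc/neutron/plugins/ml2/ml2_conf.ini:ro' "$dir"
    printf ' --name openvswitch-agent %s\n' "$IMAGE"
}

# main [DIR] [OVS_RUN]: start the container only once the prerequisites are in place;
# set DRY_RUN=1 to print the command without executing it
main() {
    dir="${1:-/etc/kuryr}"; ovs="${2:-/var/run/openvswitch}"
    check_prereqs "$dir" "$ovs" || return 1
    cmd=$(run_cmd "$dir" "$ovs")
    echo "$cmd"
    [ -n "$DRY_RUN" ] || eval "$cmd"
}
```

Source the file and call `main` (or `DRY_RUN=1 main /etc/kuryr /var/run/openvswitch` to inspect the command first).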