By default pods in Kubernetes can connect to each other. However in
Qinling, each pod should be independent acting as a worker of a function
or running an execution of a function. Disabling the inter-pod traffic
in the namespace used by Qinling would ensure the isolation of each pod.
This commit leverages the NetworkPolicy in Kubernetes[1] to isolate the
pods. So a network solution which supports NetworkPolicy (for example,
Calico) for Kubernetes must be used or there will be no effect.
[1] https://kubernetes.io/docs/concepts/services-networking/network-policies/
Story: 2001585
Task: 6534
Change-Id: I368323410e92cc23c9a7b50e4936c7070cd57ef7
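Added example (not part of the Qinling commit or its manifest): a Python check, under a simplified model, of whether NetworkPolicy manifests leave pods in one namespace reachable from each other, which is the isolation the commit message above describes. The namespace name `qinling`, the `function_id` label and the sample policy are constructed assumptions.

```python
"""Audit pod-to-pod ingress in one namespace against NetworkPolicy manifests.

Simplified model (assumption): only matchLabels selectors and podSelector
peers are evaluated, ports are ignored, and namespaceSelector/ipBlock peers
are conservatively reported as allowing the traffic.
"""

def selects(selector, labels):
    # An empty or missing selector matches every pod in the namespace.
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def ingress_allowed(policies, namespace, src_labels, dst_labels):
    """True if a pod labelled src_labels may reach one labelled dst_labels."""
    applying = [
        p for p in policies
        if p["metadata"].get("namespace") == namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"].get("podSelector"), dst_labels)
    ]
    if not applying:
        return True  # Kubernetes default: unselected pods accept all traffic
    for policy in applying:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:
                return True  # a rule without "from" admits every source
            for peer in peers:
                if "namespaceSelector" in peer or "ipBlock" in peer:
                    return True  # not modelled: assume it may match
                if selects(peer.get("podSelector"), src_labels):
                    return True
    return False

# Constructed sample: the namespace name and labels are assumptions.
ISOLATE = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "isolate-pods", "namespace": "qinling"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
}
WORKER_A, WORKER_B = {"function_id": "a"}, {"function_id": "b"}

def audit():
    return {
        "no_policy": ingress_allowed([], "qinling", WORKER_A, WORKER_B),
        "isolated": ingress_allowed([ISOLATE], "qinling", WORKER_A, WORKER_B),
    }
```

The check models the policy objects only; as the commit message notes, they have no effect unless the cluster's network plugin enforces NetworkPolicy.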
The original file size limit is too small and not suitable for common
use case. This patch changes the file size limit to 50M but it could
be configurable in the future.
Change-Id: Ie48c9374f8eb2b6a15416fb5ec775f6a444063c3
Story: 2002967
Task: 22973
By now, qinling connects to the Kubernetes API server insecurely.
kubectl proxy is used for testing purposes. However, in real production
deployments, it is not a good idea to let qinling connect to the
Kubernetes API server without any authentication and authorization.
This commit adds the support in qinling for it to connect to the
Kubernetes API server with X509 Client Certs for authentication [1].
An example file is also added for users to grant specific access to the
Kubernetes API for qinling using the RBAC authorization of
Kubernetes [2]. With these, users can control qinling's access to the
Kubernetes API [3] and ensure qinling uses a secure connection to talk
with the Kubernetes API.
The Devstack plugin also sets up qinling to connect to Kubernetes API server
using TLS certificates by default. This makes the deployment with
devstack closer to a production-ready environment. For testing purposes,
users can set the QINLING_K8S_APISERVER_TLS variable to False in
devstack's local.conf.
Note: a HOWTO document will be added in a follow-up commit.
[1] https://kubernetes.io/docs/admin/authentication/#x509-client-certs
[2] https://kubernetes.io/docs/admin/authorization/rbac/
[3] https://kubernetes.io/docs/admin/accessing-the-api/
Change-Id: I532f131abbfc8ed90de398cc135e9b8248d2757a
All Python code should include Licensed under the
Apache License, Version 2.0.
This patch is to add the Apache license.
Change-Id: I693826787d984b8976de8a10c2dbd5fc678876a1
Keystone session can be used directly in user function to access
OpenStack services.
Include OpenStack clients in Python requirements as well.
Add a Python function example.
Implements: blueprint qinling-openstack-clients
Change-Id: I4798c404cb57bafe14049f57ba8db7c7125106c7