On 01/13/2016 05:02 PM, Srinivas Naga Kotaru (skotaru) wrote:
> Dan
> 
> Thanks for responding. Are you saying we need to install separate
> cluster installations for internal & External or use single
> cluster but achieve isolation using VXID approach?

No, neither of those. I'm saying you can just deploy a single cluster,
without adding any new firewall rules, and it will work the way you
want. (Internal pods will be able to talk to other internal pods, and
external pods will be able to talk to other external pods, but internal
and external won't be able to talk to each other.)

OpenShift itself will still consider it to be a single VXLAN network,
but if a pod on an internal node tries to talk to a pod on an external
node, that would require that the internal node send a VXLAN packet to
the external node, and your existing firewall will block that, so the
attempt will fail. Likewise for external-to-internal. So although
OpenShift is unaware of it, your VXLAN is effectively partitioned.

-- Dan
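Dan's point in working form, as an added example that is not part of the thread: a small model of a single overlay whose node-to-node VXLAN traffic is filtered by the existing firewall, plus an audit that lists cross-zone node pairs whose VXLAN the firewall would pass. The zone labels, node names, subnets and rule format are assumptions; UDP/4789 is the VXLAN port OpenShift SDN uses between nodes.

```python
import ipaddress
from dataclasses import dataclass
from itertools import permutations

VXLAN_UDP_PORT = 4789  # UDP port OpenShift SDN uses for node-to-node VXLAN traffic

@dataclass(frozen=True)
class Node:
    name: str
    ip: str
    zone: str  # "internal" or "external": a label in this model, unknown to OpenShift

@dataclass(frozen=True)
class Pod:
    name: str
    node: Node

@dataclass(frozen=True)
class AllowRule:  # default-deny firewall: a flow passes only if some rule matches
    src_net: str
    dst_net: str
    proto: str
    port: int

def firewall_allows(rules, src: Node, dst: Node, proto: str, port: int) -> bool:
    """Stateful firewall assumed: if the initiating packet passes, replies do too."""
    return any(
        ipaddress.ip_address(src.ip) in ipaddress.ip_network(r.src_net)
        and ipaddress.ip_address(dst.ip) in ipaddress.ip_network(r.dst_net)
        and (r.proto, r.port) == (proto, port)
        for r in rules)

def pod_can_reach(rules, src: Pod, dst: Pod) -> bool:
    """Same node: traffic stays on the node's bridge and never reaches the firewall.
    Different nodes: OpenShift wraps it in VXLAN, so reachability is exactly whether
    UDP/4789 is allowed between the two nodes; OpenShift makes no zone decision."""
    if src.node == dst.node:
        return True
    return firewall_allows(rules, src.node, dst.node, "udp", VXLAN_UDP_PORT)

def cross_zone_vxlan_leaks(rules, nodes) -> list:
    """Audit: node pairs in different zones whose VXLAN the firewall would pass,
    i.e. places where the 'effective partition' is not actually enforced."""
    return sorted((a.name, b.name) for a, b in permutations(nodes, 2)
                  if a.zone != b.zone
                  and firewall_allows(rules, a, b, "udp", VXLAN_UDP_PORT))

# Constructed sample: internal nodes on 10.1.0.0/24, external nodes on 10.2.0.0/24.
INT_A, INT_B = Node("int-a", "10.1.0.11", "internal"), Node("int-b", "10.1.0.12", "internal")
EXT_A, EXT_B = Node("ext-a", "10.2.0.11", "external"), Node("ext-b", "10.2.0.12", "external")
NODES = [INT_A, INT_B, EXT_A, EXT_B]
# Existing firewall: VXLAN allowed only inside each zone, nothing across zones.
ZONED_RULES = [AllowRule("10.1.0.0/24", "10.1.0.0/24", "udp", VXLAN_UDP_PORT),
               AllowRule("10.2.0.0/24", "10.2.0.0/24", "udp", VXLAN_UDP_PORT)]
# A later rule change that would silently rejoin the two halves of the overlay.
LEAKY_RULES = ZONED_RULES + [AllowRule("10.1.0.0/24", "10.2.0.0/24", "udp", VXLAN_UDP_PORT)]
```

Running the audit against the live rule set is the check to keep, since nothing in OpenShift will report when the partition stops being enforced.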

_______________________________________________
dev mailing list
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev