Hi, I am new to Kubernetes networking and have some basic questions.
I am trying to write a multitenant SDN plugin that implements the Kubernetes NetworkPolicy API. My goal is to enable customers to:

1. Allow only users who were given access in a namespace to create policies.
2. Create network policies so that pods across namespaces can talk to each other.

To achieve these I did the following. I created a NetworkPolicy creator role and bound it to a user (let's say "foo") in projects (let's say "frontend" and "backend") so that "foo" will be able to create network policies in these projects. Since "foo" has the right permissions, Kubernetes RBAC will allow creation of the following policy in project "backend":

    apiVersion: extensions/v1beta1
    kind: NetworkPolicy
    metadata:
      name: test-network-policy
      namespace: backend
    spec:
      podSelector:
        matchLabels:
          role: db
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend

Here comes my difficulty. In my plugin (which has cluster admin rights), how can I only enable communication between pods to which "foo" has access? The problem I am facing is that I am unable to map the user that created the network policy to the network policy creators in the namespaces that the NetworkPolicy object is referring to. Since Kubernetes does not attach the "user" to any resource, I am finding it hard to implement this.

Any pointers on this would be helpful. As I said, I am pretty new here, so I could be missing something very basic.

Thanks for your help!!!

Siva Teja.
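The difficulty raised in the post is that the stored NetworkPolicy carries no record of who created it. One way to attach that record is a mutating admission webhook: the API server sends the webhook an AdmissionReview whose request.userInfo holds the authenticated requester, and the webhook can stamp that username onto the object as an annotation before it is persisted. The handler below is an added example written for this reply, not code from the post, the poster's plugin or any Kubernetes project. It assumes a cluster where admission.k8s.io/v1 mutating webhooks are available (the post's cluster is on extensions/v1beta1 NetworkPolicy, so the exact API version is an assumption), the annotation key sdn.example.com/created-by is hypothetical, and the structs are a hand-written minimal subset of the real AdmissionReview types rather than client-go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical annotation key; a real plugin would choose its own.
const creatorAnnotation = "sdn.example.com/created-by"

// Minimal subset of the admission.k8s.io/v1 AdmissionReview types. Field names
// follow the real API, but only what this handler needs is modelled.
type userInfo struct{ Username string `json:"username"` }
type policyObject struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}
type admissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	UserInfo  userInfo        `json:"userInfo"`
	Object    json.RawMessage `json:"object"`
	OldObject json.RawMessage `json:"oldObject,omitempty"`
}
type admissionStatus struct{ Message string `json:"message"` }
type admissionResponse struct {
	UID       string           `json:"uid"`
	Allowed   bool             `json:"allowed"`
	Result    *admissionStatus `json:"result,omitempty"`
	PatchType string           `json:"patchType,omitempty"`
	Patch     []byte           `json:"patch,omitempty"` // base64-encoded by encoding/json, as the API expects
}
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// jsonPointerEscape encodes a map key for use in an RFC 6901 pointer path.
func jsonPointerEscape(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

// Mutate handles one AdmissionReview for a NetworkPolicy. On CREATE it returns a
// JSON patch stamping the authenticated requester onto the object, overwriting
// any value the client supplied itself; on UPDATE it refuses any change to that
// stamp, so the plugin can later trust the annotation.
func Mutate(body []byte) (*admissionReview, error) {
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, err
	}
	req := review.Request
	if req == nil {
		return nil, fmt.Errorf("admission review carries no request")
	}
	var obj policyObject
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return nil, err
	}
	resp := &admissionResponse{UID: req.UID, Allowed: true}
	review.Response = resp

	switch req.Operation {
	case "CREATE":
		user := req.UserInfo.Username
		// "add" on an existing member replaces it (RFC 6902), so a client-supplied value is overwritten.
		op := patchOp{Op: "add", Path: "/metadata/annotations/" + jsonPointerEscape(creatorAnnotation), Value: user}
		if obj.Metadata.Annotations == nil {
			// The parent map must exist before a key can be added beneath it.
			op = patchOp{Op: "add", Path: "/metadata/annotations", Value: map[string]string{creatorAnnotation: user}}
		}
		patch, err := json.Marshal([]patchOp{op})
		if err != nil {
			return nil, err
		}
		resp.PatchType = "JSONPatch"
		resp.Patch = patch
	case "UPDATE":
		var old policyObject
		if err := json.Unmarshal(req.OldObject, &old); err != nil {
			return nil, err
		}
		if obj.Metadata.Annotations[creatorAnnotation] != old.Metadata.Annotations[creatorAnnotation] {
			resp.Allowed = false
			resp.Result = &admissionStatus{Message: creatorAnnotation + " is set by the admission webhook and must not change"}
		}
	}
	return &review, nil
}

func main() {
	// Constructed sample of what the API server sends when "foo" creates the policy from the post.
	sample := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"42","operation":"CREATE","userInfo":{"username":"foo"},"object":{"metadata":{"name":"test-network-policy","namespace":"backend"}}}}`)
	review, err := Mutate(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("allowed=%v patch=%s\n", review.Response.Allowed, review.Response.Patch)
}
```

Mutate would sit behind an HTTPS handler registered through a MutatingWebhookConfiguration for networkpolicies with failurePolicy Fail, so that a policy can never be stored without the stamp. With the creator recorded, the plugin (which already runs with cluster-admin rights) can resolve the post's question per namespace: for each namespace the policy's namespaceSelector matches, submit a SubjectAccessReview (authorization.k8s.io) asking whether the recorded user may create networkpolicies there, and only program the flows for namespaces where the answer is yes. The rejection of changes on UPDATE matters because otherwise anyone allowed to edit the policy could rewrite the annotation to a more privileged user's name.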