I don't understand at all what you said there.
If my Kubernetes minions are attached to a gateway which has a direct
route to Magnum, let's say they're at 192.0.2.{100,101,102}, and
Magnum is at 198.51.100.1, then as long as the minions' gateway knows
how to find 198.51.100.0/24, and Magnum's gateway knows how to route to
192.0.2.0/24, you can have two-way communication and no floating
IPs or NAT. This seems orthogonal to how external users find the minions.
Excerpts from Steven Dake (stdake)'s message of 2015-06-16 19:40:25 -0700:
> Clint,
>
> Answering Clint’s question, yes there is a reason all nodes must expose a
> floating IP address.
>
> In a Kubernetes cluster, each minion has a port address space. When an
> external service contacts the floating IP’s port, the request is routed over
> the internal network to the correct container using a proxy mechanism. The
> problem then is, how do you know which minion to connect to with your
> external service? The answer is you can connect to any of them. Kubernetes
> only has one port address space, so Kubernetes suffers from a single
> namespace problem (which Magnum solves with Bays).
>
> Longer term it may make sense to put the minion external addresses on an
> RFC1918 network, and put a floating VIF with a load balancer to connect to
> them. Then there is no need for a floating address per node. We are blocked behind
> Kubernetes implementing proper support for load balancing in OpenStack to
> even consider this work.
>
> Regards
> -steve
>
> From: Fox, Kevin M <[email protected]>
> Reply-To: "OpenStack Development Mailing List (not for usage questions)"
> <[email protected]>
> Date: Tuesday, June 16, 2015 at 6:36 AM
> To: "OpenStack Development Mailing List (not for usage questions)"
> <[email protected]>
> Subject: Re: [openstack-dev] [Magnum] TLS Support in Magnum
>
> Out of the box, VMs usually can contact the controllers through the router's
> NAT, but not vice versa. So it's preferable for guest agents to make the
> connection, not the controller connect to the guest agents. No floating IPs,
> security group rules or special networks are needed then.
>
> Thanks,
> Kevin
>
> ________________________________
> From: Clint Byrum
> Sent: Monday, June 15, 2015 6:10:27 PM
> To: openstack-dev
> Subject: Re: [openstack-dev] [Magnum] TLS Support in Magnum
>
> Excerpts from Fox, Kevin M's message of 2015-06-15 15:59:18 -0700:
> > No, I was confused by your statement:
> > "When we create a bay, we have an ssh keypair that we use to inject the ssh
> > public key onto the nova instances we create."
> >
> > It sounded like you were using that keypair to inject a public key. I just
> > misunderstood.
> >
> > It does raise the question though, are you using ssh between the controller
> > and the instance anywhere? If so, we will still run into issues when we go
> > to try and test it at our site. Sahara does currently, and we're forced to
> > put a floating IP on every instance. It's less than ideal...
> >
>
> Why not just give each instance a port on a network which can route
> directly to the controller's network? Is there some reason you feel
> "forced" to use a floating IP?
>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
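The routing argument at the top of this thread (each gateway holds a real route for the other side's prefix, so minions and Magnum reach each other with no floating IPs or NAT) and Kevin's point that a stock tenant router only NATs outbound, as an added Python example that is not code from the thread or from Magnum. The route tables, the next-hop labels and the "nat" flag on a masquerading default route are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables: (prefix, next hop, masquerades?). A True third
# field marks a NAT default route: traffic leaves, but nothing on the far
# side can initiate a connection back without a floating IP / port forward.
MINION_GW = [
    ("192.0.2.0/24", "local", False),
    ("198.51.100.0/24", "198.51.100.254", False),   # route toward Magnum
]
MAGNUM_GW = [
    ("198.51.100.0/24", "local", False),
    ("192.0.2.0/24", "192.0.2.254", False),         # return route to minions
]
# Kevin's "out of the box" tenant router: only a NAT default route.
TENANT_ROUTER_NAT = [
    ("192.0.2.0/24", "local", False),
    ("0.0.0.0/0", "nat", True),
]
# Controller side with no route back into the tenant network.
MAGNUM_GW_NO_RETURN = [
    ("198.51.100.0/24", "local", False),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, nat) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, nat in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, nat)
    return best


def check_two_way(src_gw, src_ip, dst_gw, dst_ip):
    """Return (forward_ok, return_ok, direct).

    direct is True only when both gateways hold a non-NAT route for the
    other side's prefix, i.e. Clint's case: two-way traffic, no floating IP.
    """
    fwd = lookup(src_gw, dst_ip)
    back = lookup(dst_gw, src_ip)
    forward_ok = fwd is not None
    return_ok = back is not None
    direct = forward_ok and return_ok and not fwd[2] and not back[2]
    return forward_ok, return_ok, direct


if __name__ == "__main__":
    for minion in ("192.0.2.100", "192.0.2.101", "192.0.2.102"):
        print(minion, check_two_way(MINION_GW, minion, MAGNUM_GW, "198.51.100.1"))
    print("nat-only", check_two_way(TENANT_ROUTER_NAT, "192.0.2.100",
                                    MAGNUM_GW_NO_RETURN, "198.51.100.1"))
```

In the NAT-only case the forward direction still succeeds (the guest agent can call home), which is exactly why Kevin prefers agents that initiate the connection.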