[openstack-dev] [kuryr] Namespace isolation options

2018-07-12 Thread Luis Tomas Bolivar
Hi folks,

I'm working on the kuryr-kubernetes namespace feature to enable
isolation between the different namespaces, i.e., pods on namespace A
cannot 'talk' to pods or services on namespace B.

For the pods isolation, there is already a patch working:
https://review.openstack.org/#/c/579181

However, for the services it is a bit more complex. There is some initial
work on:
https://review.openstack.org/#/c/581421

The above patch ensures isolation between services by modifying the
security group associated to the loadbalancer VM to only allow traffic
from ports with a given security group, in our case the one associated
to the namespace.

However, it is missing how to handle special cases, such as routes and
services of LoadBalancer type. For the LoadBalancer type we have two options:
1) When the service is of LoadBalancer type, do not modify the security
group associated to it, as it is meant to be accessible from outside.
This basically is the out of the box behaviour of octavia. Pros: it is
simple to implement and does not require any extra information. Cons:
the svc can be accessed not only on the FIP, but also on the VIP.

2) Add a new security group rule also enabling the traffic from the
public-subnet CIDR. Pros: It will not enable access from the VIP, only
from the FIP. Cons: it either needs admin rights to get the
public-subnet CIDR or a new config option where we specify it.

Any preferences? I already tested option 1) and will update the patch
set with it shortly, but if option 2) is preferred, I will of course
update the PS accordingly.

Thanks!

Best regards,
Luis
-- 
LUIS TOMÁS BOLÍVAR
SENIOR SOFTWARE ENGINEER
Red Hat
Madrid, Spain
ltoma...@redhat.com


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
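Added example (not code from the kuryr-kubernetes patches linked in the thread): a small offline model of the listener security-group rules the two options produce, with a Neutron-style "any matching ingress rule admits the packet" evaluation, so the difference between option 1) and option 2) can be checked. The security-group ids, pod addresses and the public-subnet CIDR are constructed placeholders, and the rule and evaluation model is an assumed subset of Neutron security-group semantics (remote_group_id and remote_ip_prefix matching on a single listener port).

```python
# Model of the load-balancer security-group rules under the two options in
# the thread. Everything here is constructed for illustration; the ids,
# addresses and CIDR are placeholders, not values from a real deployment.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class SGRule:
    """Ingress rule in Neutron security-group terms (assumed subset of fields)."""
    port: int                               # listener port (port_range_min == max)
    protocol: str = "tcp"
    remote_group_id: Optional[str] = None   # match on the source port's security group
    remote_ip_prefix: Optional[str] = None  # match on the source address


@dataclass(frozen=True)
class Source:
    """Peer opening a connection to the VIP: its address and its port's SGs."""
    ip: str
    security_groups: FrozenSet[str] = frozenset()


def build_listener_rules(listener_port: int, namespace_sg_id: str,
                         service_type: str,
                         public_subnet_cidr: Optional[str] = None) -> List[SGRule]:
    """Rules the load balancer's security group carries under each option.

    ClusterIP services: only ports carrying the namespace SG may reach the VIP.
    LoadBalancer, option 1 (no public_subnet_cidr): leave octavia's default,
    open to anyone on the listener port.
    LoadBalancer, option 2 (public_subnet_cidr given): namespace SG plus the
    public-subnet CIDR, which is how the thread models traffic arriving
    through the FIP.
    """
    if service_type == "LoadBalancer" and public_subnet_cidr is None:
        return [SGRule(port=listener_port, remote_ip_prefix="0.0.0.0/0")]
    rules = [SGRule(port=listener_port, remote_group_id=namespace_sg_id)]
    if service_type == "LoadBalancer":
        rules.append(SGRule(port=listener_port, remote_ip_prefix=public_subnet_cidr))
    return rules


def is_allowed(rules: List[SGRule], src: Source, dst_port: int,
               protocol: str = "tcp") -> bool:
    """Neutron-style evaluation: the first matching ingress rule admits the packet."""
    addr = ipaddress.ip_address(src.ip)
    for rule in rules:
        if rule.protocol != protocol or rule.port != dst_port:
            continue
        if rule.remote_group_id is not None and rule.remote_group_id not in src.security_groups:
            continue
        if rule.remote_ip_prefix is not None and addr not in ipaddress.ip_network(rule.remote_ip_prefix):
            continue
        return True
    return False


# Constructed scenario: a service in namespace A exposed on port 80.
NS_A_SG = "sg-namespace-a"                  # placeholder security-group id
POD_NS_A = Source("10.0.0.10", frozenset({NS_A_SG}))
POD_NS_B = Source("10.0.0.20", frozenset({"sg-namespace-b"}))
VIA_FIP = Source("172.24.4.15")             # address inside the public subnet
PUBLIC_CIDR = "172.24.4.0/24"               # placeholder public-subnet CIDR


def compare_options(listener_port: int = 80) -> dict:
    """Who can reach the VIP on the listener port under each option."""
    opt1 = build_listener_rules(listener_port, NS_A_SG, "LoadBalancer")
    opt2 = build_listener_rules(listener_port, NS_A_SG, "LoadBalancer", PUBLIC_CIDR)
    cluster = build_listener_rules(listener_port, NS_A_SG, "ClusterIP")
    return {
        name: {
            "pod_in_namespace": is_allowed(rules, POD_NS_A, listener_port),
            "pod_other_namespace": is_allowed(rules, POD_NS_B, listener_port),
            "via_fip": is_allowed(rules, VIA_FIP, listener_port),
        }
        for name, rules in (("option1", opt1), ("option2", opt2), ("clusterip", cluster))
    }


if __name__ == "__main__":
    for name, reach in compare_options().items():
        print(name, reach)
```

Running it shows the con of option 1 directly: a pod in namespace B reaches the VIP of namespace A's LoadBalancer service, because the default rule matches any source. Under option 2 that pod is refused while sources in the public-subnet CIDR are still admitted, and the ClusterIP case admits only ports in the namespace security group.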


Re: [openstack-dev] [kuryr][kuryr-kubernetes] Propose to support Kubernetes Network Custom Resource Definition De-facto Standard Version 1

2018-06-06 Thread Luis Tomas Bolivar
Hi Peng,

Thanks for the proposal! See below

On 06/06/2018 05:47 AM, Peng Liu wrote:
> Hi Kuryr-kubernetes team,
> 
> I'm thinking to propose a new BP to support  Kubernetes Network Custom
> Resource Definition De-facto Standard Version 1 [1], which was drafted
> by network plumbing working group of kubernetes-sig-network. I'll call
> it NPWG spec below.
> 
> The purpose of NPWG spec is trying to standardize the multi-network
> effort around K8S by defining a CRD object 'network' which can be
> consumed by various CNI plugins. I know there has already been a BP
> VIF-Handler And Vif Drivers Design, which has designed a set of
> mechanism to implement the multi-network functionality. However I think
> it is still worthwhile to support this widely accepted NPWG spec.

Yes, I agree
> 
> My proposal is to implement a new vif_driver, which can interpret the
> pod annotation and CRD defined by NPWG spec, and attach pod to
> additional neutron subnet and port accordingly. This new driver should
> be mutually exclusive with the sriov and additional_subnets drivers. So
> the end users can choose either way of using multi-network with
> kuryr-kubernetes.

Perhaps we can move current kuryr annotations on pods to also use CRDs,
defining a standard way (for instance, dict with 'nic-name' :
kuryr-port-crd, and then the kuryr-port-crd having the vif information).

Cheers,
Luis

> 
> Please let me know your thought, any comments are welcome.
> 
> 
> 
> [1] 
> https://docs.google.com/document/d/1Ny03h6IDVy_e_vmElOqR7UdTPAG_RNydhVE1Kx54kFQ/edit#heading=h.hylsbqoj5fxd
> 
> 
> 
> Regards,
> 
> -- 
> Peng Liu
> 

-- 
LUIS TOMÁS BOLÍVAR
SENIOR SOFTWARE ENGINEER
Red Hat
Madrid, Spain
ltoma...@redhat.com




Re: [openstack-dev] [Neutron] Neutron team social event in Barcelona

2016-10-17 Thread Luis Tomas Bolivar
+1

On 10/14/2016 08:30 PM, Miguel Lavalle wrote:
> Dear Neutrinos,
> 
> I am organizing a social event for the team on Thursday 27th at 19:30.
> After doing some Google research, I am proposing Raco de la Vila, which is
> located in Poblenou: http://www.racodelavila.com/en/index.htm. The menu is
> here: http://www.racodelavila.com/en/carta-racodelavila.htm
> 
> It is easy to get there by subway from the Summit venue:
> https://goo.gl/maps/HjaTEcBbDUR2. I made a reservation for 25 people under
> 'Neutron' or "Miguel Lavalle". Please confirm your attendance so we can get
> a final count.
> 
> Here's some reviews:
> https://www.tripadvisor.com/Restaurant_Review-g187497-d1682057-Reviews-Raco_De_La_Vila-Barcelona_Catalonia.html
> 
> Cheers
> 
> Miguel
> 
> 
> 
