Re: Network segmentation

Fluentd runs on the host network and communicates out (today) to reach elastic search. Elastic search is protected by authorization that denies read/write access from random parties based on cluster level permissions. On Thu, Nov 3, 2016 at 4:52 PM, Josh Baird wrote: >

Re: Wrong resource consumption on scheduler

No, but the global default for any project will steer you away from infra nodes. On Wed, Nov 2, 2016 at 9:32 AM, Frank Liauw wrote: > No, it does not. Are nodes without region labels automatically classified > as infra region? > > Frank > Systems Engineer > > VSee:

Re: Network segmentation

The question is how much you trust container security. If someone managed to escape from a container they can send traffic to any pod in the network from the node. If the networks were physically separated that would not be possible... OVS is enforcing the pod connectivity rules, and it can't

Re: Network segmentation

Hi Ben, Thanks for the detailed response. Do you think it's worth the effort to have physical network separation between the infra/app nodes and the masters? Or.. can the masters and nodes both coexist in the same physical network without security concerns? Thanks, Josh On Thu, Nov 3, 2016

Re: Openshift discovery

Not sure from your output but ff the first entry in the same server isn't the openshift master address, then Alpine will fail because it doesn't try multiple name servers for things under cluster.local. But it *might* be trying a random one, in which case the only solution for alpine is to set up

Re: Openshift discovery

% oc get svc NAMECLUSTER-IP EXTERNAL-IP PORT(S)AGE net-tools 172.30.112.9 8080/TCP 18h / $ cat /etc/resolv.conf search sd-testing.svc.cluster.local svc.cluster.local cluster.local cisco.com nameserver 173.36.96.19 nameserver 173.37.137.85 nameserver 173.37.142.73

Re: Openshift discovery

Can you show me the output of dig for kubernetes.default.svc.cluster.local AND contents of resolv.conf? On Thu, Nov 3, 2016 at 12:38 PM, Srinivas Naga Kotaru (skotaru) < skot...@cisco.com> wrote: > SKOTARU-M-H06U:~ $ oc get pods > > NAMEREADY STATUS RESTARTS AGE

Re: Openshift discovery

SKOTARU-M-H06U:~ $ oc get pods NAMEREADY STATUS RESTARTS AGE net-tools-1-pp4t4 0/1 CrashLoopBackOff 20817h SKOTARU-M-H06U:~ $ SKOTARU-M-H06U:~ $ oc debug net-tools-1-pp4t4 Debugging with pod/net-tools-1-pp4t4-debug, original command: sh Waiting

Re: Unable to start openshift in VM, AWS or google cloud

Hi Ravi, On AWS, the magic incantation is: oc cluster up --public-hostname=[public dns name] --routing-suffix=[ip address].xip.io Don't specify the numeric ip address in --public-hostname, rather the dns name. You can then access the web console at https://[public

Upcoming: backwards incompatible change of handling --env/--param/--value oc options

In upcoming Origin 1.4 and OpenShift Container Platform 3.4 releases, it will no longer be possible to use single command-line line option to pass several comma-separated environment variables or template parameters. Examples of commands that will not work as before: oc start-build hello-world

Re: Unable to start openshift in VM, AWS or google cloud

On Wed, Nov 2, 2016 at 11:34 PM, Ravi wrote: > > I am not able to start openshift, I tried three different ways. > > 1. Windows 7 + Virtual Box + Ubuntu > oc cluster up works well. I went to console and launched nodejs-ex > example. Console shows it is up, however when I

Re: How to use SCC and HostPath ?

2016-11-03 15:03 GMT+01:00 Stéphane Klein : > > > 2016-11-03 14:56 GMT+01:00 Clayton Coleman : > >> That RC is creating pods under service account cassandra. So you need to >> give "cassandra" access to privileged >> >> > Yes ! it's here:

Re: How to use SCC and HostPath ?

2016-11-03 15:03 GMT+01:00 Stéphane Klein : > > > 2016-11-03 14:56 GMT+01:00 Clayton Coleman : > >> That RC is creating pods under service account cassandra. So you need to >> give "cassandra" access to privileged >> >> > Yes ! it's here:

Re: Openshift discovery

Clayton Sorry for confusion. Original problem was, Service discovery not working in regular openshift apps. Out of the box images as well as custom images. I was trying to build a image with a net tools for debugging, so it is easy for troubleshoot as out of the box images does not have basic

Re: How to use SCC and HostPath ?

That RC is creating pods under service account cassandra. So you need to give "cassandra" access to privileged On Nov 3, 2016, at 9:23 AM, Stéphane Klein wrote: Hi, This my SCC: $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP

Re: How to use SCC and HostPath ?

2016-11-03 14:56 GMT+01:00 Clayton Coleman : > That RC is creating pods under service account cassandra. So you need to > give "cassandra" access to privileged > > Yes ! it's here:

Re: Openshift discovery

If you "oc debug" the crashing pods, do you get a shell up? On Nov 3, 2016, at 9:56 AM, Srinivas Naga Kotaru (skotaru) < skot...@cisco.com> wrote: Clayton Sorry for confusion. Original problem was, Service discovery not working in regular openshift apps. Out of the box images as well as custom

Re: How to use SCC and HostPath ?

Hi, I suspect that it can be caused by wrong indentation. Could you try to reduce the indentation of the volumes: block by 2 spaces? -- Slava Semushin | OpenShift - Original Message - From: "Stéphane Klein" To: "users"

Re: Openshift discovery

Alpine uses musl which has known differences from glibc in how it handles DNS resolution. *usually* this is because multiple nameservers are listed in resolv.conf and the first one doesn't answer queries for *svc.cluster.local. You can check that by execing into containers and looking at the

How to use SCC and HostPath ?

Hi, This my SCC: $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUPPRIORITY READONLYROOTFS VOLUMES anyuid false []MustRunAs RunAsAny RunAsAnyRunAsAny10 false[configMap downwardAPI emptyDir