Hi folks,

I'm working on the kuryr-kubernetes namespace feature to enable isolation between the different namespaces, i.e., pods on namespace A cannot 'talk' to pods or services on namespace B.

For the pods isolation, there is already a patch working: https://review.openstack.org/#/c/579181

However, for the services it is a bit more complex. There is some initial work on: https://review.openstack.org/#/c/581421

The above patch ensures isolation between services by modifying the security group associated to the loadbalancer VM to only allow traffic from ports with a given security group, in our case the one associated to the namespace. However, it is missing how to handle special cases, such as routes and services of LoadBalancer type.

For the LoadBalancer type we have two options:

1) When the service is of LoadBalancer type, not modify the security group associated to it, as it is meant to be accessible from outside. This is basically the out-of-the-box behaviour of Octavia.
   Pros: it is simple to implement and does not require any extra information.
   Cons: the svc can be accessed not only on the FIP, but also on the VIP.

2) Add a new security group rule also enabling the traffic from the public-subnet CIDR.
   Pros: it will not enable access from the VIP, only from the FIP.
   Cons: it either needs admin rights to get the public-subnet CIDR or a new config option where we specify it.

Any preferences? I already tested option 1) and will update the patch set with it shortly, but if option 2) is preferred, I will of course update the PS accordingly.

Thanks!

Best regards,
Luis

--
LUIS TOMÁS BOLÍVAR
SENIOR SOFTWARE ENGINEER
Red Hat Madrid, Spain
ltoma...@redhat.com

OpenStack Development Mailing List (not for usage questions)
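The two options above differ only in which Neutron security-group rules end up on the loadbalancer's security group, and the pros/cons follow directly from who those rules admit. The following is an added example, not kuryr-kubernetes or Octavia code: it builds the rule bodies for each option in the shape of the Neutron `security_group_rule` API (`remote_group_id` for "ports carrying the namespace SG", `remote_ip_prefix` for "the public-subnet CIDR") and evaluates them against a few constructed sources with Neutron's allow-if-any-ingress-rule-matches semantics. All identifiers, CIDRs and addresses are constructed; it assumes, as the email does, that Octavia's default listener rule has no remote restriction and that traffic arriving through the FIP carries a source address inside the public-subnet CIDR.

```python
"""Model of the two security-group options for LoadBalancer-type services.

Added example, not project code. Rule dicts follow the Neutron
security_group_rule body; the evaluator mimics Neutron's ingress
semantics (allow if any rule matches, deny otherwise) so the two
options can be compared offline without an OpenStack deployment.
"""
import ipaddress

# Constructed identifiers (assumptions, not values from the thread).
LB_SG = "sg-lb-nsA-svc"          # SG attached to the Octavia amphora (LB VM)
NS_A_SG = "sg-namespace-a"       # SG kuryr attaches to pods of namespace A
NS_B_SG = "sg-namespace-b"       # SG kuryr attaches to pods of namespace B
PUBLIC_CIDR = "203.0.113.0/24"   # public-subnet CIDR (TEST-NET-3, constructed)
LISTENER_PORT = 80


def base_rule(port):
    """Common part of an ingress rule for the service listener port."""
    return {
        "security_group_id": LB_SG,
        "direction": "ingress",
        "ethertype": "IPv4",
        "protocol": "tcp",
        "port_range_min": port,
        "port_range_max": port,
        "remote_group_id": None,
        "remote_ip_prefix": None,
    }


def option1_rules(port=LISTENER_PORT):
    """Option 1: leave the LB security group as Octavia created it.

    Assumption: the default listener rule carries no remote restriction,
    so the listener port is reachable from any source, VIP included.
    """
    return [base_rule(port)]


def option2_rules(port=LISTENER_PORT, ns_sg=NS_A_SG, public_cidr=PUBLIC_CIDR):
    """Option 2: namespace-SG rule plus a rule for the public-subnet CIDR."""
    by_group = dict(base_rule(port), remote_group_id=ns_sg)
    by_cidr = dict(base_rule(port), remote_ip_prefix=public_cidr)
    return [by_group, by_cidr]


def rule_matches(rule, src_ip, src_sgs, dst_port):
    """Neutron semantics: remote_group_id matches when the source port carries
    that SG; remote_ip_prefix matches when the source IP is in the CIDR; a
    rule with neither matches any source."""
    if not (rule["port_range_min"] <= dst_port <= rule["port_range_max"]):
        return False
    if rule["remote_group_id"] is not None:
        return rule["remote_group_id"] in src_sgs
    if rule["remote_ip_prefix"] is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["remote_ip_prefix"])
    return True


def allowed(rules, src_ip, src_sgs, dst_port=LISTENER_PORT):
    """Ingress is allowed if any rule matches; Neutron denies otherwise."""
    return any(rule_matches(r, src_ip, set(src_sgs), dst_port) for r in rules)


# Constructed traffic sources: (source IP, security groups on the source port).
SOURCES = {
    "pod in namespace A (VIP)": ("10.0.0.5", {NS_A_SG}),
    "pod in namespace B (VIP)": ("10.0.1.7", {NS_B_SG}),
    "tenant VM without namespace SG (VIP)": ("10.0.9.9", set()),
    "external client via FIP": ("203.0.113.42", set()),
}


def compare(options=None):
    """Return {option_name: {source_label: allowed?}} for the constructed sources."""
    options = options or {"option1": option1_rules(), "option2": option2_rules()}
    return {name: {src: allowed(rules, ip, sgs) for src, (ip, sgs) in SOURCES.items()}
            for name, rules in options.items()}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for src, ok in results.items():
            print(f"  {src:38s} {'allowed' if ok else 'denied'}")
```

Running it shows the trade-off in the email as a table: under option 1 every source reaches the listener port, including namespace-B pods hitting the VIP, while under option 2 only namespace-A pods and sources inside the public-subnet CIDR get through. The `remote_group_id` rule is what keeps the namespace isolation intact on the VIP path, and the `remote_ip_prefix` rule is the piece that needs the public-subnet CIDR, which is where the admin-rights or config-option cost of option 2 comes from.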