namespace and network policy handlers are not compatible

Bug #1799496 reported by Luis Tomas Bolivar
Affects: kuryr-kubernetes
Status: Fix Released
Importance: Undecided
Assigned to: Luis Tomas Bolivar
Milestone: (none)

Bug Description

Both the namespace and network policy handlers will need a different security group driver to properly ensure the isolation. This leads to them being incompatible, as kuryr only supports configuring one security group driver at a time.

We need to ensure that the namespace handler can work without the need for ensuring isolation (i.e., without a special security group driver), as the network policy security group driver is able to create finer-grained isolation policies.

Changed in kuryr-kubernetes:
assignee: nobody → Luis Tomas Bolivar (ltomasbo)
Changed in kuryr-kubernetes:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/611606
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=651da66af1191053a96b283aa6d890fd8488438d
Submitter: Zuul
Branch: master

commit 651da66af1191053a96b283aa6d890fd8488438d
Author: Luis Tomas Bolivar <email address hidden>
Date: Thu Oct 18 14:29:19 2018 +0200

    Ensure namespace and network policy compatibility

    This patch ensures namespace handler does not depend on specific
    functions implemented on the security group driver for the namespace
    isolation. This way it will be possible to enable the namespace
    handler (to create a different network per namespace) together with
    the network policy that will perform the isolation between pods/svc
    in a different way.

    Partially Implements: blueprint k8s-network-policies
    Closes-Bug: #1799496
    Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/613860

OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (stable/rocky)

Reviewed: https://review.openstack.org/613860
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=00c991be36ebee76c2e720e6fdc11bf06e0a33f8
Submitter: Zuul
Branch: stable/rocky

commit 00c991be36ebee76c2e720e6fdc11bf06e0a33f8
Author: Luis Tomas Bolivar <email address hidden>
Date: Thu Oct 18 14:29:19 2018 +0200

    Ensure namespace and network policy compatibility

    This patch ensures namespace handler does not depend on specific
    functions implemented on the security group driver for the namespace
    isolation. This way it will be possible to enable the namespace
    handler (to create a different network per namespace) together with
    the network policy that will perform the isolation between pods/svc
    in a different way.

    Partially Implements: blueprint k8s-network-policies
    Closes-Bug: #1799496
    Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536
    (cherry picked from commit 651da66af1191053a96b283aa6d890fd8488438d)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 0.5.2

This issue was fixed in the openstack/kuryr-kubernetes 0.5.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 0.6.0

This issue was fixed in the openstack/kuryr-kubernetes 0.6.0 release.
