namespace and network policy handlers are not compatible
Bug #1799496 reported by Luis Tomas Bolivar
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr-kubernetes | Fix Released | Undecided | Luis Tomas Bolivar |
Bug Description
Both namespace and network policy handlers will need a different security group driver to properly ensure the isolation. This leads to them being incompatible, as kuryr only supports configuring one security group driver at a time.
We need to ensure that the namespace handler can work without the need for ensuring isolation (i.e., without a special security group driver), as the network policy security group driver is able to create finer-grained isolation policies.
Changed in kuryr-kubernetes:
assignee: nobody → Luis Tomas Bolivar (ltomasbo)
Changed in kuryr-kubernetes:
status: New → In Progress
Reviewed: https://review.openstack.org/611606
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=651da66af1191053a96b283aa6d890fd8488438d
Submitter: Zuul
Branch: master
commit 651da66af1191053a96b283aa6d890fd8488438d
Author: Luis Tomas Bolivar <email address hidden>
Date: Thu Oct 18 14:29:19 2018 +0200
Ensure namespace and network policy compatibility
This patch ensures namespace handler does not depend on specific
functions implemented on the security group driver for the namespace
isolation. This way it will be possible to enable the namespace
handler (to create a different network per namespace) together with
the network policy that will perform the isolation between pods/svc
in a different way.
Partially Implements: blueprint k8s-network-policies
Closes-Bug: #1799496
Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536