Kuryr:
• Brings OpenStack networking and storage to containers
• Kubernetes Neutron networking
• Native OpenStack infrastructure for mixed workloads
Example NetworkPolicy spec:

    spec:
      podSelector:
        matchLabels:
          role: db
      policyTypes:
      - Ingress
      - Egress
      ingress:
      - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
            - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
        ports:
        - protocol: TCP
          port: 6379

For the purposes of our talk:
- call the top one (spec.podSelector) the protected pod selector
- call the bottom one (ingress[].from[].podSelector) the remote pod selector
Neutron security group rules are created with:

    openstack security group rule create SG_NAME --protocol PROTO \
        --dst-port FROM:TO [--remote-ip CIDR | --remote-group REMOTE_SG] [--egress]

A rule matches in one direction only (ingress unless --egress is given), one protocol, one destination port range, and a single remote: either an IP prefix or another security group. There is no "except" clause, so a NetworkPolicy ipBlock with exceptions has to be split into several rules.
Translating a NetworkPolicy to Neutron: what each field becomes, and what Kuryr has to watch in K8s to keep it current.

    NetworkPolicy field              Neutron translation                                  K8s watches
    -------------------------------  ---------------------------------------------------  -------------------------------------------
    spec:
      podSelector:                   Create an SG that is applied to all pods matching    Watch all pods; in the callback, annotate
        matchLabels:                 "role: db"                                           pods with "role: db" with the sg-id
          role: db
      policyTypes:                   No Egress policy: allow all egress;
      - Ingress                      ingress according to spec
      ingress:
      - from:
        - ipBlock:                   Translated to a set of remote IP prefixes:
            cidr: 1.1.1.0/24         (1.1.1.128/25, 1.1.1.64/26)
            except:
            - 1.1.1.0/26
        - namespaceSelector:         Create an SG and use it as remote_group_id           Watch namespaces that match the query
            matchLabels:                                                                  "project: myproject"
              project: myproject
        - podSelector:               Create an SG and use it as remote_group_id           Watch pods that match the query
            matchLabels:                                                                  "role: frontend"
              role: frontend
        ports:                       Each rule above must match this protocol and port
        - protocol: TCP
          port: 6379
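The translation above, carried through in code as an added example (this is not Kuryr's implementation; it is standalone illustration code). It takes the slide's NetworkPolicy as an already-parsed dict, splits the ipBlock around its "except" prefixes with the standard library's ipaddress module, and emits one `openstack security group rule create` command line per (remote, port) pair for the protected SG. The SG ids for the namespaceSelector and podSelector peers are assumed to have been created by the watchers already and are passed in as a hypothetical mapping (SELECTOR_SGS, selector_key() are names invented here). Only the ingress side is translated, since a policy without Egress in policyTypes leaves egress untouched.

```python
import ipaddress
import shlex

# Constructed sample: the slide's NetworkPolicy as the dict the K8s API returns.
POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
    },
}

# Hypothetical ids of the remote SGs the selector watchers already created.
SELECTOR_SGS = {
    "ns:project=myproject": "sg-ns-myproject",
    "pod:role=frontend": "sg-pod-frontend",
}


def expand_ip_block(cidr, excepts=()):
    """Return cidr minus every prefix in excepts as a sorted list of CIDR strings.
    Neutron rules have no 'except', so one --remote-ip rule per surviving prefix
    is needed; ipaddress.address_exclude does the splitting (one family assumed)."""
    remaining = [ipaddress.ip_network(cidr)]
    for ex in excepts:
        ex_net = ipaddress.ip_network(ex)
        kept = []
        for net in remaining:
            if net.subnet_of(ex_net):          # whole prefix excluded (incl. equality)
                continue
            elif ex_net.subnet_of(net):        # carve the hole out of this prefix
                kept.extend(net.address_exclude(ex_net))
            else:                              # disjoint: untouched
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


def selector_key(peer):
    """Lookup key for the remote SG a namespaceSelector/podSelector peer maps to;
    both selectors in one peer are ANDed, so they share one key."""
    parts = []
    for kind, field in (("ns", "namespaceSelector"), ("pod", "podSelector")):
        labels = peer.get(field, {}).get("matchLabels", {})
        parts.extend(f"{kind}:{k}={v}" for k, v in sorted(labels.items()))
    return ";".join(parts)


def peer_remotes(peer, selector_sgs):
    """Map one 'from' peer to the --remote-ip / --remote-group arguments it needs."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        return [["--remote-ip", p]
                for p in expand_ip_block(block["cidr"], block.get("except", ()))]
    key = selector_key(peer)
    if key not in selector_sgs:
        raise KeyError(f"no security group created yet for selector {key!r}")
    return [["--remote-group", selector_sgs[key]]]


def translate_ingress(policy, protected_sg, selector_sgs):
    """Translate the Ingress side of a NetworkPolicy into 'openstack security
    group rule create' command lines for protected_sg.  Ingress absent from
    policyTypes: nothing is emitted.  Ingress listed with no rules: a fresh SG
    already has no ingress rules, so deny-all needs no commands either."""
    spec = policy["spec"]
    cmds = []
    if "Ingress" not in spec.get("policyTypes", []):
        return cmds
    for rule in spec.get("ingress", []):
        remotes = []
        for peer in rule.get("from", []):
            remotes.extend(peer_remotes(peer, selector_sgs))
        if not remotes:
            remotes = [[]]  # no 'from': any source, i.e. no --remote-* flag
        for port in rule.get("ports") or [None]:  # no 'ports': every port
            port_args = []
            if port is not None:
                lo = port["port"]
                if not isinstance(lo, int):
                    raise ValueError("named ports must be resolved against the pod spec first")
                hi = port.get("endPort", lo)
                port_args = ["--protocol", port.get("protocol", "TCP").lower(),
                             "--dst-port", f"{lo}:{hi}"]
            for remote in remotes:
                argv = ["openstack", "security", "group", "rule", "create",
                        protected_sg, "--ingress", *port_args, *remote]
                cmds.append(shlex.join(argv))
    return cmds
```

For the slide's own example, `expand_ip_block("1.1.1.0/24", ["1.1.1.0/26"])` gives `1.1.1.64/26` and `1.1.1.128/25`, the two prefixes in the table. The splitting is where rule counts grow: a /16 with a single /24 carved out of it becomes eight prefixes, so the policy above turns into ten Neutron rules (eight remote-ip, two remote-group), which matters for Neutron's per-tenant security group rule quota.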