Why danm CNI k8s namespace and pods namespace should be same?? #49

Closed
anannaya opened this issue Feb 25, 2019 · 4 comments
Labels
support How? And why?

Comments

@anannaya

Hi,
I have 2 questions here:

  1. How is the IPAM management done if we create the same network (subnet) in 2 different namespaces? Can this be handled using an Admission controller?

  2. Since CNI (DanmNet) creation is the administrator's responsibility, it may not have been deployed in a different namespace. Can we provide an option in the annotation block to specify a k8s namespace as well, along with the other details?

Please share your opinion on these 2 questions/issues.
Br,
Anand

@Levovar
Collaborator

Levovar commented Feb 25, 2019

1: You can define different allocation_pools for both. So, you provide the same CIDR, but divide the CIDR into two non-overlapping allocation pools.
Yeah, I guess a ValidationWebhook could make sure allocation_pools are not overlapping between DanmNets.

2: Technically it would be possible, but practically speaking, as you say, network administration is an operator responsibility. Deployment / Pod etc. manifests are usually submitted to the cluster by an application though, or by an application deployment engineer. The two roles are usually separate, done by different users, having different sets of privileges.
If we allowed applications to overrule administrators and use networks not meant for them, that would be a violation of data privacy.
E.g. the operator creates a "flannel" NetworkType DanmNet in namespace vnf1, but not in vnf2. An application in vnf2 should not be able to use this network from namespace vnf1, and thus connect to a network it is not allowed to.

BTW I'm not against providing a configuration interface for defining cluster-wide networks, but it shall be done in a way that still only operators can access that configuration interface.

@anannaya
Author

> I guess a ValidationWebhook could make sure allocation_pools are not overlapping between DanmNets

->>>> Is this webhook planned in future releases?

> BTW I'm not against providing a configuration interface for defining cluster-wide networks, but it shall be done in a way that still only operators can access that configuration interface.

->>>> For example, products like CSCF, HSS (UDM)... can share the common OAM network created in a different namespace in the same cluster. Is there any plan to support this kind of configuration?

@Levovar
Collaborator

Levovar commented Feb 26, 2019

1: A webhook is definitely planned, we even have an issue open for that. Though the primary focus of the hook would be validating other things, this is a good additional use-case for the component.
Will record it in its own thread.

2: For the time being, as I described above, you can achieve this configuration by splitting the allocation pool between namespaces.
I don't have a proposal right now for the long run, we need to figure out the right configuration interface.

If you don't mind I will close the issue, as I think it is answered, but I will expand the validator use-case list, and will discuss how to approach the concept of cluster-wide networks.
If we have a good way I'm gonna open a new issue specifically for it. Ofc we are also open to suggestions, as long as the main constraint of network management being operator responsibility remains as-is.
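The workaround described in both of Levovar's replies (one CIDR shared by two namespaces, split into two non-overlapping allocation_pools) and the validating-webhook check he proposes can be shown together in a few lines of Go. The code below is an added example, not DANM's own code: the `DanmNet`, `DanmNetOption` and `IpPool` structs only mirror the manifest fields the check needs (`spec.Options.cidr`, `spec.Options.allocation_pool.start`/`.end`), the function `ValidateAllocationPools` and its "same cidr means same subnet" rule are assumptions, and the sample objects are constructed for the example. A real webhook would run this check inside its AdmissionReview handler, which is not shown.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// IpPool mirrors spec.Options.allocation_pool of a DanmNet manifest (assumed shape).
type IpPool struct {
	Start string // allocation_pool.start
	End   string // allocation_pool.end
}

// DanmNetOption mirrors the subset of spec.Options this check needs (assumed shape).
type DanmNetOption struct {
	Cidr string // cidr
	Pool IpPool // allocation_pool
}

// DanmNet is a minimal stand-in for the DanmNet CRD object; only the
// fields used by the overlap check are modelled (assumption for the example).
type DanmNet struct {
	Name      string
	Namespace string
	Options   DanmNetOption
}

// ip4ToUint turns an IPv4 address into an integer so ranges can be compared.
func ip4ToUint(s string) (uint32, error) {
	ip := net.ParseIP(s)
	if ip == nil || ip.To4() == nil {
		return 0, fmt.Errorf("%q is not an IPv4 address", s)
	}
	return binary.BigEndian.Uint32(ip.To4()), nil
}

// poolRange checks that the allocation_pool is well-formed and lies inside
// the cidr, and returns its numeric bounds.
func poolRange(n DanmNet) (uint32, uint32, error) {
	_, ipnet, err := net.ParseCIDR(n.Options.Cidr)
	if err != nil {
		return 0, 0, fmt.Errorf("%s/%s: bad cidr: %w", n.Namespace, n.Name, err)
	}
	lo, err := ip4ToUint(n.Options.Pool.Start)
	if err != nil {
		return 0, 0, fmt.Errorf("%s/%s: bad allocation_pool.start: %w", n.Namespace, n.Name, err)
	}
	hi, err := ip4ToUint(n.Options.Pool.End)
	if err != nil {
		return 0, 0, fmt.Errorf("%s/%s: bad allocation_pool.end: %w", n.Namespace, n.Name, err)
	}
	if lo > hi {
		return 0, 0, fmt.Errorf("%s/%s: allocation_pool.start is after allocation_pool.end", n.Namespace, n.Name)
	}
	if !ipnet.Contains(net.ParseIP(n.Options.Pool.Start)) || !ipnet.Contains(net.ParseIP(n.Options.Pool.End)) {
		return 0, 0, fmt.Errorf("%s/%s: allocation_pool is not inside cidr %s", n.Namespace, n.Name, n.Options.Cidr)
	}
	return lo, hi, nil
}

// sameSubnet treats two DanmNets as the same subnet when their cidr fields
// normalise to the same network (assumption; DANM may key networks differently).
func sameSubnet(a, b DanmNet) bool {
	_, na, errA := net.ParseCIDR(a.Options.Cidr)
	_, nb, errB := net.ParseCIDR(b.Options.Cidr)
	return errA == nil && errB == nil && na.String() == nb.String()
}

// ValidateAllocationPools is the rule a ValidatingWebhook could apply on
// DanmNet create/update: the candidate's pool must sit inside its cidr and
// must not overlap the pool of any existing DanmNet on the same cidr, in any namespace.
func ValidateAllocationPools(existing []DanmNet, candidate DanmNet) error {
	cLo, cHi, err := poolRange(candidate)
	if err != nil {
		return err
	}
	for _, e := range existing {
		if e.Namespace == candidate.Namespace && e.Name == candidate.Name {
			continue // an update replaces this object, so do not compare it with itself
		}
		if !sameSubnet(e, candidate) {
			continue
		}
		eLo, eHi, err := poolRange(e)
		if err != nil {
			return err
		}
		if cLo <= eHi && eLo <= cHi { // closed intervals intersect
			return fmt.Errorf("allocation_pool %s-%s of %s/%s overlaps %s-%s of %s/%s on cidr %s",
				candidate.Options.Pool.Start, candidate.Options.Pool.End, candidate.Namespace, candidate.Name,
				e.Options.Pool.Start, e.Options.Pool.End, e.Namespace, e.Name, candidate.Options.Cidr)
		}
	}
	return nil
}

func main() {
	// Constructed sample: one /24 shared by vnf1 and vnf2, split as the thread suggests.
	vnf1 := DanmNet{Name: "oam", Namespace: "vnf1", Options: DanmNetOption{Cidr: "10.10.0.0/24", Pool: IpPool{Start: "10.10.0.10", End: "10.10.0.100"}}}
	vnf2 := DanmNet{Name: "oam", Namespace: "vnf2", Options: DanmNetOption{Cidr: "10.10.0.0/24", Pool: IpPool{Start: "10.10.0.101", End: "10.10.0.200"}}}
	fmt.Println("vnf2 accepted, err =", ValidateAllocationPools([]DanmNet{vnf1}, vnf2))
	// A third namespace whose pool straddles vnf1's range is rejected.
	vnf3 := DanmNet{Name: "oam", Namespace: "vnf3", Options: DanmNetOption{Cidr: "10.10.0.0/24", Pool: IpPool{Start: "10.10.0.50", End: "10.10.0.150"}}}
	fmt.Println("vnf3 rejected, err =", ValidateAllocationPools([]DanmNet{vnf1, vnf2}, vnf3))
}
```

The check is deliberately namespace-blind: the whole point of the thread is that the same CIDR may legitimately appear in several namespaces, so the webhook must compare pools across all DanmNets on that CIDR rather than only within one namespace.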

@Levovar
Collaborator

Levovar commented Feb 26, 2019

(For the second purpose you can also use Flannel, BTW. As Flannel manages its own IPs, you don't need to define CIDR and allocation pool parameters per namespace.)

@Levovar Levovar added the support How? And why? label Mar 9, 2019