Friday, 2019-03-29

[00:40] *** hongbin has joined #openstack-kuryr
[01:00] *** jistr has quit IRC
[01:00] *** jistr has joined #openstack-kuryr
[03:52] *** hongbin has quit IRC
[05:58] *** openstackgerrit has joined #openstack-kuryr
[05:58] <openstackgerrit> Yash Gupta proposed openstack/kuryr-kubernetes master: Improve logging for event dispatcher  https://review.openstack.org/648612
[06:02] *** yboaron_ has quit IRC
[06:10] *** janki has joined #openstack-kuryr
[07:08] *** ccamposr has joined #openstack-kuryr
[08:15] *** yboaron_ has joined #openstack-kuryr
[08:17] *** celebdor has joined #openstack-kuryr
[08:28] *** premsankar has quit IRC
[08:34] *** maysams has joined #openstack-kuryr
[08:56] *** yboaron_ has quit IRC
[09:11] *** celebdor has quit IRC
[09:15] *** pcaruana has joined #openstack-kuryr
[09:21] *** alisanhaji has joined #openstack-kuryr
[10:11] *** celebdor has joined #openstack-kuryr
[10:38] <dulek> maysams: I rebased your patch and started seeing issues with allowed_cidrs variable?
[10:38] <dulek> maysams: My VM died yesterday, so I can't provide you with the exact logs.
[10:40] <maysams> dulek: do you remember what kind of issues?
[10:41] <dulek> maysams: Nope. But I'm stacking again, so I'll probably know very soon. ;)
[10:41] <maysams> dulek: right, thanks
[11:02] <dmellado> dulek: maysams I might be slightly off today but pls keep me in the loop on that
[11:19] <dulek> maysams: Hm, you're right that defaults to tcp…
[11:23] <openstackgerrit> Michał Dulko proposed openstack/kuryr-kubernetes master: NP: Create allow-all SG and add it to pod SG's  https://review.openstack.org/648488
[11:23] <maysams> dulek, yup
[11:23] <dulek> This will work - `--protocol any`. :)
[11:30] <dulek> maysams: "Ran 1 of 3253 Specs in 308.722 seconds". :)
[11:31] <dulek> ltomasbo: Hey! Why do you think that if there's only ingress NP we should also open egress?
[11:31] <maysams> dulek: this is the output of the tests?
[11:31] <dulek> I'm obviously new to all this, so need some context. ;)
[11:31] <ltomasbo> dulek, let me see the examples of kubernetes policies
[11:33] <ltomasbo> dulek, for instance, here: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
[11:33] <ltomasbo> well, better than deny, let's go to the allow all
[11:33] <ltomasbo> https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-ingress-traffic
[11:34] <maysams> dulek: do you know if the only way to add tags to resources is with neutron cli? 'neutron tag-add --resource-type...'?
[11:34] <ltomasbo> if you see that, that NP is meant to allow all traffic from pods in the same namespace
[11:34] <ltomasbo> but if that is removing all the egress rules, at the end of the day, no one could talk to no one
[11:36] <dulek> maysams: Uh, I don't remember, but take a look on openstackclient, maybe it allows to do it better.
[11:36] <dulek> ltomasbo: Hm…
[11:37] <dulek> ltomasbo: I'm not 100% sure this NP is supposed to allow egress as well.
[11:37] <dulek> ltomasbo: I'll dig it up.
[11:37] <ltomasbo> dulek, tbh, I'm not sure either....
[11:37] <ltomasbo> let's check the spec...
[11:38] <ltomasbo> dulek: If this field is empty then this NetworkPolicy limits all outgoing traffic
[11:39] <ltomasbo> dulek, so, maybe you are right
[11:39] <ltomasbo> ohh, perhaps the trick is on the policyTypes field
[11:39] <ltomasbo> dulek: policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress.
[11:39] <dulek> ltomasbo: I don't know yet. :P
[11:40] <ltomasbo> so, egress is different than ingress
[11:40] <ltomasbo> https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#networkpolicyspec-v1-networking-k8s-io
[11:40] <ltomasbo> dulek, maysams ^^
[11:40] <ltomasbo> from there I understand, ingress is always applied, but not egress
[11:40] <ltomasbo> if you want to only apply egress (without limiting ingress) then you need to state it at the policyType, saying "Egress"
[11:41] <ltomasbo> we don't have that support yet either....
[11:41] <ltomasbo> Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ])
[11:42] <ltomasbo> so, if there is no Egress field on the NP spec, the policy only applies to ingress, and egress should be allowed
[11:43] <dulek> ltomasbo: Ha, so to implement that we also need two new SG's - egress-all and ingress-all.
[11:43] <dulek> ltomasbo: And apply those based on policyType?
[11:44] <ltomasbo> dulek, so, the thing is that currently we support policies with either just ingress or ingress+egress
[11:44] <ltomasbo> dulek, but we were not considering at all policyTypes
[11:45] <ltomasbo> so, we have no support for just egress (indicating that ingress is allowed)
[11:45] <dulek> ltomasbo: But this shouldn't be too hard to implement, isn't it? If policyType=ingress, apply egress-all, if policyType=egress apply ingress-all.
[11:46] <ltomasbo> yep
[11:46] <dulek> The only problem would be - what if pod is under two NP's - one ingress and one egress. We shouldn't apply neither egress-all nor ingress-all.
[11:47] <ltomasbo> umm
[11:47] <ltomasbo> well, that is why it is better to contain each NP associated to 1 SG
[11:47] <ltomasbo> and generate the rules accordingly
[11:47] <ltomasbo> then, it is additive, if one of the policies allows it, then it is allowed
[11:48] <ltomasbo> and this goes more complex, because one policy can enable only certain egress and the other other ingress/egress...
[11:48] <dulek> ltomasbo: Yeah, it's not trivial, I think.
[11:48] <ltomasbo> so, I would go for, if only ingress spec or policyType == ingress (or not defined)
[11:48] <ltomasbo> then add default egress rule allowing everything
[11:49] <ltomasbo> if only ingress spec but policyType==ingress,egress then not add the egress rules as it should be blocked
[11:50] <ltomasbo> if ingress+egress spec (or only egress) and not policyTypes, then as we have now, removing the default egress rules
[11:51] <ltomasbo> we may need another table for that... xD
[11:52] <dulek> ltomasbo: This isn't really too complicated. But do we evaluate NP's on pod one-by-one or do we have all of them applied in one go?
[11:53] <ltomasbo> each NP is a sg that is attached to the related pods (ports)
[11:53] <ltomasbo> so, if many NPs applied to a pod, that means many sgs attached to their ports
[11:53] <ltomasbo> but relation is 1 NP == 1 SG
[11:56] <dulek> ltomasbo: Okay, so it shouldn't be too bad, we need some additional info about NP's - if they're ingress or egress or both.
[11:57] <dulek> And apply allow-egress and allow-ingress if all NP's are missing it.
[11:57] <ltomasbo> yep, I'm building a table for the cases
[12:07] <ltomasbo> maysams, do you remember the document I created for the Network policy options? I don't find it anymore...
[12:07] <maysams> yes
[12:07] <maysams> one sec
[12:08] <maysams> https://docs.google.com/document/d/1Uth4OihWjq72Dj-LbAPKvbueF-b-GylqRWtbUXn7IrE/edit?usp=sharing
[12:08] <ltomasbo> thanks!
[12:08] <maysams> ltomasbo: np!
[12:18] <ltomasbo> maysams, dulek: I've added another table to that document (https://docs.google.com/document/d/1Uth4OihWjq72Dj-LbAPKvbueF-b-GylqRWtbUXn7IrE/edit) regarding the possible options and actions
[12:18] <ltomasbo> please double check
[12:20] *** janki has quit IRC
[12:23] <maysams> ltomasbo: I will. Thanks!
[12:29] <ltomasbo> maysams, dulek: seems we cover 1/3 of the cases...
[12:29] <ltomasbo> man, NP is getting bigger and bigger...
[12:29] <dulek> ltomasbo: Well, at least there's value in those K8s e2e tests? :D
[12:30] <ltomasbo> dulek, indeed!
[12:30] <ltomasbo> qe should have been chasing those down too...
[12:31] <maysams> dulek: They are really valuable
[12:31] <ltomasbo> dulek, do you want to take a look at adding that as part of your patch? should be a different one/follow-up?
[12:32] <dulek> ltomasbo: Ah, my thoughts exactly, but decided to keep them to myself. :P
[12:32] <dulek> ltomasbo: I'm pretty sure it should be follow up, but let me think about it a bit.
[12:32] <maysams> lunch, brb
[12:33] <dulek> BTW - yeah, with my patches applied the egress test passes, but then the ingress is broken. :D
[12:33] <ltomasbo> dulek, sure... let's add an extra column with the expected result of your patch (removing default egress rules)
[12:33] <dulek> Though not really sure why.
[12:33] <dulek> ltomasbo: Please give me some time to analyze this.
[12:33] <ltomasbo> sure!
[14:16] <openstackgerrit> Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add support for policyTypes at Network Policies  https://review.openstack.org/648699
[14:17] <ltomasbo> dulek, maysams ^^ fix for the policyType we discussed
[14:23] <openstackgerrit> Luis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add support for policyTypes at Network Policies  https://review.openstack.org/648699
[14:23] <ltomasbo> dulek, it would be great if you could give it a try on your env and see if it passes NP tests
[14:25] <dulek> 21 lines? Maaan, it's not bad. :D
[14:25] <ltomasbo> yep! it was simpler than expected
[14:25] <ltomasbo> (if it works...)
[14:26] <ltomasbo> dulek, plus, I put it on top of your modification removing the default egress rules
[14:38] <maysams> ltomasbo: I will take a look asap
[14:45] <ltomasbo> maysams, thanks!
[14:57] *** alisanhaji has quit IRC
[15:08] <dulek> ltomasbo: Damn, this explanation in the API reference is really complicated. :D
[15:09] <dulek> ltomasbo: I think the way you implemented it will not work in a case when Pod has two policies applied.
[15:10] <dulek> Imagine that there's one egress and one ingress policy applied on one pod.
[15:10] <dulek> A combination of SG's that allow all on ingress and egress will lead to opening all traffic.
[15:10] <dulek> And I don't think that is how it should be working. :(
[15:11] <ltomasbo> reading
[15:12] <ltomasbo> dulek, well, if you are applying those rules in a different NP, then that is user problem
[15:12] <ltomasbo> dulek, if you have a policy enabling all traffic, it does not matter if you later add another one enabling only some traffic, all will be allowed, right?
[15:13] <ltomasbo> it's an OR and security groups work like that too
[15:13] <dulek> ltomasbo: Well, depends on the additive logic, isn't it?
[15:13] <dulek> ltomasbo: Yeah, it's OR or AND. I don't know how that should work in K8s.
[15:13] <dulek> And I understand that SG's in OpenStack work the other way. :)
[15:13] <ltomasbo> if you want to have ingress + egress rules combined, you need to apply them in the same policy
[15:14] <dulek> ltomasbo: I really hope you're right here. :D
[15:14] <ltomasbo> let me re-check the examples at https://kubernetes.io/docs/concepts/services-networking/network-policies/
[15:16] <dulek> ltomasbo: "If you want to allow all traffic from all pods in a namespace (even if policies are added that cause some pods to be treated as “isolated”)" - this suggests you're right if I'm reading that "isolated" correctly?
[15:17] <ltomasbo> I think so
[15:19] <ltomasbo> dulek, did you try to run the tests with that? is it failing?
[15:19] <dulek> ltomasbo: Sorry, not yet, my env's quite fragile.
[15:20] <dulek> I should probably try to run that on a baremetal machine. :P
[15:22] <ltomasbo> dulek, no hurry!
[15:24] *** dmellado has quit IRC
[15:24] *** dulek has quit IRC
[15:26] *** dmellado has joined #openstack-kuryr
[15:27] *** dulek has joined #openstack-kuryr
[15:32] *** gmann is now known as gmann_afk
[16:10] *** maysams has quit IRC
[16:29] *** ccamposr has quit IRC
[16:36] *** celebdor has quit IRC
[16:44] <dulek> ltomasbo: Okay, it'll take me a lot more time, because I think some podman update broke my VM again. :(
[16:45] <ltomasbo> dulek, no worries...
[17:04] *** celebdor has joined #openstack-kuryr
[17:45] *** jistr is now known as jistr|off
[17:45] *** jistr|off is now known as jistr
[18:24] *** gcheresh has joined #openstack-kuryr
[18:38] *** pcaruana has quit IRC
[19:08] *** gcheresh has quit IRC
[19:19] *** gmann_afk is now known as gmann
[19:50] *** celebdor has quit IRC
[23:14] *** celebdor has joined #openstack-kuryr
[23:19] *** celebdor has quit IRC
[23:34] *** rh-jelabarre has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!