[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenShift SDN

Dan

Thanks for responding. Are you saying we need to install separate cluster installations for internal & external, or use a single cluster but achieve isolation using the VXID approach? As per the documentation, VXID helps with isolation only at the project level. To get that, we have to provision internal apps and external apps in separate projects and maintain isolation using VXID, although they share a single cluster installation.


-- 
Srinivas Kotaru
On 1/13/16, 1:45 PM, "Dan Winship" <danw redhat com> wrote:

>On 01/13/2016 01:34 AM, Srinivas Naga Kotaru (skotaru) wrote:
>> Just going back to original question of Internal Vs External apps
>> running from same cluster but separate pods placement using node
>> selector/region and zone. Remember although it is same cluster,
>> internal and external nodes will be running from their own
>> network subnets. We might need to open required ports for
>> OpenShift nodes to talk to each other and talk to the master.
>
>Yes, all the nodes, regardless of which subnet they are on, need to be
>able to send VXLAN packets to all of the other nodes.
>
>Well... Hm... Actually, I suppose that if you don't want there to be
>*any* communication between internal and external pods, you could just
>*not* allow the VXLAN traffic to pass between the two networks...
>
>> As per our Infosec policy, Internal apps shouldn’t talk to
>> external or vice versa. That is the reason we physically separate
>> them using network ACLs and allow only required ports.
>> 
>> The question here is, since OpenShift SDN is common across nodes,
>> I am thinking any pod can communicate with other pods or apps if they
>> want.
>
>That's how it would normally work, yeah, but as above, I guess there's
>no reason that you actually *have* to allow internal and external nodes
>to talk to each other, as long as all of them can talk to the master.
>
>OpenShift SDN wasn't designed with this use case in mind, but it seems
>like it ought to work... let us know if it does.
>
>(As you noted, the "official" way to do this is to use the multi-tenant
>plugin, and let it handle isolation within the single VXLAN. But it
>sounds like that doesn't map as well to your existing network.)
>
>-- Dan
>
>
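
The node-level arrangement Dan sketches above (VXLAN allowed only among nodes in the same subnet, dropped between the internal and external subnets, every node still reaching the master) as an added Python model. This is not code from the thread or from OpenShift; it assumes the OpenShift SDN overlay runs on UDP 4789 and an OpenShift 3.x master API on TCP 8443, and uses a constructed inventory of two node subnets and one master address. The rule strings mirror iptables syntax for readability, but nothing is applied to any host; the point is to state the isolation property and check a rule set against it.

```python
"""Model of node-level VXLAN isolation for an OpenShift SDN cluster split across two subnets.

Added example, not from the thread: each zone's nodes may exchange VXLAN with each
other, VXLAN between the two zones is dropped, and every node still reaches the
master API. Port numbers are assumptions; the inventory below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

VXLAN_PORT = 4789       # UDP port used by the OpenShift SDN VXLAN overlay
MASTER_API_PORT = 8443  # assumed OpenShift 3.x master API port


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    action: str  # "ACCEPT" or "DROP"

    def as_iptables(self) -> str:
        """Render in iptables-save style; the string is never applied to a host."""
        return (f"-A FORWARD -s {self.src} -d {self.dst} -p {self.proto} "
                f"--dport {self.dport} -j {self.action}")


# Constructed inventory: one node subnet per zone and a single master address.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "internal": ipaddress.ip_network("10.1.0.0/24"),
    "external": ipaddress.ip_network("10.2.0.0/24"),
}
MASTER = ipaddress.ip_network("10.0.0.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_rules(zones: Dict[str, ipaddress.IPv4Network],
                master: ipaddress.IPv4Network) -> List[Rule]:
    """Accept node->master and intra-zone VXLAN; drop VXLAN between different zones."""
    rules: List[Rule] = []
    for net in zones.values():
        rules.append(Rule(net, master, "tcp", MASTER_API_PORT, "ACCEPT"))  # nodes -> master API
        rules.append(Rule(net, net, "udp", VXLAN_PORT, "ACCEPT"))          # overlay inside the zone
    for sname, snet in zones.items():
        for dname, dnet in zones.items():
            if sname != dname:
                rules.append(Rule(snet, dnet, "udp", VXLAN_PORT, "DROP"))  # no cross-zone overlay
    return rules


def with_flat_vxlan(rules: List[Rule]) -> List[Rule]:
    """The usual flat SDN: VXLAN from any node to any node. Used to show the check failing."""
    return [Rule(ANY, ANY, "udp", VXLAN_PORT, "ACCEPT")] + list(rules)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: str = "DROP") -> str:
    """First match wins, like an iptables chain whose default policy is DROP."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and proto == r.proto and dport == r.dport:
            return r.action
    return policy


def check_isolation(rules: List[Rule], zones: Dict[str, ipaddress.IPv4Network],
                    master: ipaddress.IPv4Network) -> bool:
    """The property from the thread: VXLAN only within a zone, every zone reaches the master."""
    sample = {name: [str(h) for h in list(net.hosts())[:2]] for name, net in zones.items()}
    master_ip = str(master.network_address)
    for sname, shosts in sample.items():
        for s in shosts:
            if evaluate(rules, s, master_ip, "tcp", MASTER_API_PORT) != "ACCEPT":
                return False
            for dname, dhosts in sample.items():
                for d in dhosts:
                    if s == d:
                        continue
                    want = "ACCEPT" if sname == dname else "DROP"
                    if evaluate(rules, s, d, "udp", VXLAN_PORT) != want:
                        return False
    return True


if __name__ == "__main__":
    rules = build_rules(ZONES, MASTER)
    for r in rules:
        print(r.as_iptables())
    print("isolated:", check_isolation(rules, ZONES, MASTER))
    print("isolated with flat VXLAN:", check_isolation(with_flat_vxlan(rules), ZONES, MASTER))
```

The check deliberately fails for the flat configuration, which is what the SDN expects by default: dropping the cross-zone VXLAN is the whole mechanism here, so anything that later re-opens it (a broad allow rule added ahead of the drops, for instance) silently removes the isolation. As Dan notes, this is outside what OpenShift SDN was designed for; the multi-tenant plugin keeps isolation inside one VXLAN instead, at the cost of not matching a network that is already physically split.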

