
Please add examples of how to achieve via ACLs the effect that would be equivalent to combining natOutgoing: true + private: true #167

Open
abravalheri opened this issue May 24, 2024 · 3 comments

Comments

@abravalheri

abravalheri commented May 24, 2024

Issue requested by kubeovn/kube-ovn#3408 (comment).

Motivation

In kubeovn/kube-ovn#3408 I noticed that it is not currently possible to combine natOutgoing: true + private: true.

The effect that I would like to achieve is internal isolation between the subnets, while also allowing the pods to access addresses on the internet (e.g. for downloading datasets) via NAT-ing (so that external internet addresses cannot initiate any connection with a pod inside the cluster).

Constraints

I don't know beforehand which CIDRs the pods need to access/not to access.

Basically the pods should be able to access the whole "external world"/internet, and I don't have a predefined list of all CIDRs inside the cluster (new subnets are created and deleted dynamically all the time).

Documentation Request

One of the OVN contributors suggested in kubeovn/kube-ovn#3408 (comment) that it is possible to achieve that via ACLs. However I find that it is very hard to figure that out by myself, and I imagine that other people might be struggling with that too.

It would be nice if the docs contain examples of how to achieve this by manipulating the ACLs.

@bobz965
Contributor

bobz965 commented Aug 9, 2024

image

@abravalheri
Author

abravalheri commented Aug 9, 2024

Hi @bobz965 , thank you very much for pointing out in the docs what the meaning of the private configuration is. I think that is very clear in the current state of the docs.

The objective of this request is different, however: how to achieve the same effect as private by manipulating the ACLs, but without knowing beforehand all the subnets that are going to be created in the future in the cluster?

The rationale is described in detail in kubeovn/kube-ovn#3408.

Ideally, what we wanted is natOutgoing: true + private: true, but in kubeovn/kube-ovn#3408 the maintainers said these 2 configurations don't work together. In kubeovn/kube-ovn#3408 (comment) however it is suggested that it is possible to implement the same effect as private: true by using ACLs.

It is not obvious to me how to do that, hence this request for documentation: please include in the docs an example of how to obtain the same effects as private: true without using private: true, so that we can bypass the limitation and effectively achieve the effect that would be expected from natOutgoing: true + private: true.

@bobz965
Contributor

bobz965 commented Aug 12, 2024

@oilbeater I'm not familiar with natOutgoing, could you please take a look at this?
