Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1366227 - Deterministic IP provisioning for pods within projects
Summary: Deterministic IP provisioning for pods within projects
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Ben Bennett
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-11 10:27 UTC by Jaspreet Kaur
Modified: 2016-09-27 09:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 09:43:45 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC

Description Jaspreet Kaur 2016-08-11 10:27:26 UTC
1. Proposed title of this feature request  
    Deterministic IP provisioning for pods within projects. 
  
    3. What is the nature and description of the request?
    Pods provisioned, with in a project should have a deterministic set of IP's (range) to which they are allocated. 
      
    4. Why does the customer need this? (List the business requirements here)  
    External applications to OpenShift implement "white list" restrictions for access. Applications implemented on OpenShift, cant
     access these applications because IP's for the pods, are non-deterministic, and dynamic white-list updates are not acceptable change
     for these "downstream" application to make, simply to accommodate OpenShift applications. 
      
    5. How would the customer like to achieve this? (List the functional requirements here)
    
    Within the pod .yaml configuration file (or elsewhere) we could have an entry to specify it's IP or an IP range , so that the pod is allocated to this IP or one from the range of IPs. The IP or range can be used by the external applications to add it to their whitelist. 
      
    6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

    Using the API we can see that the IP of provisioned pods are within the range of IPs given.
      
    7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  

    No
      
    8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

    OSE v.3.x targeted, need already exists for this semester. 
      
    9. Is the sales team involved in this request and do they have any additional input?  

    No
    NOTE: It is suggested that this is discussed with them. 
      
    10. List any affected packages or components.  

    atomic-openshift-node
      
    11. Would the customer be able to assist in testing this functionality if implemented?  

    yes

Comment 2 Dan Winship 2016-08-30 14:34:37 UTC
Giving the pods deterministic IPs within the cluster doesn't help because all pod-to-external traffic gets NATted, so external servers will see the IP of the node, not the pod.

We added an "egress router" feature in 3.3 that allows you to cause certain traffic to get NATted to a special reserved IP address. It looks like it never got added to the official docs, so I'll file a bug about that, but there's a README in the source tree describing how it works: https://github.com/openshift/origin/tree/master/images/router/egress

Comment 4 errata-xmlrpc 2016-09-27 09:43:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933


Note You need to log in before you can comment on or make changes to this bug.