CORENET-6665: Virtual Private Clouds #1967
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: . The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
@tssurya: This pull request references CORENET-6665 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.22.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
| The VPC controller's lifecycle management will be done through Cluster Network Operator | ||
| on OpenShift. [TBD] The vpc controller pods will just run on the control plane | ||
| of the cluster (management clustr in case of multiple clusters) and create the relevant |
| Does not create VPCs directly — uses the namespaces provisioned by the | ||
| network administrator. | ||
| - **VPC controller**: the automated reconciler that translates VPC intent | ||
| into OVN-Kubernetes resources. |
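Review bot: "management clustr" in the lifecycle paragraph should read "management cluster", and the "[TBD]" on where the VPC controller pods run needs to be resolved before merge, since the sentence that follows it (control plane of the cluster, or the management cluster when there are several) is stated as the design rather than as an open question.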
Should we implement a 'pause' or 'skip-reconcile' mechanism (just like `PausedUntil`)? This would be invaluable for troubleshooting or handling manual overrides in specific edge cases.
| Does this proposal implement a behavior that's new/unique/novel? Is it poorly | ||
| aligned with existing user expectations? Will it be a significant maintenance | ||
| burden? Is it likely to be superceded by something else in the near future? |
VPC serves more as a logical business boundary than just a flat platform capability. This abstraction suggests that we should decouple network services like NLB/SLB and FloatingIPs. Should we consider these as part of our future roadmap to complete the networking ecosystem?
| ## Motivation | ||
| Today, achieving VPC-like isolation on OpenShift requires manually creating and | ||
| wiring together multiple low-level networking primitives (C(UDN)s, CNCs, |
I think everywhere you say "C(UDN)s" you mean "(C)UDNs"?
| private, isolated) it had in VMware, so that the migration is transparent | ||
| to applications. | ||
(This is nitpicky, but if you end up having to go back to change any of the images, right now several of them have boxes inside boxes, where the inner and outer boxes both have the same fill pattern, and the inner boxes are transparent, and not all aligned the same way to the outer box, so you get different interference patterns in different places. Eg, in the left green box in this image, VM2 appears to be shaded darker than VM1, even though it's not supposed to be.)
| remain in `v1beta1` — the primary user-facing interfaces for the | ||
| initial delivery are the **CLI plugin** and **OpenShift Console plugin**. | ||
| Users should not need to hand-craft VPC YAML; the CLI and console | ||
| are the intended entry points. |
"users should not need to hand-craft YAML" does not explain why "the API will remain v1beta1"... unless you are suggesting that we will intentionally try to keep users from using the API directly so that we have more flexibility to make incompatible changes to it later, in which case you should say that.
(But based on "Workflow 3: Direct API (YAML / GitOps)" below it seems like you don't mean that?)
| N/A | ||
| ## Introduction |
This needs to come MUCH sooner. Definitely before the User Stories. Possibly between Summary and Motivation.
| ### Internet Gateway / NAT Gateway | ||
| An **internet gateway** enables communication between VPC resources and the |
| An **internet gateway** enables communication between VPC resources and the | |
| An **internet gateway** enables bidirectional communication between VPC resources and the |
(or "inbound and outbound" if you want more parallelism with the NAT Gateway definition)
| // AvailabilityZone selects the failure domain for a VPC subnet. | ||
| // It follows the nested selector pattern used by AdminNetworkPolicy | ||
| // (e.g. NamespacedPod groups namespaceSelector + podSelector). |
The person reading the API docs does not need to know that the API pattern came from ANP
| // the selector receive the namespace + UDN for this subnet. | ||
| // | ||
| // +kubebuilder:validation:Required | ||
| // +required |
if AvailabilityZone is multi-cluster-only then the docs above in VPCSubnet should say that
| // plugin) so that all pods in the subnet schedule only on matching | ||
| // nodes. | ||
| // | ||
| // The typical use is AZ pinning — e.g. |
This is inside a struct called AvailabilityZone... AZ pinning is the only use, right?
| - **production-app-a**, **production-app-b** (Private): node IP SNAT for outbound traffic | ||
| - **production-db-a**, **production-db-b** (Isolated): no external routing, no intra-VPC routing | ||
| #### Subnet Immutability |
need validation in the CRD
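One way to give "Subnet Immutability" the CRD-level validation asked for above, as an added example that is not part of the enhancement or the OVN-Kubernetes code base. The `VPCSubnetSpec` fields (`cidr`, `availabilityZone` as a plain string) are assumptions made for the illustration; the `+kubebuilder:validation:XValidation` marker with `self == oldSelf` is the controller-gen form of a CEL transition rule that makes the API server reject any update whose spec differs from the stored one. The Go function below is the defence-in-depth counterpart a webhook or controller can run, and it names the fields that drifted so the rejection message is actionable.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// VPCSubnetSpec is a constructed, trimmed-down spec for this example; the
// field set is an assumption, not the enhancement's API.
//
// The CEL transition rule below is evaluated by the API server on UPDATE:
// `oldSelf` is the stored spec, `self` the incoming one, so any change to
// any spec field is rejected before a controller ever sees it.
//
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="VPCSubnet spec is immutable"
type VPCSubnetSpec struct {
	// CIDR is the subnet address range (assumed field).
	CIDR string `json:"cidr"`
	// AvailabilityZone is the failure domain, simplified to a string here.
	AvailabilityZone string `json:"availabilityZone"`
}

// ErrImmutable is the sentinel wrapped by ValidateSubnetUpdate.
var ErrImmutable = errors.New("VPCSubnet spec is immutable")

// ChangedFields returns the JSON names of the top-level spec fields whose
// values differ between the stored and the proposed spec, in declaration order.
func ChangedFields(old, updated VPCSubnetSpec) []string {
	var changed []string
	ov, nv := reflect.ValueOf(old), reflect.ValueOf(updated)
	t := ov.Type()
	for i := 0; i < t.NumField(); i++ {
		if reflect.DeepEqual(ov.Field(i).Interface(), nv.Field(i).Interface()) {
			continue
		}
		// Prefer the json tag name so the message matches what the user wrote.
		name := strings.Split(t.Field(i).Tag.Get("json"), ",")[0]
		if name == "" {
			name = t.Field(i).Name
		}
		changed = append(changed, name)
	}
	return changed
}

// ValidateSubnetUpdate mirrors the CRD rule in Go so that a cluster whose
// stored CRD predates the CEL rule still refuses spec drift at the webhook
// or reconciler, and so the caller gets a precise reason.
func ValidateSubnetUpdate(old, updated VPCSubnetSpec) error {
	if changed := ChangedFields(old, updated); len(changed) > 0 {
		return fmt.Errorf("%w: fields changed: %s", ErrImmutable, strings.Join(changed, ", "))
	}
	return nil
}

func main() {
	stored := VPCSubnetSpec{CIDR: "10.0.1.0/24", AvailabilityZone: "zone-a"}
	attempt := VPCSubnetSpec{CIDR: "10.0.2.0/24", AvailabilityZone: "zone-a"}
	if err := ValidateSubnetUpdate(stored, attempt); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The CEL rule is the authoritative gate because it runs inside the API server on every update path (CLI, console plugin, GitOps); the Go check only repeats it where an older CRD schema might still be installed, and its field list exists to make the denial explain itself.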
| #### DNS | ||
| In the OpenStack world, each tenant network has its own DNS. The VPC model |
Do you mean VMware? You don't mention OpenStack anywhere else...
thanks @danwinship / @lance5890 for the reviews! addressing them..
This PR adds the design/architecture for modelling VPCs in OpenShift