Add CNI support when iptables are unavailable (e.g. OpenShift4) #1610
Comments
@ksubrmnn - What are your thoughts around this? Could you help us scope this work to see what all would be involved to support OpenShift?
As part of Windows Support for OSM #2082 we could use a CNI plugin. The existing alternative (init_container) is not possible on Windows since modifying HNS policies requires the container to modify host properties as an administrator. Which leaves us with the CNI as the best way forward. This would require some further research to address the following questions:
- CNI plugin specific questions
- CNI plugin API
- How does the CNI plugin communicate with OSM?
I think these are only the preliminary questions and the next step is to submit a detailed RFC to answer these and solicit feedback from the community.
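To make the "how does the CNI plugin communicate with OSM" question concrete, here is an added sketch of the contract a chained CNI plugin operates under; it is not code from OSM, Istio, or this issue. The CNI runtime invokes the plugin once per pod network setup, passing CNI_COMMAND, CNI_CONTAINERID, CNI_NETNS, CNI_IFNAME and CNI_ARGS in the environment and the network configuration (including the previous plugin's prevResult) on stdin; kubelet puts K8S_POD_NAMESPACE and K8S_POD_NAME into CNI_ARGS. The plugin therefore already knows the pod's netns path and identity on the node side, which is what an init container otherwise needs NET_ADMIN to act on from inside the pod. The excludeNamespaces field, the redirectPlan type, the "osm-cni" plugin name and the sample request are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// netConf is the document a CNI plugin reads from stdin: its own configuration
// plus, for a chained plugin, prevResult from the plugin that created the pod's
// interface. excludeNamespaces is an assumed plugin-specific setting.
type netConf struct {
	CNIVersion        string          `json:"cniVersion"`
	Name              string          `json:"name"`
	Type              string          `json:"type"`
	PrevResult        json.RawMessage `json:"prevResult,omitempty"`
	ExcludeNamespaces []string        `json:"excludeNamespaces,omitempty"` // assumption
}

// cniEnv mirrors the CNI_* variables the runtime sets for each invocation.
type cniEnv struct {
	Command, ContainerID, Netns, IfName, Args string
}

func envFrom(get func(string) string) cniEnv {
	return cniEnv{
		Command:     get("CNI_COMMAND"),
		ContainerID: get("CNI_CONTAINERID"),
		Netns:       get("CNI_NETNS"),
		IfName:      get("CNI_IFNAME"),
		Args:        get("CNI_ARGS"),
	}
}

// parseArgs splits CNI_ARGS ("K=V;K=V"); kubelet passes the pod's namespace
// and name as K8S_POD_NAMESPACE and K8S_POD_NAME.
func parseArgs(args string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(args, ";") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			out[parts[0]] = parts[1]
		}
	}
	return out
}

// redirectPlan (assumed type) is what a privileged node-side component would
// program inside the pod's netns: the traffic redirection the init container
// does today, but without a NET_ADMIN container running inside the pod.
type redirectPlan struct {
	Netns, PodNamespace, PodName string
	Skip                         bool
}

// handleAdd validates an ADD request, decides whether the pod is in scope, and
// returns the plan plus the bytes the plugin must write to stdout. A chained
// plugin that does not change addressing passes prevResult through unchanged.
func handleAdd(conf netConf, env cniEnv) (redirectPlan, []byte, error) {
	if env.Command != "ADD" {
		return redirectPlan{}, nil, fmt.Errorf("handleAdd called for %q", env.Command)
	}
	if env.Netns == "" || env.ContainerID == "" {
		return redirectPlan{}, nil, errors.New("CNI_NETNS and CNI_CONTAINERID are required")
	}
	if len(conf.PrevResult) == 0 {
		return redirectPlan{}, nil, errors.New("chained plugin invoked without prevResult")
	}
	args := parseArgs(env.Args)
	plan := redirectPlan{Netns: env.Netns, PodNamespace: args["K8S_POD_NAMESPACE"], PodName: args["K8S_POD_NAME"]}
	for _, ns := range conf.ExcludeNamespaces {
		if ns == plan.PodNamespace {
			plan.Skip = true // leave system namespaces untouched
		}
	}
	return plan, conf.PrevResult, nil
}

// sampleRequest is a constructed invocation, not captured from a real cluster.
func sampleRequest() (netConf, cniEnv) {
	conf := netConf{
		CNIVersion:        "0.4.0",
		Name:              "k8s-pod-network",
		Type:              "osm-cni", // assumed plugin name
		PrevResult:        json.RawMessage(`{"cniVersion":"0.4.0","ips":[{"version":"4","address":"10.244.1.7/24"}]}`),
		ExcludeNamespaces: []string{"kube-system"},
	}
	env := cniEnv{Command: "ADD", ContainerID: "3f9c1e", Netns: "/var/run/netns/cni-3f9c1e", IfName: "eth0",
		Args: "IgnoreUnknown=1;K8S_POD_NAMESPACE=bookstore;K8S_POD_NAME=bookstore-v1-0"}
	return conf, env
}

func main() {
	raw, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	var conf netConf
	if err := json.Unmarshal(raw, &conf); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	env := envFrom(os.Getenv)
	switch env.Command {
	case "ADD":
		plan, out, err := handleAdd(conf, env)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		// A real plugin would hand plan to the node-side component here.
		fmt.Fprintf(os.Stderr, "redirect plan: %+v\n", plan)
		os.Stdout.Write(out)
	case "DEL", "CHECK":
		// Rules live in the pod's netns and disappear with it; nothing to undo.
	default:
		os.Exit(1)
	}
}
```

The point for the security discussion is that the decision and the netns handle both exist on the node, in a component the cluster operator installs, so the pod itself needs no extra capabilities; what remains is the question raised below of how much trust the node-side component (typically a DaemonSet) itself requires.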
I'm definitely interested in this option. For the record, the Istio answers to the above are:
Some customers have security policies that might mandate this approach (they will not accept an init container with the required network privileges). The DaemonSet approach for distribution seems almost as bad as the init container privileges question to me from a security point of view, but I'm not a security expert.
Added default label
This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.
Issue closed due to inactivity.
I've tried installing OSM 0.3 on OpenShift 4.5 and was able to get the control plane pods running. But the bookstore app pods will not start because the init-container requires iptables which are not used in OpenShift. The same issue was solved in Istio via CNI support (see this Istio issue for more).
OpenShift users will be blocked without CNI support or some sort of secure workaround I'm not aware of.