15:31:53 <apuimedo> #startmeeting k8s integration 15:31:54 <openstack> Meeting started Wed Feb 3 15:31:53 2016 UTC and is due to finish in 60 minutes. The chair is apuimedo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:31:55 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:31:57 <openstack> The meeting name has been set to 'k8s_integration' 15:32:01 <apuimedo> who's here for the meeting? 15:32:09 <banix> o/ 15:32:24 <gsagie_> hi 15:33:19 <apuimedo> irena said she'd be late 15:33:28 <apuimedo> fkautz: you there? 15:34:16 <irenab> hi 15:34:27 <gsagie_> irena!!!! :) 15:34:29 <apuimedo> irenab: is not that late :P 15:34:32 <irenab> almost on time :-) 15:34:58 <irenab> gsagie: also glad to see you :-) ! 15:35:01 <apuimedo> well, I was hoping there would be more people, but we have a nice cozy assemble 15:35:07 <apuimedo> *assembly 15:35:56 <apuimedo> alright, let's start 15:36:08 <banix> salv-orlando: you here by any chance? 15:36:14 <irenab> shall we start from use cases? 15:36:35 <apuimedo> mmm 15:36:43 <apuimedo> I forgot where we left off 15:36:56 <apuimedo> ah yes 15:37:14 <banix> we wrer in a forrest and looking for a way out? 15:37:18 <apuimedo> option T vs option T+F vs option F 15:37:26 <apuimedo> banix: look left 15:37:39 <banix> always the right direction 15:37:44 <irenab> lets focus on what we will support and then how? 15:37:54 <banix> T was? 15:38:28 <gsagie_> translation to libnetwork 15:38:42 <banix> and F? 15:38:44 <gsagie_> and the other just to implement the CNI 15:38:51 <gsagie_> two different solutions 15:38:55 <banix> thx 15:38:58 <gsagie_> integrate with Kubernetes 15:39:04 <irenab> I thought we already decided to drop T 15:39:20 <gsagie_> its good with me 15:39:37 <apuimedo> irenab: no, we did not 15:39:41 <gsagie_> the only reason was that someone (i think Matt) 15:39:48 <gsagie_> wanted to try and work on it in parallel 15:39:49 <apuimedo> Mike 15:39:52 <gsagie_> Mike yeah 15:39:55 <apuimedo> Mike Spreitzer 15:40:26 <apuimedo> though I think there's a big consensus in reducing it to option t+f vs option F 15:40:39 <apuimedo> I vote to reduce it to that 15:40:58 <apuimedo> do you all agree? 15:41:01 <banix> apuimedo: what is exactly T+F? 15:41:02 <gsagie_> ok 15:41:17 <irenab> I already thought we agreed on this :-) 15:41:25 <banix> seems you all left me in the forrest :) 15:41:30 <gsagie_> banix: work on them in parallel together, i guess apuimedo things that translation to lib network is something we can do pretty quick 15:41:34 <gsagie_> for fast term goal 15:41:41 <gsagie_> thinks 15:41:42 <banix> ok 15:41:44 <irenab> banix: looks I am in the forest too, maybe the different one 15:41:57 <banix> so long term solution we think is F. Right? 15:42:01 <banix> irenab: :) 15:42:12 <gsagie_> i only remember it from our last meeting, and i wasn't concentrating most of the time :) 15:42:45 <gsagie_> i think since Mike is not here, we don't focus on this because there is no one that is actually going to devote time to do it, apuimedo: do you have anyone for this? 15:42:52 <apuimedo> banix: yes 15:42:55 <gsagie_> atlas not focus in this meeting 15:43:03 <gsagie_> atleast 15:43:08 <banix> just confused about reducing to T+F which is more like expanding to T+F 15:43:20 <apuimedo> gsagie_: well, I haven't dropped completely doing some sort of T 15:43:32 <apuimedo> while we work on F 15:43:49 <apuimedo> for me it would be, have somebody working on the CNI driver 15:44:08 <apuimedo> somebody working on the etcd component that sends commands to Neutron 15:44:09 <irenab> apuimedo: Can we please focus on WHAT before HOW? 15:44:30 <apuimedo> and, while we refactor, we can translate to libnetwork 15:44:37 <apuimedo> irenab: you got me 15:44:42 <apuimedo> :-D 15:44:57 <irenab> I think its easier to move with how :-) 15:45:37 <apuimedo> ok 15:45:41 <apuimedo> #topic HOW 15:45:51 <apuimedo> alright 15:46:06 <apuimedo> my proposal is that we do two components 15:46:21 <banix> i think ireana meant after we are done with WHAT 15:46:34 <apuimedo> oh right 15:46:42 <irenab> banix: I do beleive we are in the same forrest :-) 15:46:44 <apuimedo> #topic WHAT!!! 15:47:04 <apuimedo> I'm sorry for the confusion 15:47:08 <irenab> Shall we first support the “flat”, i.e. current k8s networking mode or we want to go forward with Network Policy proposal? 15:47:34 <apuimedo> F should start directly with the policy proposal 15:47:57 <irenab> do we want to have annotation/label based expressions supported? 15:48:23 <irenab> I think its probably matter of what k8s version we want to support 15:48:45 <irenab> the proposal will probably land in 1.2 15:48:48 <gsagie_> yes 15:49:00 <apuimedo> 1.2 is the target I think 15:49:00 <gsagie_> we want something that query etcd and translate to Kuryr 15:49:03 <irenab> gsagie: yes on what part? 15:49:41 <gsagie_> yes we want to have annotation/label based expressions supported, which means we define special labels/annotations for certain configuration in Neutron right? 15:50:11 <irenab> sounds good to me 15:50:15 <apuimedo> gsagie_: I think extra label support is a plus, but not an immediate requisite 15:50:51 <apuimedo> but yeah... I'd like to have it to be able to specify lb settings and other stuff 15:50:53 <gsagie_> ok, so what features currently in Kubernetes we want to support? we want the basic stuff of creating the networks right? 15:50:59 <gsagie_> and the lb replacing kube-proxy 15:51:12 <apuimedo> gsagie_: yes, that's the minimum 15:51:18 <banix> +1 15:51:21 <apuimedo> LB for replication 15:51:28 <gsagie_> for services 15:51:39 <irenab> if we want to support Policy, it may require SG 15:51:50 <apuimedo> FIP for load balancer mode 15:51:54 <irenab> so its connectivity + ACL 15:51:55 <gsagie_> okie, so the CNI already gives us the first part, for the services configuration we need to listen to etcd? 15:52:23 <irenab> seems we may need the listener to support both services and policies 15:52:30 <gsagie_> which is services VIPs and north-south LB 15:52:31 <banix> yes we need SG but that would be ok 15:52:34 <apuimedo> gsagie_: but CNI, as it is used in k8s now, IIRC only tells you to join the network that exists in the worker node 15:53:08 <apuimedo> we need it to be able to get network per tier for example 15:53:55 <irenab> apuimedo: I think this is something that needs to be concluded from the models 15:54:05 <apuimedo> exactly 15:54:12 <gsagie_> apuimedo: okie, so it seems to me that the challenge here will be to sync between the information we read from etcd and the CNI which needs to do the binding part 15:54:17 <apuimedo> so another "What" we need is 15:54:26 <apuimedo> gsagie_: exactly, you erad my mind 15:54:32 <apuimedo> *read 15:54:53 <apuimedo> * find a way for having the entities created by the watcher in the cni driver 15:54:59 <apuimedo> so that they can be used 15:55:07 <irenab> so we may even think of once understanding the model and doing some operations for neutron, add annotations after the actions to be processed by CNI 15:55:09 <apuimedo> I believe they have a similar issue in k8s-net-sig 15:55:23 <apuimedo> they were considering pushing the data down all the way to the cni 15:55:36 <apuimedo> but I'm not sure if it's going to happen nor if it is the right thing 15:55:48 <gsagie_> we can always read the etcd DB from our CNI implementation 15:55:51 <irenab> apuimedo: initially we may add details via annotations in scope of the watcher 15:55:56 <gsagie_> the problem is what happens first 15:56:10 <apuimedo> gsagie_: I'm not sure how operators would feel about that, but it is a good option 15:56:39 <irenab> gsagie: I hope we can avoid this 15:57:04 <apuimedo> irenab: me too 15:57:17 <irenab> CNI plugin should be not k8s specifc, at least ecventualy 15:57:27 <apuimedo> I'd want the cni driver to be able to do with as little as possible 15:57:38 <apuimedo> so that ideally 15:57:54 <apuimedo> it would only learn about the ip in the worst case 15:58:07 <apuimedo> or uuid/vlan(for nested) in the best base 15:58:11 <apuimedo> *case 15:58:14 <irenab> apuimedo: there is both network and IPAM drivers 15:58:27 <apuimedo> I would like to do the ipam in the watcher 15:58:38 <apuimedo> to speed up 15:58:38 <gsagie_> one option is that we keep the CNI operations in Kuryr in a queue and wait until the watcher added the correct port in neutron and only then do the binding 15:58:56 <apuimedo> I would be overjoyed if the worker nodes don't need to have access to the neutron api 15:59:06 <apuimedo> and they can make do with the mq 15:59:23 <irenab> mq for what? 15:59:29 <banix> gsagie_: why? for applying acl? 16:00:15 <gsagie_> banix: we have a watcher that listen to etcd, it gets all the relevant information (IPAM/SG/correct network) from etcd and then call the Neutron API from the master 16:00:22 <gsagie_> then the CNI driver only do the binding part 16:00:24 <apuimedo> irenab: mq for the ovs neutron agent 16:00:42 <gsagie_> connect the neutron port to the container namespace 16:00:51 <irenab> apuimedo: this is backend dependent 16:01:18 <apuimedo> irenab: the point is 16:01:38 <apuimedo> If possible, the worker nodes shouldn't need to be on the neutron management network 16:02:07 <gsagie_> so we basically have something that integrate with Kubernetes "API" by listening to the etcd DB (can later use labels and annotations) and configure Neutron, then the end points in the nodes only do the binding 16:02:08 <irenab> apuimedo: at least not talk to neutron API 16:02:14 <apuimedo> we have it in plain kuryr libnetwork because there is no orchestration we can check (well, with cluster store we could correct it, but that is another topic) 16:02:20 <gsagie_> apuimedo, irenab: what do you think about that? 16:02:37 <apuimedo> gsagie_: that's the goal, yes 16:02:47 <irenab> gsagie_: I agree 16:03:00 <gsagie_> apuimedo: okie, so i think we have defined it 16:03:09 <gsagie_> irenab 16:03:17 <apuimedo> gsagie_: thanks for synthesizing it 16:03:20 <irenab> so we are ok with How while discussing what :-) 16:03:38 <gsagie_> i think we also agree on the what 16:03:39 <apuimedo> the rest of the what is 16:03:49 <gsagie_> just how to model to Neutron 16:03:51 <gsagie_> networks/routers 16:03:52 <apuimedo> gsagie_: take a stab at synthesizing it 16:03:54 <apuimedo> :P 16:03:58 <apuimedo> you are on a roll 16:04:03 <gsagie_> heh 16:04:33 <gsagie_> i think we need to do the simplest thing at first stage just to build the "infrastructure" for the different components 16:04:44 <irenab> yes, and probably to define the lables/annotation we may expect as part of the k8s model entities 16:04:58 <gsagie_> so i guess you want to model it-> service=network 16:05:16 <irenab> what about namespaces isolation option? 16:05:21 <apuimedo> gsagie_: yes, that's the simplest and more common use case we can support 16:05:22 <gsagie_> and then add routing between them, at first between all 16:05:54 <irenab> we may consider pods (RC) to be on the same network regardless the service 16:06:03 <apuimedo> irenab: I'm tempted to say that namespaces is something that I want to ignore for the time being 16:06:19 <irenab> I think in some simple examples there are only Pods 16:06:21 <apuimedo> in the sense that we would not isolate namespaces of the same tenant 16:06:30 <apuimedo> but I'm not 80% on this 16:06:37 <irenab> apuimedo: do we have multi-tenancy? 16:06:39 <apuimedo> so I can be easily convinced 16:06:53 <apuimedo> irenab: sort of xD 16:07:01 <banix> well tenants don’t go across namespaces. no? 16:07:04 <apuimedo> but now it relies on one host per tenant 16:07:13 <gsagie_> multi tenancy is just how you connect the relevant networks to a router 16:07:16 <gsagie_> i think 16:07:18 <banix> nottalking about network namespaces 16:07:22 <apuimedo> banix: no. exactly. But tenants could have several namespaces 16:07:37 <irenab> k8s namespaces 16:07:43 <banix> wll are you talking about k8s namespace 16:07:45 <banix> ok 16:08:17 <apuimedo> I am talking to k8s namespaces, yes 16:09:11 <apuimedo> irenab: I think that for multitenancy we will have to rely on the multitenancy that they are adding to k8s 16:09:14 <irenab> so back to What, I think we should define scenarious to support, i.e. assuming all k8s namespace are not isolated 16:09:29 <apuimedo> and somehow bundle authorization there 16:09:46 <irenab> apuimedo: do you have any details on what is the k8s plan for multi-tenancy? 16:09:50 <apuimedo> so that in etcd we can get the auth of the tenant that is associated to the service 16:10:04 <apuimedo> and try to perform the neutron action with their auth 16:10:11 <apuimedo> irenab: not in hand, no 16:10:18 <irenab> apuimedo: this can be great, but we will need to manage tenants in keystone? 16:10:38 <apuimedo> irenab: I was thinking something simpler 16:10:52 <apuimedo> that somehow the creds would end up in etcd 16:10:58 <irenab> assuming no multi-tenancy should be ok for now, agreee? 16:11:11 <apuimedo> yes. without mulit-tenancy we should be ok 16:12:13 <irenab> gsagie_: banix ? 16:12:17 <apuimedo> hey, does any of you remember if it was possible to create an arbitrary token for a user in keystone? 16:12:24 <banix> +1 16:12:44 <banix> apuimedo: what do you mean by arbitrary? 16:12:46 <gsagie_> i am fine with it, i don't see the challenge if etcd support the namespace, we only need the "watcher" thread to have the various different tenants 16:12:50 <gsagie_> credentials 16:12:55 <gsagie_> unless i didnt get something 16:13:06 <gsagie_> but i am not too familiar with the k8 namespaces yet 16:13:13 <gsagie_> but we can work without them at first 16:13:18 <irenab> I think we need to see how to reflect this in neutron 16:13:19 <apuimedo> I meant like oath token like k8s uses 16:13:36 <gsagie_> irenab: why this can't be different OS tenants? 16:13:42 <gsagie_> different Neutron tenants 16:13:54 <banix> a tenant can create tokens at will but i am probably missing your point 16:13:56 <irenab> gsagie_: who defines them and when? 16:14:10 <apuimedo> oh 16:14:14 <apuimedo> hey guys 16:14:19 <apuimedo> and gals 16:14:26 <apuimedo> k8s supports keystone auth 16:14:28 <irenab> lets handle multi-tenancy for next phase 16:14:33 <apuimedo> we may just require it 16:14:37 <apuimedo> https://github.com/kubernetes/kubernetes/blob/master/docs/admin/authentication.md 16:14:43 <irenab> apuimedo: cool 16:15:09 <apuimedo> I'm not sure how big a handicap it will be for operators to accept keystone 16:15:18 <apuimedo> but I'm sure big operators should be content with it 16:15:34 <apuimedo> I'm betting openshift uses it 16:15:37 <apuimedo> so we could say 16:15:54 <apuimedo> if k8s keystone integration is configured it is multitenant, otherwise it is single tenant 16:15:57 <apuimedo> for starters 16:16:08 <apuimedo> #link https://github.com/kubernetes/kubernetes/blob/master/docs/admin/authentication.md 16:16:13 <irenab> apuimedo: I think we need to verify the k8s approach for app multi-tenancy 16:16:20 <gsagie_> sorry need to go all :) but i think the first start of the work is defined, so we can start coding and defining in parallel the next bits 16:16:30 <irenab> apuimedo: this maybe related to the whole cluster 16:16:48 <gsagie_> if it integrates with keystone that would be great 16:16:57 <apuimedo> #info 16:17:02 <apuimedo> #info we basically have something that integrate with Kubernetes "API" by listening to the etcd DB (can later use labels and annotations) and configure Neutron, then the end points in the nodes only do the binding 16:17:36 <gsagie_> yes challenge, we need to be able to keep the binding until neutron configuration has ended 16:18:12 <apuimedo> gsagie_: banix: irenab: what about we create a blueprint with what we discussed 16:18:23 <apuimedo> and as soon as it matures a bit we put it on a spec 16:18:28 <apuimedo> completely WIP 16:18:30 <banix> sounds good 16:18:31 <gsagie_> agreed! 16:18:31 <irenab> gsagie_: we need to check contrail approach, I think they have similar components 16:18:45 <apuimedo> or we can go straight for wip spec if you see fit 16:18:57 <irenab> apuimedo: I will try to arrange initial draft version 16:19:02 <apuimedo> as it seems people comment more on spec 16:19:15 <apuimedo> irena: you just earned an extra cheese delivery 16:19:17 <apuimedo> :-) 16:19:21 <apuimedo> thanks! 16:19:24 <irenab> apuimedo: :-) 16:19:31 <apuimedo> #topic other 16:19:31 <irenab> the last one was very good 16:19:40 <apuimedo> that was extra :-) 16:19:42 <apuimedo> anything else? 16:20:00 <gsagie_> :) 16:20:20 <gsagie_> somebody look at what contrail are doing 16:20:24 <gsagie_> i am fine doing it 16:20:27 <apuimedo> I'm delivering catalan cheese straight from the farm :-) 16:20:46 <apuimedo> gsagie_: if you can take a look at the etcd watcher, that'd be great 16:20:58 <irenab> gsagie_:banix you better go for the cheese than T-bone 16:21:14 <banix> :) 16:21:36 <apuimedo> alright, so let's close up 16:21:45 <apuimedo> #action irena to submit WIP spec 16:21:56 <apuimedo> #action gsagie to look at contrail watcher 16:22:02 <apuimedo> #endmeeting