Uploaded image for project: 'OpenStack Strategy'
  1. OpenStack Strategy
  2. RHOSSTRAT-886

Deliver images for multi-tenant telemetry control

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • rhos-18.0.10 FR 3
    • Telemetry
    • None
    • Moderate
    • Not Selected
    • False
    • False
    • Hide

      None

      Show
      None
    • S
    • 0
    • 0
    • 67% To Do, 0% In Progress, 33% Done
    • Red Hat OpenStack Services on OpenShift (formerly Red Hat OpenStack Platform)
    • Release Note Not Required

      Feature Overview

      Deliver images to allowing tenant-level access to telemetry data.

      Goals

      • Images for access control proxies are imported downstream and are shipped with RHOSO.
        • aetos-proxy
        • kube-rbac-proxy
      • Images are verified as being available in a disconnected environment.

      Requirements

      Requirement Notes isMVP?
      aetos-proxy image is imported and built for production delivery   yes
      kube-rbac-proxy image is imported and built for production delivery   yes
      Proxy images are shipped within the RHOSO product (openstack-operator)   yes
      Images are available and work within a disconnected environment deployment   yes

       

      Done - Acceptance Criteria 

      Production chain is setup for the import of the proxy images and are able to ship within the openstack-operator.

      Use Cases - i.e. User Experience & Workflow:

      The eventual use case will be to update any RHOSO services that need to access telemetry data to do so through an interface that can provide tenancy. Currently these services access Prometheus directly and provides no RBAC interfaces.

      The need to implement the proxies and update services to use those routes instead is to provide access control to telemetry data on an as-needed basis (only expose the data that is required by the service).

      Being able to limit data by tenant instead of administrator level access (unless specifically configured) will provide a better security story. Alignment to accessing data using kube-rbac-proxy will further align the product to best practices already utilized by OpenShift.

      Out of Scope

      • Implementation of Aetos and kube-rbac-proxy access within the services themselves. (Only the availability of the images is expected in this Feature.)

      Documentation Considerations 

      No documentation interfaces are expected as part of this delivery.

      Questions to Answer

      No known questions to answer at this time. Work is expected to fall within the standard operating procedures of importing and shipping new images within the RHOSO product.

      Background and Strategic Fit 

      No extra background information expected to be required.

      Customer Considerations

      No customer considerations are expected for this Feature.

      Risks

      • aetos is a net-new project that targets Flamingo, which uses py3.10, therefore there is a risk with how we will import and productize this in both the RHOSO 18 (Antelope) and RHOSO 19 (Epoxy) timeframes

              lmadsen@redhat.com Leif Madsen
              lmadsen@redhat.com Leif Madsen
              Jaromir Wysoglad
              Simon Herlofsson Simon Herlofsson
              Edu Alcaniz Edu Alcaniz
              rhos-conplat-observability
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: