Uploaded image for project: 'Knative Serving'
  1. Knative Serving
  2. SRVKS-342

Ensure that network communication in/out of the namespace isn't blocked

XMLWordPrintable

    • Serverless Sprint 175

      Problem

      When creating a service Serverless checkbox is now freely available. That could easily lead users to deploy services that looks like they do not work.

      After deploying a Serverless service (a service with serverless checkbox checked), serverless operator should add namespace of that service to a Serverless Service Mesh Member Roll. That would result in that namespace being part of Service Mesh Control Plane managed by Serverless Operator. Deploying a serverless service to namespace that isn't part of Serverless SMMR, would result in adding that namespace to SMMR.

      After that any other regular service created in that namespace will result in that service being unreachable. Any existing regular services will also be unreachable.

      To be changed

      Ensure that network communication in/out of the namespace isn't blocked. Today this is impacted by Service Mesh policies.

      On Nov 12th we discussed a possible solution using the operator to inspect network policies on a given namespace.

      If one already exists, the operator won't create a network policy and the user then is in control to set policies to allow traffic in/out of the namespace.

      If no network policy exists for that namespace, we then create a wide open policy to ensure that traffic can go in/out of the namespace and Openshift Routes can still be used.

      To reproduce:

      1. Deploy a serverless service (serverless checkbox checked) from image docker.io/mgencur/helloworld-go and name helloworld-go to namespace default
      2. Deploy a generic service (serverless checkbox unchecked) image docker.io/mgencur/helloworld-go and name helloworld-go-noks to namespace default
      3. Generic service will be deployed and created are DeploymentConfig, Service, and Route, but service isn't responding to requests:
      $ curl -Ik http://helloworld-go-noks-default.apps.ksuszyns-31-ocf-ocp-4.0-aws-clean-ksuszyns.openshift-aws.rhocf-dev.com/
HTTP/1.0 503 Service Unavailable
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store
Connection: close
Content-Type: text/html

      cURL takes a while.

       

       

              bbrownin@redhat.com Ben Browning
              woliveir@redhat.com William Oliveira (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: