| 1 | +## OpenStack and Kubernetes integration options |
| 2 | + |
| 3 | +### In-tree OpenStack provider in Kubernetes repository |
| 4 | + |
| 5 | +Traditional option `--cloud-provider` and `cloud-config` in `kubelet`, `kube-apiserver` and `kube-controller-manager` |
| 6 | + |
| 7 | +### Cloud Controller Manager (CCM) in Kubernetes repository |
| 8 | + |
| 9 | +Temporary stop gap binary `cloud-controller-manager` that has both `--cloud-provider` and `--cloud-config` |
| 10 | +command line params. Need to set `--cloud-provider=external` for the other kubernetes binaries. |
| 11 | + |
| 12 | +Also use the `--external-cloud-volume-plugin` command line parameter in `kube-controller-manager` to use the |
| 13 | +in-tree cinder volume plugin. Note that the provisioner name for the in-tree volume plugin is `kubernetes.io/cinder` |
| 14 | + |
| 15 | +### External OpenStack provider |
| 16 | + |
| 17 | +Mostly the same code as CCM, but code moved out of the main kubernetes repository. `--cloud-provider` is hard coded |
| 18 | +to `openstack`. `--cloud-config` needs to be specified. |
| 19 | + |
| 20 | +Similar to CCM, you can use the `--external-cloud-volume-plugin` in `kube-controller-manager` until support for that |
| 21 | +flag is dropped. |
| 22 | + |
| 23 | +Scenarios tested: |
| 24 | +- External LBaaS with Neutron LBaaSv2 |
| 25 | +- Internal LBaaS with Neutron LBaaSv2 |
| 26 | +- LVM / iSCSI with Cinder |
| 27 | +- Ceph / RBD with Cinder |
| 28 | + |
| 29 | +TODO: |
| 30 | +- Test LBaaS scenarios with Octavia |
| 31 | + |
| 32 | +### Kubernetes Keystone Webhooks |
| 33 | + |
| 34 | +There are two scenarios, authentication and authorization. They can be configured/used independently. There is |
| 35 | +support in the kubectl CLI for OpenStack auth provider. This provider can pick up the usual OS_* env vars and |
| 36 | +use them to talk to kube api server. However you need the auth webhook to authenticate the tokens. |
| 37 | + |
| 38 | +The authorization is a WIP. the initial thought was to provide a way similar to OpenStack Keystone policy files |
| 39 | +to do some authorization checks. You can just use the kubernetes builtin RBAC support. |
| 40 | + |
| 41 | +### Cinder Standalone provisioner |
| 42 | + |
| 43 | +Tested with `LVM / iSCSI` and `Ceph / RBD` scenarios. The provisioner name is `openstack.org/standalone-cinder`. |
| 44 | +You can use this along with the External OpenStack provider or CCM. |
| 45 | + |
| 46 | +### Cinder Flex volume driver |
| 47 | + |
| 48 | +WIP - There is some code, needs to be tested |
| 49 | + |
| 50 | +### Cinder CSI driver |
| 51 | + |
| 52 | +WIP - There is some example code in a SIG-storage repo. Need to investigate |
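Review bot: The Keystone webhooks section (added lines 34-39) leaves the authorization status ambiguous. It says the authorization "is a WIP" and then "You can just use the kubernetes builtin RBAC support", without saying whether the webhook authorizer should be enabled at all in its current state. Suggest stating explicitly that only the authentication webhook is ready for use and that the builtin RBAC is the authorizer to rely on until the policy-file work is finished, so nobody deploys a half-finished authorizer by following this page. The same section says "you need the auth webhook to authenticate the tokens" but gives no pointer to how the webhook is wired into the API server; a link or a short list of the required settings would make that actionable. Minor: "the initial thought" on line 38 should start with a capital, lines 5 and 13 lack a closing period, and "until support for that flag is dropped" (lines 20-21) would be more useful with the release in which that is expected, if it is known.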