You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Standards/scs-XXXX-v1-kaas-networking.md
+11-4Lines changed: 11 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,8 +15,15 @@ This standard specifies a minimal set of networking features that users can expe
15
15
16
16
## Terminology
17
17
18
-
Example (abbr. Ex)
19
-
This is the description for an example terminology.
18
+
The following terms are used throughout this document:
19
+
20
+
| Term | Meaning |
21
+
|------|---------|
22
+
| KaaS, managed Kubernetes | Kubernetes as a Service, automated on-demand deployment of Kubernetes clusters. |
23
+
| CSP | Cloud Service Provider, the provider of the KaaS infrastructure. |
24
+
| CNI | Container Network Interface, a standardized networking interface for container runtimes. |
25
+
| CNI plugin, networking plugin | Kubernetes bindings for a CNI implementation, translates Kubernetes API concepts into more basic container networking concepts. |
26
+
| network policy | A set of rules to restrict network traffic in a Kubernetes cluster. |
20
27
21
28
## Motivation
22
29
@@ -49,7 +56,7 @@ The wide support among CNI plugins makes them a good target for SCS standardizat
49
56
Basic network policies are namespaced resources, and can only filter traffic to and from pods in their own namespace.
50
57
In a newly created namespace without policies the default behavior will apply, which is to not restrict traffic at all.
51
58
52
-
It can be desirable to automatically create default network policies in new namespaces, using an operator such as Kyverno.
59
+
It can be desirable to automatically create default network policies in new namespaces, using a policy operator such as Kyverno.
53
60
A CSP could provide such an operator and offer a number of default policies, like blocking connections to other namespaces by default, or blocking access to the OpenStack metadata service.
54
61
55
62
Any user with permissions to manage their own network policies in a namespace will of course be able to remove or modify any default network policies in that namespace.
@@ -73,7 +80,7 @@ Unlike the L3/L4-based LoadBalancer Service type, Ingress provides L7 load balan
73
80
This functionality can be provided within the cluster by a pod-based ingress controller such as `ingress-nginx`, that exposes Ingress resources as Services.
74
81
75
82
However, there are also Ingress controllers that integrate with underlying infrastructure and may help to reduce overhead.
76
-
Examples for this are the Cilium CNI plugin, which comes with built-in Ingress support, and the Octavia ingress controller, which may be a good choice if OpenStack Octavia is already used to provide L3/L4 load balancing.
83
+
Examples for this are the Cilium CNI plugin, which comes with built-in Ingress support, and the Octavia Ingress controller, which may be a good choice if OpenStack Octavia is already used to provide L3/L4 load balancing.
77
84
78
85
The CSPs that manage the underlying infrastructure can of course make the best choice for such an integrated Ingress controller, so they should be encouraged to do so.
79
86
Even with a CSP-provided default Ingress controller present, users will be able to use alternative Ingress controllers by creating a new `IngressClass`, which can then be referenced in Ingress resources.
0 commit comments