-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add standard for provider networks #572
base: main
Are you sure you want to change the base?
Conversation
We should probably just focus the standard on external provider networks/subnets, because that is ultimately what facilitates public IP networking, as SovereignCloudStack/issues#167 and SovereignCloudStack/issues#166 are calling for. I have been trying to find a way to meaningfully incorporate the other suggestions from #522 (and the comments), like OVN/L3-router-HA and API-extensions/plugins and port security and policies, but they are either orthogonal to the issues (like the HA-topic), or follow from the provider-network requirements (like port security and, at least partially, the API-extensions), or should be discussed somewhere else more broadly (also the HA topic, and policies, specifically codification of/deviation from default policies). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, this looks good to me. There are a few issues and open questions for me, which I noted below.
| RBAC | Role-based Access Control: A mechanism in the Network API to give projects limited access to resources owned by other projects. Typically used by CSPs to create provider networks. | | ||
| Shared Network | Virtual network that is shared between projects in a way that allows direct attachment of servers. | | ||
| External Network | Virtual network that is shared between projects in a way that only allows virtual routers to use it as external gateway. Typically used by CSPs to provide access to networks outside of the cloud environment. | | ||
| Provider Network | Any shared or external network that is managed by the CSP. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OpenStack provider networks have a different property, namely that they're tied to non-virtualised networks. I think that property is relevant enough to include it in this definition.
(Or are we using the term "provider network" in a different sense here?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In many places, including some Openstack documentation, I found the term provider network to be used (interchangeably with "external network") to mean CSP-managed networks that are tied to non-virtualized networks, because that is usually what they are used for.
I was looking at this from more of an RBAC-perspective though, where any network, regardless of it's provider:network_type
and provider:physical_network
can have an access_as_external
rule, and where ownership and RBAC rules ultimately dictate how a network can be used in a project. In that context, it made more sense to me to define provider networks literally as "networks managed by the provider".
This will still cover the classical use-case of bridging into non-virtualized networks, but also use-cases like a CSP-managed shared network.
It's still a deviation from common Openstack terminology of course, and I can try rewording it to stay closer to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that context, it made more sense to me to define provider networks literally as "networks managed by the provider".
I agree. My main problem with the definition as written above is that the "managed by the CSP" gets overpowered by the "shared or external" attributes, which make me read that definition as if the key point was that the network was "shared or external", not "managed by the CSP".
Maybe: "A network managed by the CSP, typically connected to non-virtualized infrastructure and commonly made external or shared."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The network being shared or external is kinda essential though, as that is what actually makes it a provider network to tenants, otherwise it's just invisible to them and might as well be non-existent.
I have changed it now to "A CSP-managed virtual network made available to projects as either shared or external, typically connected to non-virtualized infrastructure."
|
||
The Network API's Role Based Access Control (RBAC) extension can then be used to share it with other projects. | ||
RBAC rules for networks support the two actions `access_as_external` and `access_as_shared`, and can be created automatically on `openstack network create` with the options `--external` and `--share`. | ||
* `access_as_external` allows networks to be used as external gateway for virtual routers in the target projects. Such networks are in the following referred to as _external networks_. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another notable thing access_as_external
allows is creation of floating IPs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added a mention of that.
The was a short discussion in the community call today on the question of mandatory internet access vs. air-gapped infrastructure that was raised in the IaaS call yesterday. I will try to reword the standard to reflect this. |
9541a83
to
1fc89c0
Compare
I have been trying to extend this standard to also apply to private and air-gaped clouds, and it turns out that this is somewhat difficult. The approach that I'm currently trying, is to make it more conditional and discuss specific use-cases, like:
I'm still working out the details though. An alternative would of course be to scope the standard strictly to clouds with public IPs. |
e115ebf
to
76601c2
Compare
Finding a common ground regarding provider networks between public, private, and specifically air-gaped clouds is hard, even with individually scoped rules. There is some overlap, but the requirements are very different. I have now given up on that and made some changes to the draft to limit the standard to clouds that provide public IPs. |
@kgube Thanks for all this impressive work! I see that this is a difficult situation. Please do go into the meetings (Team IaaS) and raise awareness as soon as possible. Please try to get people to go into an in-depth break-out session with you. |
@kgube overall it looks good to me, maybe it makes sense, besides neutron-dynamic-routing, to refer also to ovn-bgp-agent. because OVN will perhaps take over this task in the future |
da9ec1a
to
364c01a
Compare
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
364c01a
to
2e06a86
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
| DHCP | Dynamic Host Configuration Protocol: Used to automatically configure hosts in a network with IP addresses, default routes, and other information such as DNS servers. | | ||
| Prefix | IP address prefix of a given bit-length N, written as _ADDRESS/N_. Divides addresses into a network and a host part, a shorter prefix allows more hosts but takes up more address space. | | ||
| NAT | Network Address Translation: mapping (usually public) IPv4 addresses onto a different (usually private) address space. May allows multiple hosts to share a public address by multiplexing TCP/UDP ports. | | ||
| RBAC | Role-based Access Control: A mechanism in the Network API to give projects limited access to resources owned by other projects. Typically used by CSPs to create provider networks. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This maybe a little bit nitpicking:
When I think of RBAC in OpenStack, I first think about user roles and access to projects. While we also have access to projects here, it has nothing to do with user roles and is a very Neutron specific thing.
Could we maybe change the wording a bit? Maybe to "network RBAC" like in the openstack CLI command?
Also this would have to be adapted overall in this standard.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed it to "Networking RBAC" now, because Networking is the name of the API, and there is less chance for confusion when talking about RBAC rules for networks.
|
||
## Conformance Tests | ||
|
||
(TBD, current requirements should mostly be testable by API. Testing external routing is more tricky and will require external testing infrastructure of some sort) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will review again, when tests are implemented.
While working on the conformance tests I stumbled on Openstacks network auto-allocation feature: I'm not sure how I missed that previously, but I am going to update the standard to conform to the auto-allocation requirements. This is great, actually, because it will greatly simplify conformance in the presence of multiple provider networks or subnet pools, which is currently discouraged but allowed: we can just mandate the SCS default resources to be marked as exclusive auto-allocation defaults. |
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
CSPs **MUST** externally route any public IP addresses allocated from subnets of the standard provider network. | ||
CSPs **MUST** provide dynamic routing for all project-allocated public IP-prefixes via the standard provider network. | ||
|
||
By default, users **SHOULD** be prohibited by policy from creating Networking RBAC rules, to prevent the creation of faux provider networks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add an implementation note that shows the necessary policy change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I clicked the link and unfortunately this is not good documented by OpenStack itself. It my be better to attach an implementataion note and not just write in block text but have the policy change presented in a clear readable way. Otherwise people might overread it.. I have something in mind like:
Policy adjustment for network rbac
OpenStack itself allows all user, regardless of role to change the accessability of network resources (e.g. networks, routers, security groups, etc). This allows malicious users to present networking resources to other client as coming from the CSP. To forbid this the following policy adjustments SHOULD be implemented in the policy.yaml
file:
"create_rbac_policy": "rule:admin_only"
There haven't been much updates here, even though I have continuously been trying to build compliance tests for this. I will try to identify those issues and approach them more systematically: The scope of the standard.
I now think that the better approach is to not generally mandate public IP addresses, but to define external IP addresses as addresses reachable by a user with access to the openstack API, such that e.g. automated tooling can talk directly to both API and VMs. CSPs offering public cloud services can then specifically be required to provide public IPs as external IPs. This will make the standard more useful and allow easier compliance testing, at least for the basic requirements. Support for multiple provider networks and/or multiple shared subnet pools per IP version.
There may be other parts of the standard that are not yet part of the reference implementation and may need a grace period (IPv6 dynamic routing?). It is much more useful to keep the requirement of the is_default flag in the standard and treat the whole standard as a recommendation until it has been properly verified. This is especially true because all of the requirements for auto-allocation (at least for IPv6) are already mandated by the standard, the only addition really is the flag. Compliance tests are limited to the project perspective.
This is not a huge issue and does not actually affect the tests themselves (because this is the only way to do them, in this regard). Limited feedback on the standard.
There isn't really much I can do about this. I will try to build the compliance tests somewhat modular, but not more than aids general readability. There is no point in considering potential future test scenarios if we aren't there yet, and refactoring will be easier than preparing, in this case. |
Signed-off-by: Konrad Gube <[email protected]>
Signed-off-by: Konrad Gube <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part looks good to me so far. So its just the test and maybe implementation notes missing (see my comment on that)
CSPs **MUST** externally route any public IP addresses allocated from subnets of the standard provider network. | ||
CSPs **MUST** provide dynamic routing for all project-allocated public IP-prefixes via the standard provider network. | ||
|
||
By default, users **SHOULD** be prohibited by policy from creating Networking RBAC rules, to prevent the creation of faux provider networks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I clicked the link and unfortunately this is not good documented by OpenStack itself. It my be better to attach an implementataion note and not just write in block text but have the policy change presented in a clear readable way. Otherwise people might overread it.. I have something in mind like:
Policy adjustment for network rbac
OpenStack itself allows all user, regardless of role to change the accessability of network resources (e.g. networks, routers, security groups, etc). This allows malicious users to present networking resources to other client as coming from the CSP. To forbid this the following policy adjustments SHOULD be implemented in the policy.yaml
file:
"create_rbac_policy": "rule:admin_only"
If CSPs offer public IP addresses, they **SHOULD** also offer public IPv4 addresses. | ||
If they do offer public IPv4 addresses, they **MUST** provide at least one public Floating IP per project, but **MAY** also provide a shared subnet pool for the allocation of public IPv4 prefixes to project networks. | ||
If CSPs offer a subnet pool for the allocation of public IPv4 prefixes, it **MUST** have the `is_default` flag set to True, and it **MUST** be the only IPv4 subnet pool to do so. | ||
If the CSP offers external IPv4 addresses, they **MUST** provide at least one external Floating IP per project that can be allocated from the standard provider network. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree to name it external instead of pulic to include clouds which are only used internally / privately.
This is a WIP for a standard covering provider networks and public IP allocation.
SovereignCloudStack/issues#166
SovereignCloudStack/issues#167