Network isolation to outside world

Solution In Progress - Updated -

Issue

  • We are deploying OpenShift 3.x in a multi-tenant way. In 3.0, we did not have any network isolation. In 3.1 you added network isolation, but we were told we cannot influence the outgoing IP. We need to be able to make a reliable difference between IPs of the containers of different tenants on the same node.
  • The applications hosted in OpenShift need to contact resources still in the existing infrastructure. This happens over HTTP for some (accessing web services, ESB, ...), but binary protocols are also used (remote EJB, database connections, file transfers, etc.). If we are to open up links to the networks of our multiple tenants, we need to guarantee a level of isolation such that a container from one tenant cannot start hacking machines in the traditional infrastructure of another tenant. If the containers are hosted on the same node, we need some way to get a firewall in between.
  • We need a reliable way to limit the access on the networking level from a set of containers (project scope is fine) to a certain network range outside OpenShift.

    • Option 1:
      the container IPs reflect the tenant in a configurable address pool. That way we can directly restrict the network access on our edges.

    • Option 2:
      you provide a way in OpenShift to link to these external networks via some sort of gateway that we can deploy on specific machines with well-known IPs. That way, OpenShift handles the isolation internally for accessing the gateway, and traditional IP can handle the access to the outside network.

We are investigating Cisco ACI, so any integration / use of that technology to implement this functionality is a bonus.

Environment

  • OpenShift Enterprise 3.1
