Integrate execution container to Neutron Project / Tenant Networks
It would be useful to be able to hook up a private project / tenant Neutron network to the container during code execution. This would be beneficial where a tenant / project has a database server, CephFS cluster, Redis node or something else the function needs to reach securely. In its current state I believe the execution container would need to reach the project's storage over a public network only, which obviously raises security eyebrows.
There are a number of solutions I can imagine here...
a) Joining execution containers directly to the Neutron network (seems a silly idea, as it could exhaust Neutron ports and subnet IPs very quickly on smaller subnets with a large number of concurrent execution jobs)
b) Joining execution containers to a routed Neutron network + subnet (execution containers join their own network within the tenant, which is then routed via a Neutron router to the private tenant networks holding the resources; this method still involves a lot of creation, attaching and detaching of ports and heavy usage of the DHCP agent)
c) Joining a port on a Neutron router to some network namespace to provide NAT for the execution nodes (providing a bridge to an execution network external to Neutron and just bridging it via a Neutron router probably takes the strain off the Neutron agents, but would require a lot of network management within Picasso itself)
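To put a number on the port/IP exhaustion concern in option (a), here is an added capacity check (example code, not part of the blueprint or of Picasso). It assumes Neutron's usual reservations on a subnet: the IPv4 network and broadcast addresses, one gateway IP when a gateway is set, and one DHCP port per DHCP agent hosting the network; `dhcp_agents` and `existing_ports` are inputs the operator supplies.

```python
import ipaddress


def neutron_subnet_capacity(cidr, dhcp_agents=2, gateway=True):
    """Number of fixed IPs a Neutron subnet can still hand out to ports.

    Assumption (not from the blueprint): Neutron reserves the IPv4 network and
    broadcast addresses, the gateway IP when one is set, and one DHCP port per
    DHCP agent that hosts the network.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        usable = net.num_addresses - 2  # drop network and broadcast addresses
    else:
        usable = net.num_addresses  # IPv6 has no broadcast address to reserve
    reserved = (1 if gateway else 0) + dhcp_agents
    return max(usable - reserved, 0)


def check_option_a(cidr, concurrent_executions, existing_ports=0, dhcp_agents=2):
    """Option (a): one Neutron port per execution container on the tenant subnet.

    Returns (fits, free_ips): whether the requested concurrency fits alongside
    the ports already allocated (VMs, DB servers, load balancers...), and how
    many addresses are actually free for execution containers.
    """
    free = neutron_subnet_capacity(cidr, dhcp_agents) - existing_ports
    return (concurrent_executions <= free, max(free, 0))


if __name__ == "__main__":
    # Constructed example: a small tenant subnet with a handful of existing hosts.
    fits, free = check_option_a("192.168.10.0/28", concurrent_executions=20, existing_ports=3)
    print(f"fits={fits} free_ips={free}")
```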
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Robert Putt
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: