Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Achieve Docker-Compose Network functionality using NetworkPolicy in Kubernates #1188

Closed
mudverma opened this issue Nov 26, 2019 · 6 comments · Fixed by #1195
Closed

Proposal: Achieve Docker-Compose Network functionality using NetworkPolicy in Kubernates #1188

mudverma opened this issue Nov 26, 2019 · 6 comments · Fixed by #1195

Comments

@mudverma
Copy link
Contributor

mudverma commented Nov 26, 2019
edited
Loading

Currently Kompose does not support Network Key Translation. However, Network functionality is widely used is Docker World.

Consider the following interactions:

Services A1, A2 are part of net_a while Services B1, B2 are part of Net_B, there is also a gateway that is part of Both the networks (net_a and net_b). This provides an isolated environment to a subset of services. It would be interesting to achieve equivalent functionality in Kubernates via translated artefacts.

Since Kubernates follows a flat networking structure, where every pod can talk to each other by default, achieving direct Network key translation is not straight forward.

There is a proposal to treat Docker-Compose network as Namespaces in Kubernates, however, we feel that an alternate approach is required for the following reasons. #1066

We propose that using "Labels" and "NetworkPolicy" in Kubernates we can achieve same functionality as multi Networks in Docker world.

We can extract network information from docker-compose and persist them as Labels in generated/translated kubernates artefacts. Along-with, we can also generate a networkPolicy that limits the communications amongst pods with same Network Labels.

Input:
docker-compose.yaml

networks:
  app:
    external:
      name: app-network
  web:
    external:
      name: web-network
services:
  appFoo:
    image: foo:latest
    command: sh -c "echo Hello Foo"
    networks:
      app: {}
      web: {}

Output:
appfoo-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose -f docker-compose.yaml convert
    kompose.version: 1.18.0 (06a2e56)
  creationTimestamp: null
  labels:
    io.kompose.service: appfoo
  name: appfoo
spec:
  replicas: 0
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose -f docker-compose.yaml convert
        kompose.version: 1.18.0 (06a2e56)
      creationTimestamp: null
      labels:
        io.kompose.network/app-network: "true"
        io.kompose.network/web-network: "true"
        io.kompose.service: appfoo
    spec:
      containers:
      - args:
        - sh
        - -c
        - echo Hello Foo
        image: foo:latest
        name: appfoo
        resources: {}
      restartPolicy: Always
status: {}

web-network-networkpolicy.yaml:

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: web-network
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          io.kompose.network/web-network: "true"
  podSelector:
    matchLabels:
      io.kompose.network/web-network: "true"

app-network-networkpolicy.yaml:

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: app-network
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          io.kompose.network/app-network: "true"
  podSelector:
    matchLabels:
      io.kompose.network/app-network: "true"
@mudverma
Copy link
Contributor Author

The reason we chose 'label' over 'namespace' is the following:
a) 'Namespace' is a much harder segregation than 'label'. When somebody thinks of 'Namespace', they are looking at the level of two different projects. For example, in Openshift, each project is defined as a namespace.
b) There can be pod that is shared across multiple networks, which is much easier to implement using labels.
c) When a user gets access to a cluster to deploy a project, in many cases the infra teams give access to a single namespace, and the user does not have access to creating a new namespace. A single project in many cases have multiple networks.
d) 'network' segregation does not mean 'namespace' segregation, and this helps us keep the concepts separate.

This was referenced Nov 26, 2019
Closed
Closed
@hangyan
Copy link
Contributor

hangyan commented Nov 28, 2019

Agreed.

@mudverma mudverma mentioned this issue Nov 28, 2019
Closed
@jvitor83 jvitor83 mentioned this issue Nov 29, 2019
Closed
@mudverma mudverma mentioned this issue Nov 30, 2019
Merged
@mudverma
Copy link
Contributor Author

@hangyan If possible, could you please review the merge request #1195 for network key translation.

@hangyan
Copy link
Contributor

hangyan commented Dec 1, 2019

@mudverma Thanks!

@mudverma mudverma mentioned this issue Dec 2, 2019
Closed
@mudverma
Copy link
Contributor Author

mudverma commented Dec 2, 2019

Thanks @hangyan. Much appreciated your prompt review. May you also please review minor change in network integration tests that I forgot to add in earlier PR. Issue is #1196 PR is #1197

@jvitor83 jvitor83 mentioned this issue Dec 4, 2019
Closed
@paularah
Copy link

paularah commented Jul 5, 2022

@mudverma I know this issue has been closed and implemented. In the case that the network is an external network, I don't think network polices are exactly the right k8s abstraction for this

@martinjirku martinjirku mentioned this issue Mar 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Network Key Translation Feature and test cases
Network Translation
Network Key Translation
3 participants
@hangyan @mudverma @paularah