8th chunk of `content/en/blog/_posts/2016-10-00-Kubernetes-And-Openstack-At-Yahoo-Japan.md`
**Authentication**

With a Kubernetes plugin, OpenStack Keystone can be used for authentication. By passing the Keystone auth URL to the Kubernetes API server at startup (the `--experimental-keystone-url` flag of that era), users can authenticate with their OpenStack OS\_USERNAME and OS\_PASSWORD. This plugin validates a username and password on every request: the credentials reach the API server as HTTP basic auth and are checked against Keystone, so the API server must only be exposed over TLS and the Keystone endpoint itself must be reached over a verified HTTPS connection.

**Authorization**

We currently use the ABAC (Attribute-Based Access Control) mode of Kubernetes authorization. We worked with a consulting company, Solinea, who helped create a utility that converts OpenStack Keystone user and tenant information into the Kubernetes JSON policy file, mapping ABAC user and namespace entries to OpenStack tenants. We then specify that policy file when launching the Kubernetes API server (`--authorization-mode=ABAC --authorization-policy-file=<path>`). The utility also creates namespaces from the tenant information. Together, these configurations let Kubernetes authenticate against OpenStack Keystone and confine each user to the namespaces they are authorized for. One operational caveat of ABAC is that the policy file is read only at startup, so the API server has to be restarted after each conversion run before new or removed users take effect.

**Volumes and Data Persistence**

Kubernetes provides the "Persistent Volumes" subsystem, which serves as persistent storage for Pods. Persistent Volumes support cloud-provider storage, so with OpenStack configured as the cloud provider (`--cloud-provider=openstack` together with a cloud config file that carries Keystone credentials) it is possible to use OpenStack cinder-volume. Because that cloud config holds service credentials in plain text on every node that runs a kubelet, it needs the same file permissions and handling as any other secret.

**Networking**

Flannel and various other networking models exist for Kubernetes; we used Project Calico for this project. Yahoo! JAPAN recommends building data centers with pure L3 networking, such as redistributing ARP or IP CLOS networking, and Project Calico matches this direction. With an overlay model like Flannel, Pod IPs cannot be reached from outside the Kubernetes cluster; Project Calico makes that possible. We also use Project Calico for the load balancing described later.
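The conversion step in the Authorization section above is easy to get subtly wrong, so here is an added example (written for this page, not Solinea's or Yahoo! JAPAN's utility, whose format is not shown) of turning Keystone role assignments into the two artifacts the text names: the JSON Lines ABAC policy file passed to `--authorization-policy-file`, and Namespace manifests for each tenant. The sample assignment list is constructed; the `keystone-tenant` annotation key and the choice of one read-write policy per (user, namespace) pair are this example's own assumptions. The `user` value in each policy must equal the OS\_USERNAME that the Keystone plugin reports, and tenant names are sanitized to DNS-1123 labels with a check that two distinct tenants never collapse into one namespace, which would silently merge their access.

```python
"""Convert Keystone role assignments into a Kubernetes ABAC policy file and
Namespace manifests. Added example; not the utility described in the post."""
import json
import re

ABAC_API_VERSION = "abac.authorization.kubernetes.io/v1beta1"

# Constructed sample input: roughly what a dump of Keystone role assignments
# (user, tenant/project, role) looks like. Not real Yahoo! JAPAN data.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice", "tenant": "Team_Web", "role": "Member"},
    {"user": "bob", "tenant": "Team_Web", "role": "Member"},
    {"user": "bob", "tenant": "analytics", "role": "Member"},
    {"user": "carol", "tenant": "analytics", "role": "admin"},
]

# Kubernetes namespace names must be DNS-1123 labels: lowercase alphanumerics
# and '-', at most 63 characters, starting and ending with an alphanumeric.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def tenant_to_namespace(tenant):
    """Derive a valid namespace name from a Keystone tenant (project) name."""
    name = re.sub(r"[^a-z0-9-]", "-", tenant.lower())
    name = re.sub(r"-{2,}", "-", name).strip("-")[:63].rstrip("-")
    if not DNS_LABEL.match(name):
        raise ValueError(f"cannot derive a namespace name from tenant {tenant!r}")
    return name


def build_namespace_map(assignments):
    """Map namespace -> tenant, refusing to merge two distinct tenants.

    Sanitizing is lossy ('Team_Web' and 'Team-Web' both become 'team-web');
    silently merging them would let members of one tenant act in the other's
    namespace, so that case is an error rather than a warning.
    """
    namespaces = {}
    for a in assignments:
        ns = tenant_to_namespace(a["tenant"])
        existing = namespaces.setdefault(ns, a["tenant"])
        if existing != a["tenant"]:
            raise ValueError(
                f"tenants {existing!r} and {a['tenant']!r} both map to namespace {ns!r}"
            )
    return namespaces


def policy(**spec):
    """One ABAC policy object, i.e. one line of the policy file."""
    return {"apiVersion": ABAC_API_VERSION, "kind": "Policy", "spec": spec}


def abac_policies(assignments):
    """Build the policy list: one read-write line per (user, namespace) pair."""
    policies = [
        # kubectl reads /api, /apis, /version for discovery; grant every
        # authenticated user read-only access to non-resource paths.
        policy(user="*", readonly=True, nonResourcePath="*"),
    ]
    # In a real cluster the kubelet, scheduler and controller-manager
    # identities also need lines here, because ABAC gates every request.
    seen = set()
    for a in assignments:
        key = (a["user"], tenant_to_namespace(a["tenant"]))
        if key in seen:  # several roles on one tenant collapse to one line
            continue
        seen.add(key)
        user, ns = key
        # 'user' must match the OS_USERNAME reported by the Keystone plugin.
        policies.append(policy(user=user, namespace=ns, resource="*", apiGroup="*"))
    return policies


def render_policy_file(policies):
    """The ABAC file format is JSON Lines: exactly one policy object per line."""
    return "".join(json.dumps(p, sort_keys=True) + "\n" for p in policies)


def namespace_manifests(namespace_map):
    """Namespace objects to create, annotated with the originating tenant."""
    return [
        {
            "apiVersion": "v1",
            "kind": "Namespace",
            "metadata": {"name": ns, "annotations": {"keystone-tenant": tenant}},
        }
        for ns, tenant in sorted(namespace_map.items())
    ]


if __name__ == "__main__":
    print(render_policy_file(abac_policies(SAMPLE_ASSIGNMENTS)))
    for manifest in namespace_manifests(build_namespace_map(SAMPLE_ASSIGNMENTS)):
        print(json.dumps(manifest))
```

Run the script, write the first output to the path given to `--authorization-policy-file`, apply the Namespace manifests with `kubectl`, and restart the API server so the new ABAC file is loaded. Re-running it after a tenant is removed from Keystone drops that tenant's lines, which is the only way, under ABAC, to revoke access.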



[Network diagram](https://s.yimg.jp/images/tecblog/2016-1H/os_n_k8s/network.png)

In Project Calico, production IPs are advertised over BGP by BIRD (open-source routing software) running in a container on each Kubernetes node. By default, routes are advertised within the cluster only. By configuring peering with routers outside the cluster, Pods become reachable from outside it. Once Pod IPs are routable from the data center network in this way, the cluster boundary no longer acts as a network filter, so access to Pods has to be controlled with network policy, and only trusted routers should be accepted as BGP peers.

**External Service Load Balancing**

Title: Kubernetes Authentication with Keystone, Volumes and Networking with Calico and BGP
Summary
This section describes how Kubernetes authenticates users against OpenStack Keystone and authorizes them with ABAC (Attribute-Based Access Control) policies generated from Keystone user and tenant information. It explains the use of Persistent Volumes backed by OpenStack cinder-volume for data persistence. Networking is built on Project Calico to follow a pure L3 design and make Pod IPs reachable from outside the cluster. BIRD containers on each node advertise production IPs over BGP, and peering with external routers extends that reachability beyond the cluster.