Fix Network Policy documentation

Adds additional configuration needed to fully enable Network Policy
functionality.

Closes-Bug: #1811370
Change-Id: I785e703dcd83201ffa3e9cc92c31466087770890
Maysa Macedo 2019-01-11 11:20:42 +00:00 committed by Maysa de Macedo Souza
parent d4929ef243
commit d490b08cb7
1 changed files with 22 additions and 5 deletions

@ -1,13 +1,13 @@
Enable network policy support functionality
===========================================
Enable the policy handler to respond to network policy events. As this is not
done by default you'd have to explicitly add that to the list of enabled
Enable policy, pod_label and namespace handlers to respond to network policy events.
As this is not done by default you'd have to explicitly add that to the list of enabled
handlers at kuryr.conf (further info on how to do this can be found at
:doc:`./devstack/containerized`)::
[kubernetes]
enabled_handlers=vif,lb,lbaasspec,policy,pod_label
enabled_handlers=vif,lb,lbaasspec,policy,pod_label,namespace
After that, enable also the security group drivers for policies::
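Review bot: In the rewritten opening paragraph, "you'd have to explicitly add that to the list of enabled handlers" keeps the singular "that" although the sentence now names three handlers (policy, pod_label and namespace); suggest "add them". The first new line is also wrapped noticeably longer than the lines it replaces, so the paragraph should be re-wrapped to match the rest of the file. Since the change exists because the policy handler alone is not sufficient, a short phrase on what the pod_label and namespace handlers contribute would tell an operator why all three must be present for network policy to be fully enabled.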
@ -15,6 +15,22 @@ After that, enable also the security group drivers for policies::
service_security_groups_driver = policy
pod_security_groups_driver = policy
Enable the namespace subnet driver by modifying the default pod_subnet_driver
option::
[kubernetes]
pod_subnets_driver = namespace
Select the subnet pool from where the new subnets will get their CIDR::
[namespace_subnet]
pod_subnet_pool = SUBNET_POOL_ID
Lastly, select the router where the new subnet will be connected::
[namespace_subnet]
pod_router = ROUTER_ID
Note you need to restart the kuryr controller after applying the above step.
For devstack non-containerized deployments::
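Review bot: The new paragraph names the option "pod_subnet_driver", but the sample directly below it sets "pod_subnets_driver = namespace"; the two spellings should be aligned so readers copy the correct key into kuryr.conf. The two consecutive [namespace_subnet] samples could be one block carrying both pod_subnet_pool and pod_router, and the text does not say how to obtain SUBNET_POOL_ID and ROUTER_ID. The closing "after applying the above step" now follows several steps, so "steps" would read better.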
@ -26,10 +42,11 @@ Same for containerized deployments::
$ kubectl -n kube-system delete pod KURYR_CONTROLLER_POD_NAME
For directly enabling the driver when deploying with devstack, you just need
to add the policy handler and drivers with::
to add the policy, pod_label and namespace handler and drivers with::
KURYR_ENABLED_HANDLERS=vif,lb,lbaasspec,policy,pod_label
KURYR_ENABLED_HANDLERS=vif,lb,lbaasspec,policy,pod_label,namespace
KURYR_SG_DRIVER=policy
KURYR_SUBNET_DRIVER=namespace
Testing the network policy support functionality
------------------------------------------------
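Review bot: In "to add the policy, pod_label and namespace handler and drivers with::", "handler" should be plural now that three are listed. The devstack sample gains KURYR_SUBNET_DRIVER=namespace but nothing corresponding to pod_subnet_pool and pod_router, which the manual configuration earlier in this change presents as required; please state whether devstack provisions the subnet pool and router itself or which variables set them, so a devstack deployment does not end up with the namespace driver enabled and no pool or router configured.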