Contributors:
Isaku Yamahata <isaku.yamahata@intel.com> <isaku.yamahata@gmail.com>
Bin Hu <bh526r@att.com>
Munish Agarwal <munish.agarwal@ericsson.com>
Please put your name here.com>
Bin Hu <bh526r@att.com>
Munish Agarwal <munish.agarwal@ericsson.com>
Earle West (ew8463@att.com
Please put your name here
Affected Projects and PTLs for socialization
| Project | PTL | impact and notes | feedback etc |
|---|---|---|---|
modeling | Hui Deng | new Newms of Data model to describe k8s node/COE instead of compute/opentstack | |
| SDC | Michael Lando | ||
| SO | multi-cloud adaptoer to call multicloud k8s driver. For Beijing release. ARIA adaptor which already was merged will be utilized with config twist. | ||
| OOF & policy | New policy to use COE to run VNF in container. OOF does only match making. | ||
| A&AI/EST | new name to represent k8s or COE. schema extensions to represent k8s data(key value pairs). | ||
| multicloud | new k8s plugin | ||
| controllers/APP-C | no ipact or new adaptor |
https://gerrit.onap.org/r/#/c/
...
30027/
the discussion is continued at the above spec document. Please review/comment there.
...
Similar to other case, k8s plugin has its own URL prefix so that it doesn’t affect other multicloud northbound API.
Base URL for kubernets plugin
...
For details of kubernetes API, please refer to https://kubernetes.io/docs/reference/api-overview/
Note: kubernetes doesn’t have concept of region, tenant.(at this point). So region and tenant_id isn’t in path.
...
8. Kubernetes cluster authentication
Note: https://kubernetes.io/docs/admin/authentication
Because Kubernetes cluster installation is not mentioned, we should treat all users as normal users when authenticate to Kubernetes VIM. There are several ways to authenticate Kubernetes cluster:
8.0.1. Using kubeconfig file
Users provide each Kubernetes VIM information as a cluster, user or context in kubeconfig files.
apiVersion: v1
clusters:
- cluster:
certificate-authority: fake-ca-file
server: https://1.2.3.4
name: development
- cluster:
insecure-skip-tls-verify: true
server: https://5.6.7.8
name: scratch
contexts:
- context:
cluster: development
namespace: frontend
user: developer
name: dev-frontend
- context:
cluster: scratch
namespace: default
user: experimenter
name: exp-scratch
current-context: ""
kind: Config
preferences: {}
users:
- name: developer
user:
client-certificate: fake-cert-file
client-key: fake-key-file
In this scenario, when user want to deploy a VNF, user should provide:
...
Details for configure access multiple clusters, please refer to https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters
8.0.2. Using Bearer token
Similar as above approach, but we only store some necessary parameter to validate an user using Bearer token. When register a Kubernetes VIM, user should fill in the following information:
Kubernetes API address: The address and port of the Kubernetes API server (e.g. 192.168.1.2:6443)
Bearer token: Bearer token for authentication to the API server
Client certificate file: Path to a client certificate file for TLS (optional)
8.0.3. Using basic authentication
Different way, username and password for authenticating
...
Past presentations/proposals
Munish proposal: https://schd.ws/hosted_files/onapbeijing2017/dd/Management%20of%20Cloud%20Native%20VNFs%20with%20ONAP%20PA5.pptx
Isaku proposal:https://schd.ws/hosted_files/onapbeijing2017/9d/onap-kubernetes-arch-design-proposal.pdf
Bin Hu proposal:https://wikilf-onap.onapatlassian.orgnet/wiki/download/attachments/1600789016255887/ONAP-SantaClara-BinHu-final.pdf?version=1&modificationDate=1513558701000&api=v2
https://wikilf-onap.onapatlassian.orgnet/wiki/display/DW/RESTful+API+Design+Specification