Sync GESIS node Network Policy with mybinder.org federation #2788
https://github.com/jupyterhub/mybinder.org-deploy/blob/main/mybinder/templates/netpol.yaml is being deployed on the GESIS cluster as
(part of the specs omitted) and the Docker-in-Docker pod is
successfully. Calico/Tigera Operator is running
Does anyone see what I am missing? Thanks!
I might have discovered the missing piece:
I fixed the CalicoNetwork IPPool in the GESIS node. I tested using a deny-all configuration and the Network Policy is working. The problem now is that the BinderHub namespace has 3 Network Policies:
Is it possible the NetworkPolicy controller doesn't quite implement policies in the way it's meant to? In #2698 I had a lot of problems with the AWS network policy controller, so I ended up overriding the policies after a lot of trial and error. See the

One method I found useful for debugging was to create a pod.yaml for an image like netshoot, copying the annotations and labels from one of the Jupyter pods. If you deploy this pod, the annotations/labels mean it should have the same Network Policy restrictions as the Jupyter pod in question, and so you can then

E.g.

```yaml
# kubectl apply -f pod.yaml
# kubectl exec -it host-shell -- bash
---
apiVersion: v1
kind: Pod
metadata:
  name: host-shell
  # Same labels as the hub pod, so the same NetworkPolicies select this pod
  labels:
    app: jupyterhub
    component: hub
    hub.jupyter.org/network-access-proxy-api: "true"
    hub.jupyter.org/network-access-proxy-http: "true"
    hub.jupyter.org/network-access-singleuser: "true"
    release: curvenote
spec:
  # Uncomment if you need to connect to a specific node
  # nodeSelector:
  #   kubernetes.io/hostname: nodename.k8s.example.org
  containers:
    - name: host-shell
      command:
        - sleep
      args:
        - 1h
      image: docker.io/nicolaka/netshoot:v0.11
      imagePullPolicy: IfNotPresent
      securityContext:
        privileged: true
  restartPolicy: Never
  # Same tolerations as the Jupyter pods, so it can land on the dedicated user nodes
  tolerations:
    - effect: NoSchedule
      key: hub.jupyter.org/dedicated
      operator: Equal
      value: user
    - effect: NoSchedule
      key: hub.jupyter.org_dedicated
      operator: Equal
      value: user
```
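Working out by hand which of several overlapping policies select a pod is where this kind of confusion usually starts. The following is an added example, not code from this issue or from mybinder.org-deploy: it implements the Kubernetes NetworkPolicy selection semantics (podSelector matchLabels and matchExpressions, union over all selecting policies, per-direction isolation derived from policyTypes) so you can compute what a pod with host-shell's labels should be subject to and compare that with what Calico actually enforces. The policy objects at the bottom are constructed samples, not the chart's real netpol.yaml.

```python
from typing import Dict, List


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """True if a label selector selects the pod; {} selects every pod."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def applicable_policies(policies: List[dict], labels: Dict[str, str]) -> List[str]:
    """Names of the policies whose spec.podSelector selects the pod."""
    return [p["metadata"]["name"] for p in policies
            if selector_matches(p["spec"].get("podSelector", {}), labels)]


def isolation(policies: List[dict], labels: Dict[str, str]) -> Dict[str, bool]:
    """Per direction, is the pod isolated (denied unless some rule allows it)?"""
    isolated = {"Ingress": False, "Egress": False}
    for p in policies:
        spec = p["spec"]
        if not selector_matches(spec.get("podSelector", {}), labels):
            continue
        # policyTypes defaults to Ingress, plus Egress only if egress rules exist
        default = ["Ingress"] + (["Egress"] if "egress" in spec else [])
        for direction in spec.get("policyTypes", default):
            isolated[direction] = True
    return isolated


# Constructed sample policies, shaped like the chart's but not copied from it.
SAMPLE_POLICIES = [
    {"metadata": {"name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "hub"},
     "spec": {"podSelector": {"matchLabels": {"app": "jupyterhub", "component": "hub"}},
              "ingress": [{}], "policyTypes": ["Ingress"]}},
]
```

Feed it the output of `kubectl get networkpolicy -o json` and the labels of the pod under test; if the computed isolation disagrees with what the netshoot pod can actually reach, the CNI, not the policy objects, is the thing to look at.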
Thanks @manics. I followed your suggestion for debugging.
The GESIS node configuration is deployed using GitLab CI (similar to GitHub Actions). The core steps are
The GESIS node is running Kubernetes with Calico as the Container Network Interface (CNI) plugin.
The Helm Chart loads
I think that I'm missing an important step here. Any help?