Describe node analysis deployment configurations#75
Conversation
| * [NetworkPolicy](#network-policy) | ||
|
|
||
| ## Deployments | ||
| When a FLAME Analysis is started, the Pod Orchestrator service creates two separate deployments: one for the analysis itself, and one for a nginx instance. Both are required for the analysis to be able to run and transmit its results, but as shown below, both have very stringent policies in place to severely limit their traffic. |
There was a problem hiding this comment.
The network policy is only on the analysis, not the nginx I would write it more like this
"When a FLAME Analysis is started, the Pod Orchestrator service creates two separate deployments: one for the analysis itself and one for an NGINX instance. Both are required for the analysis to run and transmit its results. A network policy is placed on the analysis pod that only allows communication from the analysis pod to the NGINX deployment (and to the K8s DNS to resolve the NGINX address). "
| ### Nginx Deployment | ||
| Nginx serves as a sidecar proxy, acting as the *only* means of communication between the analysis pod and everything else. The partnered analysis container can communicate only through the endpoints defined within this Nginx deployment (endpoint descriptions can be found in the [ConfigMap](#configmap) section), and like the analysis deployment, the same restrictive Network Policy is applied to the pods in this deployment through the use of specific labels and selectors. | ||
|
|
||
| The created Nginx pod is only capable of communication with the partnered analysis pod, itself, and the DNS service for your kubernetes cluster. Because the analysis pod needs to communicate with other FLAME components, it must be able to discover those services within the kubernetes cluster and thus requires access to the kubernetes DNS service to resolve these service names. |
There was a problem hiding this comment.
"The created Nginx pod is configured to only communicate with the partnered analysis pod, the other Flame components."
ther is no restriction from the network policy on the nginx so it should not be hear
| ``` | ||
|
|
||
| ## ConfigMap | ||
| A kubernetes [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) is used in the FLAME Node to define the endpoints for the Nginx sidecar pod by providing the imported Nginx configuration. Because the traffic from the analysis pod is tightly controlled, it is necessary to pre-define the Nginx endpoints with which this pod can use for communication and transmitting results. The endpoints are to enable communication with other Flame Node components and are configured such that each one will only accept connections from the analysis container (as defined by its Service IP). |
There was a problem hiding this comment.
I would just link back to the nginx template and keep it form repeating
"A kubernetes ConfigMap is used in the FLAME Node to define the endpoints for the Nginx sidecar pod by providing the imported Nginx configuration."
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| app: <analysis deployment name> |
There was a problem hiding this comment.
Hear only the analysis, not the nginx
| ``` | ||
|
|
||
| ## Network Policy | ||
| The Network Policy resource is a policy which restricts traffic either exiting (egress) or entering (ingress) a matching pod. It is applied to any pod with a matching label, in the case of the FLAME Node, the label is `app: <analysis deployment name>` meaning that any resource in the kubernetes cluster with a matching label selector will have this network policy applied to it e.g. the analysis and nginx pods. the applied policy contains rules for both ingress and egress. The ingress policy makes it so that only traffic coming from the associated Nginx pod is allowed, while the egress policy only allows requests to be sent to either the Nginx pod or the kubernetes cluster's DNS pod. |
There was a problem hiding this comment.
The Network Policy resource is a policy that restricts traffic either entering (ingress) or exiting (egress) a matching pod. It is applied to any pod with a matching label. In the case of the FLAME Node, the label is app: <analysis deployment name>, meaning that any resource in the Kubernetes cluster with a matching label selector will have this network policy applied to it, e.g., the analysis.
|
@brucetony We're going to create another commit with our changes in a bit. |
Co-authored-by: Nightknight3000 <alexander.roehl@uni-tuebingen.de>
Co-authored-by: Nightknight3000 <alexander.roehl@uni-tuebingen.de>
3 participants
No description provided.