Comments (4)

Ph0tonic commented on July 28, 2024

Hi,
I confirm this issue and I managed to make it work with the following netpol which is a bit more restricted:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dask-network-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: dask-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - from:
        - podSelector:
            matchLabels:
              app: jupyterhub
  egress:
    - ports:
        - port: 6443
        - port: 53
          protocol: UDP
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - to:
        - podSelector:
            matchLabels:
              app: jupyterhub

from helm-chart.

kcote-ncar commented on July 28, 2024

@Ph0tonic Thank you for confirming and providing a more restrictive netpol. Unfortunately, when I apply that netpol on a generic deployment I am still getting packet drops for the hub pod to the traefik pod on port 8000.

Mar 15 12:00:07.234: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 12:00:08.278: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)

If I allow egress port 8000 (via the 6443 workaround) for the hub pod then I receive blocks from the proxy pod to the traefik pod:

Mar 15 13:11:07.854: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:11:08.886: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)

If I modify the proxy networkpolicy and allow egress for port 8000 then I receive blocks from the singleuser pod to the traefik pod:

Mar 15 13:14:07.052: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:14:08.109: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)

I then modified the singleuser networkpolicy to allow egress for port 8000 and everything works.

Since this chart is designed to deploy two sub-charts, I think it should address the networkpolicies to allow correct communications between the two deployments. The root issue is with the jupyterhub egress networkpolicies. I tried to address this with a helm values file:

jupyterhub:
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
            - port: 8000
  chp:
    networkPolicy:
      egress:
        - ports:
            - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - ports:
            - port: 8000

However, this chart doesn't understand the chp: part which is for the proxy pod that is defined in the jupyterhub chart. If the values file lacks the chp: part then it addresses the hub and singleuser pods but the proxy networkpolicy still needs manual modification.

from helm-chart.
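
An added example, not part of the thread: a small parser that groups "Policy denied DROPPED" lines in the format quoted above by source workload, so every blocked path shows up at once instead of one policy fix at a time. The sample list reuses drop lines from the comment plus one constructed FORWARDED line; the pod-name suffix pattern and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Line layout as quoted in the comment above:
#   <time>: ns/pod:port (ID:n) <> ns/pod:port (ID:n) <verdict> (<proto> ...)
FLOW = re.compile(
    r"(?P<src_ns>[\w.-]+)/(?P<src_pod>[\w.-]+):\d+ \(ID:\d+\) (?:<>|->) "
    r"(?P<dst_ns>[\w.-]+)/(?P<dst_pod>[\w.-]+):(?P<dst_port>\d+) \(ID:\d+\) "
    r"(?P<verdict>.+?) \((?P<proto>TCP|UDP)\b")
# Assumption: Deployment pods end in -<replicaset hash>-<5 chars>; strip it.
POD_SUFFIX = re.compile(r"-[a-z0-9]{8,10}-[a-z0-9]{5}$")

def workload(pod):
    return POD_SUFFIX.sub("", pod)

def dropped_flows(lines):
    """Count drops per (source workload, destination workload, port, proto)."""
    drops = Counter()
    for line in lines:
        m = FLOW.search(line)
        if not m or "DROPPED" not in m["verdict"]:
            continue  # unparsable line, or a flow that was allowed
        drops[(f'{m["src_ns"]}/{workload(m["src_pod"])}',
               f'{m["dst_ns"]}/{workload(m["dst_pod"])}',
               int(m["dst_port"]), m["proto"])] += 1
    return drops

def denied_by_source(drops):
    """Per source workload, the destinations whose policies need review
    (source egress rules and destination ingress rules)."""
    needed = {}
    for src, dst, port, proto in sorted(drops):
        needed.setdefault(src, []).append((dst, port, proto))
    return needed

SAMPLE = [  # first four lines are from the comment; the last one is constructed
    "Mar 15 12:00:07.234: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)",
    "Mar 15 12:00:08.278: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)",
    "Mar 15 13:11:07.854: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)",
    "Mar 15 13:14:07.052: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)",
    "Mar 15 13:20:01.000: jhub01/jupyter-test:49400 (ID:132715) -> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) to-endpoint FORWARDED (TCP Flags: SYN)",
]

if __name__ == "__main__":
    for src, rules in denied_by_source(dropped_flows(SAMPLE)).items():
        for dst, port, proto in rules:
            print(f"{src} -> {dst} {proto}/{port}: denied by policy")
```

Run over a full capture, the output lists hub, proxy and jupyter-test together, which is the set of three egress policies the thread ends up changing.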

Ph0tonic commented on July 28, 2024

Oh, sorry, indeed I only mentioned the config for dask-gateway. Here is my config for the JupyterHub Helm chart:

values:
  proxy:
    chp:
      networkPolicy:
        egress:
          - to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/name: dask-gateway
            ports:
              - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000

And the additional config as previously provided:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dask-network-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: dask-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - from:
        - podSelector:
            matchLabels:
              app: jupyterhub
  egress:
    - ports:
        - port: 6443
        - port: 53
          protocol: UDP
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - to:
        - podSelector:
            matchLabels:
              app: jupyterhub

However, I agree that it would be nice to have those configs as default.

from helm-chart.

kcote-ncar commented on July 28, 2024

@Ph0tonic Thank you! With the values you provided I have managed to make dask-gateway function with jupyterhub.

For others that may come upon this issue, these values work for the daskhub chart:

jupyterhub:
  proxy:
    chp:
      networkPolicy:
        egress:
          - to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/name: dask-gateway
            ports:
              - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000

I do think these values should be defined by default when deploying the daskhub chart so dask-gateway works with jupyterhub.

from helm-chart.
