Comments (4)
Hi,
I confirm this issue and I managed to make it work with the following `netpol`, which is a bit more restricted:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dask-network-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: dask-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - from:
        - podSelector:
            matchLabels:
              app: jupyterhub
  egress:
    - ports:
        - port: 6443
        - port: 53
          protocol: UDP
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - to:
        - podSelector:
            matchLabels:
              app: jupyterhub
```
from helm-chart.
@Ph0tonic Thank you for confirming and providing a more restrictive `netpol`. Unfortunately, when I apply that `netpol` on a generic deployment I am still getting packet drops for the hub pod to the traefik pod on port 8000.
```
Mar 15 12:00:07.234: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 12:00:08.278: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
```
If I allow egress port 8000 (via the 6443 workaround) for the hub pod then I receive blocks from the proxy pod to the traefik pod:
```
Mar 15 13:11:07.854: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:11:08.886: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
```
If I modify the proxy networkpolicy and allow egress for port 8000 then I receive blocks from the singleuser pod to the traefik pod:
```
Mar 15 13:14:07.052: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:14:08.109: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
```
I then modified the singleuser networkpolicy to allow egress for port 8000 and everything works.
Since this chart is designed to deploy two sub-charts, I think it should address the networkpolicies to allow correct communications between the two deployments. The root issue is with the jupyterhub egress networkpolicies. I tried to address this with a helm values file:
```yaml
jupyterhub:
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
            - port: 8000
  chp:
    networkPolicy:
      egress:
        - ports:
            - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - ports:
            - port: 8000
```
However, this chart doesn't understand the `chp:` part which is for the proxy pod that is defined in the jupyterhub chart. If the values file lacks the `chp:` part then it addresses the hub and singleuser pods but the proxy networkpolicy still needs manual modification.
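Added example, not part of the original thread: a small Python script that groups policy-denied drops like the ones quoted above by source workload, destination workload and port, so every missing egress rule is listed at once instead of being found one retry at a time. The pod-name suffix pattern is a heuristic assumption, and the final FORWARDED line in the sample is constructed.

```python
import re
from collections import Counter

# The six drop lines quoted in the comment above, plus one constructed
# FORWARDED line (not from the thread) to show that allowed flows are skipped.
SAMPLE = """\
Mar 15 12:00:07.234: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 12:00:08.278: jhub01/hub-6cdf59cc94-x4zmf:54686 (ID:154794) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-fghxd:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:11:07.854: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:11:08.886: jhub01/proxy-84cd6496dc-64jvb:47066 (ID:138248) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:14:07.052: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:14:08.109: jhub01/jupyter-test:49324 (ID:132715) <> jhub01/traefik-jhub01-dask-gateway-7665b69c66-cqkbg:8000 (ID:135336) Policy denied DROPPED (TCP Flags: SYN)
Mar 15 13:20:00.000: jhub01/jupyter-test:49400 (ID:132715) -> jhub01/hub-6cdf59cc94-x4zmf:8081 (ID:154794) to-endpoint FORWARDED (TCP Flags: SYN)
"""

# namespace/pod:port (ID:n) <direction> namespace/pod:port (ID:n) verdict (TCP Flags: ...)
FLOW = re.compile(
    r"(?P<src_ns>[^/\s]+)/(?P<src_pod>[^:\s]+):(?P<sport>\d+) \(ID:\d+\) "
    r"(?:<>|->) "
    r"(?P<dst_ns>[^/\s]+)/(?P<dst_pod>[^:\s]+):(?P<dport>\d+) \(ID:\d+\) "
    r"(?P<verdict>.*?) \(TCP Flags: (?P<flags>[^)]*)\)"
)

# Heuristic (assumption): Deployment pods end in -<replicaset hash>-<5 chars>.
POD_SUFFIX = re.compile(r"-[a-z0-9]{8,10}-[a-z0-9]{5}$")


def workload(ns, pod):
    """Collapse replicas of one Deployment into a single namespace/name key."""
    return f"{ns}/{POD_SUFFIX.sub('', pod)}"


def denied_flows(text):
    """Count policy drops per (source workload, destination workload, port)."""
    flows = Counter()
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m or "Policy denied DROPPED" not in m["verdict"]:
            continue
        key = (workload(m["src_ns"], m["src_pod"]),
               workload(m["dst_ns"], m["dst_pod"]), int(m["dport"]))
        flows[key] += 1
    return flows


if __name__ == "__main__":
    for (src, dst, port), n in denied_flows(SAMPLE).items():
        print(f"{n} drops: {src} -> {dst} port {port}")
```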
Oh, sorry, indeed I only mentioned the config for dask-gateway; here is my config for the JupyterHub Helm chart:
```yaml
values:
  proxy:
    chp:
      networkPolicy:
        egress:
          - to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/name: dask-gateway
            ports:
              - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
```
And the additional config as previously provided:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dask-network-policy
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: dask-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - from:
        - podSelector:
            matchLabels:
              app: jupyterhub
  egress:
    - ports:
        - port: 6443
        - port: 53
          protocol: UDP
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: dask-gateway
    - to:
        - podSelector:
            matchLabels:
              app: jupyterhub
```
However, I agree that it would be nice to have those configs as default.
@Ph0tonic Thank you! With the values you provided I have managed to make dask-gateway function with jupyterhub.
For others that may come upon this issue, these values work for the daskhub chart:
```yaml
jupyterhub:
  proxy:
    chp:
      networkPolicy:
        egress:
          - to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/name: dask-gateway
            ports:
              - port: 8000
  singleuser:
    networkPolicy:
      egress:
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
  hub:
    networkPolicy:
      egress:
        - ports:
            - port: 6443
        - to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: dask-gateway
          ports:
            - port: 8000
```
I do think these values should be defined by default when deploying the daskhub chart so dask-gateway works with jupyterhub.
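Added example, not part of the original thread or the chart: a minimal Python evaluator for the egress rules posted above, showing what scoping port 8000 with a `podSelector` changes compared with the earlier port-only rule. It models only same-namespace `podSelector` peers and only the rules shown here (not the chart's built-in ones), and the destination pod labels are assumptions.

```python
def selector_matches(selector, labels):
    """matchLabels only: every selector key/value must be present on the pod."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def rule_allows(rule, dst_labels, port, protocol="TCP"):
    """Inside one egress rule `to` and `ports` are ANDed; an absent field matches all."""
    peers = rule.get("to")
    if peers and not any(selector_matches(p.get("podSelector", {}), dst_labels)
                         for p in peers):
        return False
    ports = rule.get("ports")
    if ports and not any(p.get("port") in (None, port)
                         and p.get("protocol", "TCP") == protocol for p in ports):
        return False
    return True


def egress_allowed(rules, dst_labels, port, protocol="TCP"):
    """The rules of a policy are ORed: one matching rule is enough."""
    return any(rule_allows(r, dst_labels, port, protocol) for r in rules)


GATEWAY = {"matchLabels": {"app.kubernetes.io/name": "dask-gateway"}}
# singleuser egress from the earlier values file: port 8000 to any destination.
PORT_ONLY = [{"ports": [{"port": 8000}]}]
# singleuser/proxy egress from the working values: port 8000 to dask-gateway pods only.
SCOPED = [{"to": [{"podSelector": GATEWAY}], "ports": [{"port": 8000}]}]
# hub egress from the working values: unscoped 6443 plus the scoped 8000 rule.
HUB = [{"ports": [{"port": 6443}]}] + SCOPED

# Assumed destination pod labels (not shown in the thread).
TRAEFIK = {"app.kubernetes.io/name": "dask-gateway"}
OTHER = {"app": "unrelated-service"}  # hypothetical pod in the same namespace

if __name__ == "__main__":
    for name, rules in (("port-only", PORT_ONLY), ("scoped", SCOPED), ("hub", HUB)):
        for dst_name, dst in (("traefik", TRAEFIK), ("other", OTHER)):
            for port in (8000, 6443):
                verdict = "allow" if egress_allowed(rules, dst, port) else "deny"
                print(f"{name:9} -> {dst_name:7} :{port} {verdict}")
```

The `HUB` rows show that the `port: 6443` rule still applies to any destination even though port 8000 is now limited to dask-gateway pods.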