Considerations when using the OpenStack cloud provider

The OpenStack cloud provider for Kubernetes has several requirements in OpenStack, which are outlined in the OpenStack cloud provider Overview section.

In addition to component requirements, there are operational requirements:

  • Instance names must have a proper DNS label, consisting of letters, numbers, and dashes, ending with an alphanumeric character. Underscores and other symbols are invalid.
  • All Kubernetes nodes must be Nova instances in the same project/tenant. Bare metal hosts or OpenStack instances from another tenant cannot be joined to the cluster with the OpenStack cloud provider.
  • All Kubernetes nodes must be on the same Neutron subnet.
  • OpenStack public APIs (such as Keystone API) must be accessible from all Kubernetes nodes.

Beyond these operational requirements, the OpenStack cloud provider introduces a significant security concern: every Kubernetes node (master and worker alike) must hold the complete OpenStack credentials in cleartext in the /etc/kubernetes/cloud-config.conf file. For this reason, create a dedicated non-privileged user in the project/tenant where the instances reside, and use only that user's credentials for the cloud provider. The same credentials are also stored in pillar, which is therefore a second place where they must be protected.
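Two of the points above lend themselves to a pre-flight check on each node: the DNS-label rule for instance names, and the fact that cloud-config.conf carries cleartext credentials. The following POSIX shell script is an added example written for this page, not part of the original documentation or of any SUSE or Kubernetes tooling. It applies the DNS-label rule in its usual RFC 1123 form (the label must also start with an alphanumeric character and be at most 63 characters, slightly stricter than the wording above), and it verifies that the credentials file is owned by the expected user and unreadable by group and others. The sample configuration it writes uses the in-tree OpenStack cloud provider's `[Global]` keys, but every value in it (URL, user, project, region) is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original documentation. Pre-flight checks for an
# OpenStack-backed Kubernetes node. All names and values below are constructed.

# Instance name must be a valid DNS label: letters, digits and dashes only,
# starting and ending with an alphanumeric character, 1..63 characters (RFC 1123).
# Returns 0 when valid, 1 otherwise.
valid_dns_label() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 63 ] || return 1
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Write a constructed sample cloud-config.conf (in-tree provider [Global] format)
# to the given path with a restrictive umask. The values are placeholders.
write_sample_cloud_config() {
    f=$1
    (
        umask 077
        cat > "$f" <<'EOF'
[Global]
auth-url=https://keystone.example.test:5000/v3
username=k8s-cloud-provider
password=REPLACE_WITH_DEDICATED_USER_PASSWORD
tenant-name=k8s-project
domain-name=Default
region=RegionOne
EOF
    )
}

# The credentials file is cleartext, so it must be owned by the expected user
# (root on a real node) and have no group/other permission bits set.
# Usage: cloud_config_locked_down [file] [owner]
cloud_config_locked_down() {
    f=${1:-/etc/kubernetes/cloud-config.conf}
    expected_owner=${2:-root}
    [ -f "$f" ] || return 1
    listing=$(ls -ld "$f") || return 1
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    # Characters 5..10 of the mode string are the group and other bits.
    group_other=$(printf '%s\n' "$listing" | cut -c5-10)
    [ "$owner" = "$expected_owner" ] || return 1
    [ "$group_other" = "------" ] || return 1
    return 0
}

# Demonstration on constructed node names (none of these are real hosts).
for n in k8s-master-1 worker_02 node-a-; do
    if valid_dns_label "$n"; then
        echo "ok   instance name: $n"
    else
        echo "BAD  instance name: $n (not a valid DNS label)"
    fi
done
```

On a real node you would run `cloud_config_locked_down` with no arguments so that it checks /etc/kubernetes/cloud-config.conf for root ownership; the second argument exists only so the check can be exercised against a temporary file owned by an unprivileged user.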