adding documentation for private and public subnets in AWS
justnoise committed Apr 14, 2020
1 parent c24988d commit 9e098a9
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/annotations.md
Expand Up @@ -27,7 +27,7 @@ In AWS, Kip cells will get a public IP address if the cell is run in a subnet co

```yaml
annotations:
pod.elotl.co/private-ip-only: true
pod.elotl.co/private-ip-only: 'true'
```

**pod.elotl.co/security-groups**
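Review bot: the change from `true` to `'true'` is correct, but the text around the snippet should say why: YAML parses a bare `true` as a boolean, while Kubernetes annotation values must be strings, so the unquoted form fails when the manifest is applied. Suggest one sentence above the snippet to that effect. Also align the quoting style with docs/networking.md in this same commit, which writes the same annotation as `pod.elotl.co/private-ip-only: "true"`; both forms are valid YAML, but the docs should show one.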
12 changes: 12 additions & 0 deletions docs/networking.md
Expand Up @@ -10,3 +10,15 @@ Currently, Kip needs to run in host network mode. Since NodePorts are managed by
The cloud instances hosting pods created via Kip also run a combined service proxy and network policy agent, which is kube-router. BGP is disabled in kube-router, since the cloud routes take care of routing to the CIDRs used for regular pods on the nodes; only service proxying and firewalling are enabled.

This way, pods can reach Kubernetes services either via IPVS or iptables NAT rules, created by kube-router, and network policies are also enforced (via iptables filtering rules, also maintained by kube-router). Essentially, this is the same setup as on Kubernetes nodes. Kube-router has a very low memory and CPU footprint, thus even small cloud instances can dedicate almost all their resources to the application(s) running in the pod.

## Public and Private Subnets in AWS

If running inside a cloud network, Kip will deploy pods onto cells that are located in the same subnet and region as the instance where Kip is running. If Kip is runnning outside the cloud network, Kip's [provider.yaml](#provider-configuration) file will need to specify the subnet where cells will run.

All Kip cells have private network addresses and some will also have a publicly accessable address depending on the subnet Kip deploys to and annotations specified in the Kip pod. In AWS, a public subnet is defined as subnet with a associated route table entry that points at an internet gateway. Subnets without a routable internet gateway are considered private subnets.

Kip cells running in public subnets are assigned a public address by default while Kip cells in private subnets will never have a public address. The user can force cells in public subnets to only have a private address by setting the following annotation on the pod: `pod.elotl.co/private-ip-only: "true"`.

Kip pods without public addresses and access to the internet must be able to download an itzo binary from S3 and be able to download any container images used in the pod spec. The easiest way to ensure access to S3 from a private subnet in AWS is to setup a VPC endpoint to allow access to `com.amazonaws.us-east-1.s3`. Likewise, a VPC endpoint can be used to allow access to ECR registries.

Itzo images can be downloaded from alternative locations by specifying a custom url for `cells.itzo.url` in [provider.yaml](#provider-configuration). This allows cells to download the itzo binary from a webserver or other endpoint inside the user's cloud network.
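Review bot: the VPC endpoint service name `com.amazonaws.us-east-1.s3` in the S3 paragraph is region-specific; write it as `com.amazonaws.<region>.s3` and say the region must match the subnet's, otherwise readers in other regions will copy a name that does not resolve. The private-subnet definition should also match the sentence before it: say "subnets whose route table has no route to an internet gateway" rather than "without a routable internet gateway", since it is the route table entry that decides. The sentence "Kip pods without public addresses and access to the internet must be able to download an itzo binary from S3" reads as if lacking internet access is a requirement; suggest "Cells in private subnets still need a path to S3 (for the itzo binary) and to the container registry". Because cells in public subnets get a public address by default, consider cross-referencing the `pod.elotl.co/security-groups` annotation in docs/annotations.md so readers know how the security groups on such cells are set. Spelling and grammar to fix before merge: `runnning`, `accessable`, `a associated route table entry` (should be "an associated"), `setup a VPC endpoint` (should be "set up"), and `url` (should be "URL").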

0 comments on commit 9e098a9