openstack/kuryr-kubernetes
Code Issues Proposed changes
34fc8f114b
kuryr-kubernetes/kuryr_kubernetes/utils.py

322 lines
11 KiB
Python
Raw Normal View History

Add asyncio eventloop. This commits introduces the asyncio event loop as well as the base abstract class to define watchers. It is in a very simple approach (it does not reschedule watchers if they fail) but it lets you to see the proposal of hierarchy in watchers as well as the methods that a watcher has to implement (see the pod module). Partial-Implements: blueprint kuryr-k8s-integration Co-Authored-By: Taku Fukushima <f.tac.mac@gmail.com> Co-Authored-By: Antoni Segura Puimedon Change-Id: I91975dd197213c1a6b0e171c1ae218a547722eeb
2016-08-24 15:19:26 +02:00
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Watcher restarts watching resources in failure kuryr-kubernetes watcher watches k8s resources and trigger registered pipeline. This patch handles restarting watching when watch thread has failed. Change-Id: I27a719a326dc37f97c46b88d0c171d0f12ded605 Closes-Bug: 1739776 Related-Bug: 1705429 Signed-off-by: Eunsoo Park <esevan.park@gmail.com>
2018-02-22 16:12:34 +09:00
import random
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
import socket
Watcher restarts watching resources in failure kuryr-kubernetes watcher watches k8s resources and trigger registered pipeline. This patch handles restarting watching when watch thread has failed. Change-Id: I27a719a326dc37f97c46b88d0c171d0f12ded605 Closes-Bug: 1739776 Related-Bug: 1705429 Signed-off-by: Eunsoo Park <esevan.park@gmail.com>
2018-02-22 16:12:34 +09:00
import time
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
import requests
Add Network Policy support to services This patch adds support for Network Policy on services. It applies pods' security groups onto the services in front of them. It makes the next assumptions: - All the pods pointed by one svc have the same labels, thus the same sgs being enforced - Only copies the SG rules that have the same protocol and direction as the listener being created - Adds a default rule to NP to enable traffic from services subnet CIDR Partially Implements: blueprint k8s-network-policies Change-Id: Ibd4b51ff40b69af26ab7e7b81d18e63abddf775b
2018-12-24 13:01:12 +01:00
from neutronclient.common import exceptions as n_exc
Fix compatiblity with old Pod annotation format We've changed Pod annotation format in Rocky. To support upgrading Kuryr we need to keep compatiblity with that format. This commit implements that. We should also think about creating a tool that will convert all the annotations in a setup. Change-Id: I88e1b318d58d0d90138e347503928da41518a888 Closes-Bug: 1782366
2018-07-20 17:20:24 +02:00
from os_vif import objects
Move function get_subnet to kuryr_kubernetes.utils Since the function _get_subnet is widely used by different components, I move it to kuryr_kubernetes.utils as a part of common utilities. Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
2018-08-09 17:24:17 +08:00
from oslo_cache import core as cache
Support kuryr-daemon when running containerized This commit implements kuryr-daemon support when KURYR_K8S_CONTAINERIZED_DEPLOYMENT=True. It's done by: * CNI docker image installs Kuryr-Kubernetes pip package and adds exectution of kuryr-daemon into entrypoint script. * Hosts /proc and /var/run/openvswitch are mounted into the CNI container. * Code is changed to use /host_proc instead of /proc when in a container (it's impossible to mount host's /proc into container's /proc). Implements: blueprint cni-split-exec-daemon Change-Id: I9155a2cba28f578cee129a4c40066209f7ab543d
2017-11-03 13:25:15 +01:00
from oslo_config import cfg
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
from oslo_log import log
Add asyncio eventloop. This commits introduces the asyncio event loop as well as the base abstract class to define watchers. It is in a very simple approach (it does not reschedule watchers if they fail) but it lets you to see the proposal of hierarchy in watchers as well as the methods that a watcher has to implement (see the pod module). Partial-Implements: blueprint kuryr-k8s-integration Co-Authored-By: Taku Fukushima <f.tac.mac@gmail.com> Co-Authored-By: Antoni Segura Puimedon Change-Id: I91975dd197213c1a6b0e171c1ae218a547722eeb
2016-08-24 15:19:26 +02:00
from oslo_serialization import jsonutils
Move function get_subnet to kuryr_kubernetes.utils Since the function _get_subnet is widely used by different components, I move it to kuryr_kubernetes.utils as a part of common utilities. Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
2018-08-09 17:24:17 +08:00
from kuryr_kubernetes import clients
Ensure NP changes are applied to services When a Network Policy is changed, services must also be updated, deleting the unnecessary rules that do not match the NP anymore and create needed ones. Closes-Bug: #1811242 Partially Implements: blueprint k8s-network-policies Change-Id: I800477d08fd1f46c2a94d3653496f8f1188a3844
2019-01-10 13:07:03 +00:00
from kuryr_kubernetes import constants
Ensure controller healthchecks passes without CRDs This patch ensures the controller healthchecks do not set the controller as not Ready due to missing CRDs when deploying without namespace and/or policy handlers. In that case the CRDs are not needed Closes-Bug: 1808966 Change-Id: I685f9a47605da86504619983848b8ef73d71b332
2018-12-21 12:02:54 +01:00
from kuryr_kubernetes import exceptions
Ensure NP changes are applied to services When a Network Policy is changed, services must also be updated, deleting the unnecessary rules that do not match the NP anymore and create needed ones. Closes-Bug: #1811242 Partially Implements: blueprint k8s-network-policies Change-Id: I800477d08fd1f46c2a94d3653496f8f1188a3844
2019-01-10 13:07:03 +00:00
from kuryr_kubernetes.objects import lbaas as obj_lbaas
Fix compatiblity with old Pod annotation format We've changed Pod annotation format in Rocky. To support upgrading Kuryr we need to keep compatiblity with that format. This commit implements that. We should also think about creating a tool that will convert all the annotations in a setup. Change-Id: I88e1b318d58d0d90138e347503928da41518a888 Closes-Bug: 1782366
2018-07-20 17:20:24 +02:00
from kuryr_kubernetes.objects import vif
Move function get_subnet to kuryr_kubernetes.utils Since the function _get_subnet is widely used by different components, I move it to kuryr_kubernetes.utils as a part of common utilities. Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
2018-08-09 17:24:17 +08:00
from kuryr_kubernetes import os_vif_util
Support kuryr-daemon when running containerized This commit implements kuryr-daemon support when KURYR_K8S_CONTAINERIZED_DEPLOYMENT=True. It's done by: * CNI docker image installs Kuryr-Kubernetes pip package and adds exectution of kuryr-daemon into entrypoint script. * Hosts /proc and /var/run/openvswitch are mounted into the CNI container. * Code is changed to use /host_proc instead of /proc when in a container (it's impossible to mount host's /proc into container's /proc). Implements: blueprint cni-split-exec-daemon Change-Id: I9155a2cba28f578cee129a4c40066209f7ab543d
2017-11-03 13:25:15 +01:00
CONF = cfg.CONF
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
LOG = log.getLogger(__name__)
Support kuryr-daemon when running containerized This commit implements kuryr-daemon support when KURYR_K8S_CONTAINERIZED_DEPLOYMENT=True. It's done by: * CNI docker image installs Kuryr-Kubernetes pip package and adds exectution of kuryr-daemon into entrypoint script. * Hosts /proc and /var/run/openvswitch are mounted into the CNI container. * Code is changed to use /host_proc instead of /proc when in a container (it's impossible to mount host's /proc into container's /proc). Implements: blueprint cni-split-exec-daemon Change-Id: I9155a2cba28f578cee129a4c40066209f7ab543d
2017-11-03 13:25:15 +01:00
Add multi pools support This patch adds support for nodes with different vif drivers as well as different pool drivers for each vif driver type. Closes-Bug: 1747406 Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
2017-12-15 17:56:07 +01:00
VALID_MULTI_POD_POOLS_OPTS = {'noop': ['neutron-vif',
'nested-vlan',
Add SR-IOV pod vif driver This commit adds SR-IOV driver and new type of VIF to handle SR-IOV requests. This driver can work as a primary driver and only one driver, but only when kubernetes will fully support CNI specification. Now this driver can work in couple with multi vif driver, e.g. NPWGMultiVIFDriver. (see doc/source/installation/multi_vif_with_npwg_spec.rst) Also this driver relies on kubernetes SRIOV device plugin. This commit also adds 'default_physnet_subnets' setting, that should include a mapping of physnets to neutron subnet IDs, it's necessary to specify VIF's physnet (subnet id comes from annotation). To get details how to create pods with sriov interfaces see doc/source/installation/sriov.rst Target bp: kuryr-kubernetes-sriov-support Change-Id: I45c5f1a7fb423ee68731d0ae85f7171e33d0aeeb Signed-off-by: Danil Golov <d.golov@partner.samsung.com> Signed-off-by: Vladimir Kuramshin <v.kuramshin@samsung.com> Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
2017-10-10 14:30:59 +03:00
'nested-macvlan',
'sriov'],
Add multi pools support This patch adds support for nodes with different vif drivers as well as different pool drivers for each vif driver type. Closes-Bug: 1747406 Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
2017-12-15 17:56:07 +01:00
'neutron': ['neutron-vif'],
'nested': ['nested-vlan'],
}
Watcher restarts watching resources in failure kuryr-kubernetes watcher watches k8s resources and trigger registered pipeline. This patch handles restarting watching when watch thread has failed. Change-Id: I27a719a326dc37f97c46b88d0c171d0f12ded605 Closes-Bug: 1739776 Related-Bug: 1705429 Signed-off-by: Eunsoo Park <esevan.park@gmail.com>
2018-02-22 16:12:34 +09:00
DEFAULT_TIMEOUT = 180
DEFAULT_INTERVAL = 3
Add multi pools support This patch adds support for nodes with different vif drivers as well as different pool drivers for each vif driver type. Closes-Bug: 1747406 Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
2017-12-15 17:56:07 +01:00
Move function get_subnet to kuryr_kubernetes.utils Since the function _get_subnet is widely used by different components, I move it to kuryr_kubernetes.utils as a part of common utilities. Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
2018-08-09 17:24:17 +08:00
subnet_caching_opts = [
cfg.BoolOpt('caching', default=True),
cfg.IntOpt('cache_time', default=3600),
]
CONF.register_opts(subnet_caching_opts, "subnet_caching")
cache.configure(CONF)
subnet_cache_region = cache.create_region()
MEMOIZE = cache.get_memoization_decorator(
CONF, subnet_cache_region, "subnet_caching")
cache.configure_cache_region(CONF, subnet_cache_region)
Add asyncio eventloop. This commits introduces the asyncio event loop as well as the base abstract class to define watchers. It is in a very simple approach (it does not reschedule watchers if they fail) but it lets you to see the proposal of hierarchy in watchers as well as the methods that a watcher has to implement (see the pod module). Partial-Implements: blueprint kuryr-k8s-integration Co-Authored-By: Taku Fukushima <f.tac.mac@gmail.com> Co-Authored-By: Antoni Segura Puimedon Change-Id: I91975dd197213c1a6b0e171c1ae218a547722eeb
2016-08-24 15:19:26 +02:00
def utf8_json_decoder(byte_data):
"""Deserializes the bytes into UTF-8 encoded JSON.
:param byte_data: The bytes to be converted into the UTF-8 encoded JSON.
:returns: The UTF-8 encoded JSON represented by Python dictionary format.
"""
return jsonutils.loads(byte_data.decode('utf8'))
Support kuryr-daemon when running containerized This commit implements kuryr-daemon support when KURYR_K8S_CONTAINERIZED_DEPLOYMENT=True. It's done by: * CNI docker image installs Kuryr-Kubernetes pip package and adds exectution of kuryr-daemon into entrypoint script. * Hosts /proc and /var/run/openvswitch are mounted into the CNI container. * Code is changed to use /host_proc instead of /proc when in a container (it's impossible to mount host's /proc into container's /proc). Implements: blueprint cni-split-exec-daemon Change-Id: I9155a2cba28f578cee129a4c40066209f7ab543d
2017-11-03 13:25:15 +01:00
def convert_netns(netns):
"""Convert /proc based netns path to Docker-friendly path.
When CONF.docker_mode is set this method will change /proc to
/CONF.netns_proc_dir. This allows netns manipulations to work when running
in Docker container on Kubernetes host.
:param netns: netns path to convert.
:return: Converted netns path.
"""
if CONF.cni_daemon.docker_mode:
return netns.replace('/proc', CONF.cni_daemon.netns_proc_dir)
else:
return netns
Make CNI Registry Plugin namespace aware As with the k8sCNIRegistryPlugin the watching is for the complete node, instead of per pod and namespace, we need to make registry information to account for the namespace where the pod is created to differentiate between different containers running on the same node, with the same name, but in a different namespace Related-Bug: 1731486 Change-Id: I26e1dec6ae613c5316a45f93563c4a015df59441
2018-02-27 14:46:40 +00:00
def get_pod_unique_name(pod):
"""Returns a unique name for the pod.
It returns a pod unique name for the pod composed of its name and the
namespace it is running on.
:returns: String with namespace/name of the pod
"""
return "%(namespace)s/%(name)s" % pod['metadata']
Add multi pools support This patch adds support for nodes with different vif drivers as well as different pool drivers for each vif driver type. Closes-Bug: 1747406 Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
2017-12-15 17:56:07 +01:00
def check_suitable_multi_pool_driver_opt(pool_driver, pod_driver):
return pod_driver in VALID_MULTI_POD_POOLS_OPTS.get(pool_driver, [])
Watcher restarts watching resources in failure kuryr-kubernetes watcher watches k8s resources and trigger registered pipeline. This patch handles restarting watching when watch thread has failed. Change-Id: I27a719a326dc37f97c46b88d0c171d0f12ded605 Closes-Bug: 1739776 Related-Bug: 1705429 Signed-off-by: Eunsoo Park <esevan.park@gmail.com>
2018-02-22 16:12:34 +09:00
def exponential_sleep(deadline, attempt, interval=DEFAULT_INTERVAL):
"""Sleep for exponential duration.
This implements a variation of exponential backoff algorithm [1] and
ensures that there is a minimal time `interval` to sleep.
(expected backoff E(c) = interval * 2 ** c / 2).
[1] https://en.wikipedia.org/wiki/Exponential_backoff
:param deadline: sleep timeout duration in seconds.
:param attempt: attempt count of sleep function.
:param interval: minimal time interval to sleep
:return: the actual time that we've slept
"""
now = time.time()
seconds_left = deadline - now
if seconds_left <= 0:
return 0
interval = random.randint(1, 2 ** attempt - 1) * DEFAULT_INTERVAL
if interval > seconds_left:
interval = seconds_left
if interval < DEFAULT_INTERVAL:
interval = DEFAULT_INTERVAL
time.sleep(interval)
return interval
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
def get_node_name():
Work out situation with KUBERNETES_NODE_NAME This reverts commit f0cde86ee68027bd66597f2e4b8db4e10fa81e0b as it turns out that variable is actually used by kuryr-daemon and fixes the way kuryr-controller detects its identity to match how leader-elector is doing it. Change-Id: I95c2d3e1760a938d40d57a99fb87b6f02ca7f64a Closes-Bug: 1798835
2018-11-20 17:17:41 +01:00
# leader-elector container based on K8s way of doing leader election is
# assuming that hostname it sees is the node id. Containers within a pod
# are sharing the hostname, so this will match what leader-elector returns.
return socket.gethostname()
kuryr-controller A/P HA This commit implements initial version of high availability support in kuryr-controller - Active/Passive mode. In this mode only one instance of controller is processing the resources while other ones are in standby mode. If current leader dies, one of standbys is taking the leader role and starts processing resources. Please note that as leader election is based on Kubernetes mechanisms, this is only supported when kuryr-controller is run as Pod on Kubernetes cluster. Implements: bp high-availability Change-Id: I2c6c9315612d64158fb9f8284e0abb065aca7208
2018-04-23 12:49:37 +02:00
def get_leader_name():
url = 'http://localhost:%d' % CONF.kubernetes.controller_ha_elector_port
try:
return requests.get(url).json()['name']
except Exception:
LOG.exception('Error when fetching current leader pod name.')
# NOTE(dulek): Assuming there's no leader when we can't contact leader
# elector container.
return None
Move function get_subnet to kuryr_kubernetes.utils Since the function _get_subnet is widely used by different components, I move it to kuryr_kubernetes.utils as a part of common utilities. Change-Id: I9a80fb55f5c02274fb50c4c92eb3514ccb42830e
2018-08-09 17:24:17 +08:00
@MEMOIZE
def get_subnet(subnet_id):
neutron = clients.get_neutron_client()
n_subnet = neutron.show_subnet(subnet_id).get('subnet')
network_id = n_subnet['network_id']
n_network = neutron.show_network(network_id).get('network')
subnet = os_vif_util.neutron_to_osvif_subnet(n_subnet)
network = os_vif_util.neutron_to_osvif_network(n_network)
network.subnets.objects.append(subnet)
return network
Fix compatiblity with old Pod annotation format We've changed Pod annotation format in Rocky. To support upgrading Kuryr we need to keep compatiblity with that format. This commit implements that. We should also think about creating a tool that will convert all the annotations in a setup. Change-Id: I88e1b318d58d0d90138e347503928da41518a888 Closes-Bug: 1782366
2018-07-20 17:20:24 +02:00
Add Network Policy support to services This patch adds support for Network Policy on services. It applies pods' security groups onto the services in front of them. It makes the next assumptions: - All the pods pointed by one svc have the same labels, thus the same sgs being enforced - Only copies the SG rules that have the same protocol and direction as the listener being created - Adds a default rule to NP to enable traffic from services subnet CIDR Partially Implements: blueprint k8s-network-policies Change-Id: Ibd4b51ff40b69af26ab7e7b81d18e63abddf775b
2018-12-24 13:01:12 +01:00
@MEMOIZE
def get_subnet_cidr(subnet_id):
neutron = clients.get_neutron_client()
try:
subnet_obj = neutron.show_subnet(subnet_id)
except n_exc.NeutronClientException:
LOG.exception("Subnet %s CIDR not found!", subnet_id)
raise
return subnet_obj.get('subnet')['cidr']
Fix compatiblity with old Pod annotation format We've changed Pod annotation format in Rocky. To support upgrading Kuryr we need to keep compatiblity with that format. This commit implements that. We should also think about creating a tool that will convert all the annotations in a setup. Change-Id: I88e1b318d58d0d90138e347503928da41518a888 Closes-Bug: 1782366
2018-07-20 17:20:24 +02:00
def extract_pod_annotation(annotation):
obj = objects.base.VersionedObject.obj_from_primitive(annotation)
# FIXME(dulek): This is code to maintain compatibility with Queens. We can
# remove it once we stop supporting upgrading from Queens,
# most likely in Stein. Note that this requires being sure
# that *all* the pod annotations are in new format.
if obj.obj_name() != vif.PodState.obj_name():
# This is old format of annotations - single VIF object. We need to
# pack it in PodState object.
obj = vif.PodState(default_vif=obj)
return obj
Add quota readiness check to controller Currently, if the number of neutron resources requested reaches the quota, kuryr-controller is marked as unhealthy and restarted. In order to avoid the constant restart of the pod, this patch adds a new readiness checks that checks if the resources used by the enabled handlers are over quota. Closes-Bug: 1804310 Change-Id: If4d42f866d2d64cae63736f4c206bedca039258b
2018-11-18 21:02:33 +00:00
def has_limit(quota):
NO_LIMIT = -1
return quota != NO_LIMIT
def is_available(resource, resource_quota, neutron_func):
qnt_resources = len(neutron_func().get(resource))
availability = resource_quota - qnt_resources
if availability <= 0:
LOG.error("Quota exceeded for resource: %s", resource)
return False
return True
Ensure controller healthchecks passes without CRDs This patch ensures the controller healthchecks do not set the controller as not Ready due to missing CRDs when deploying without namespace and/or policy handlers. In that case the CRDs are not needed Closes-Bug: 1808966 Change-Id: I685f9a47605da86504619983848b8ef73d71b332
2018-12-21 12:02:54 +01:00
def has_kuryr_crd(crd_url):
k8s = clients.get_kubernetes_client()
try:
k8s.get(crd_url, json=False, headers={'Connection': 'close'})
except exceptions.K8sClientException:
LOG.exception("Kubernetes Client Exception fetching"
" CRD. %s" % exceptions.K8sClientException)
return False
return True
Ensure NP changes are applied to services When a Network Policy is changed, services must also be updated, deleting the unnecessary rules that do not match the NP anymore and create needed ones. Closes-Bug: #1811242 Partially Implements: blueprint k8s-network-policies Change-Id: I800477d08fd1f46c2a94d3653496f8f1188a3844
2019-01-10 13:07:03 +00:00
def get_lbaas_spec(service):
try:
annotations = service['metadata']['annotations']
annotation = annotations[constants.K8S_ANNOTATION_LBAAS_SPEC]
except KeyError:
return None
obj_dict = jsonutils.loads(annotation)
obj = obj_lbaas.LBaaSServiceSpec.obj_from_primitive(obj_dict)
LOG.debug("Got LBaaSServiceSpec from annotation: %r", obj)
return obj
Fix LBaaS sg rules update on deployment scale When a service is created with a Network Policy applied and deployments are scaled up or down, the LBaaS SG rules should be updated accordindly. Right now, the LBaaS/Service do not react on deployment scales. This commit fixes the issue by ensuring that the LBaaS SG is updated on pod events. Also, when Pods, Network Policies and SVCs are created together it might happen that the LBaaS SG remains with default SG rules, even though the policy is being enforced. This commit ensures the right SG rules are applied on a LBaaS regardless the order of k8s resources creation. This happens by setting the LBaaS Spec annotation whenever a request to update the SG rules has been made and retrieving the Spec again whenever a LBaaS member is created. Change-Id: I1c54d17a5fcff5387ffae2b132f5036ee9bf07ca Closes-Bug: 1816015
2019-02-15 13:41:33 +00:00
def set_lbaas_spec(service, lbaas_spec):
# TODO(ivc): extract annotation interactions
if lbaas_spec is None:
LOG.debug("Removing LBaaSServiceSpec annotation: %r", lbaas_spec)
annotation = None
else:
lbaas_spec.obj_reset_changes(recursive=True)
LOG.debug("Setting LBaaSServiceSpec annotation: %r", lbaas_spec)
annotation = jsonutils.dumps(lbaas_spec.obj_to_primitive(),
sort_keys=True)
svc_link = service['metadata']['selfLink']
ep_link = get_endpoints_link(service)
k8s = clients.get_kubernetes_client()
try:
k8s.annotate(ep_link,
{constants.K8S_ANNOTATION_LBAAS_SPEC: annotation})
except exceptions.K8sResourceNotFound:
raise exceptions.ResourceNotReady(ep_link)
except exceptions.K8sClientException:
LOG.debug("Failed to annotate endpoint %r", ep_link)
raise
k8s.annotate(svc_link,
{constants.K8S_ANNOTATION_LBAAS_SPEC: annotation},
resource_version=service['metadata']['resourceVersion'])
Fix LBaaS SG rules update The LBaaS SG update is failing when the pods selected by the selector in the rule block are removed after the pod, on which the policy is enforced, is removed. This commit fixes the issue by changing from LBaaSServiceSpec object to LBaaSLoadBalancer, which is the object type expected by '_apply_members_security_groups' function. Change-Id: I17f2f632e02bc0f46ccc7434173acce68aef957b Closes-Bug: 1823022
2019-04-03 14:35:22 +00:00
def get_lbaas_state(endpoint):
try:
annotations = endpoint['metadata']['annotations']
annotation = annotations[constants.K8S_ANNOTATION_LBAAS_STATE]
except KeyError:
return None
obj_dict = jsonutils.loads(annotation)
obj = obj_lbaas.LBaaSState.obj_from_primitive(obj_dict)
LOG.debug("Got LBaaSState from annotation: %r", obj)
return obj
def set_lbaas_state(endpoints, lbaas_state):
# TODO(ivc): extract annotation interactions
if lbaas_state is None:
LOG.debug("Removing LBaaSState annotation: %r", lbaas_state)
annotation = None
else:
lbaas_state.obj_reset_changes(recursive=True)
LOG.debug("Setting LBaaSState annotation: %r", lbaas_state)
annotation = jsonutils.dumps(lbaas_state.obj_to_primitive(),
sort_keys=True)
k8s = clients.get_kubernetes_client()
k8s.annotate(endpoints['metadata']['selfLink'],
{constants.K8S_ANNOTATION_LBAAS_STATE: annotation},
resource_version=endpoints['metadata']['resourceVersion'])
Fix LBaaS sg rules update on deployment scale When a service is created with a Network Policy applied and deployments are scaled up or down, the LBaaS SG rules should be updated accordindly. Right now, the LBaaS/Service do not react on deployment scales. This commit fixes the issue by ensuring that the LBaaS SG is updated on pod events. Also, when Pods, Network Policies and SVCs are created together it might happen that the LBaaS SG remains with default SG rules, even though the policy is being enforced. This commit ensures the right SG rules are applied on a LBaaS regardless the order of k8s resources creation. This happens by setting the LBaaS Spec annotation whenever a request to update the SG rules has been made and retrieving the Spec again whenever a LBaaS member is created. Change-Id: I1c54d17a5fcff5387ffae2b132f5036ee9bf07ca Closes-Bug: 1816015
2019-02-15 13:41:33 +00:00
def get_endpoints_link(service):
svc_link = service['metadata']['selfLink']
link_parts = svc_link.split('/')
if link_parts[-2] != 'services':
raise exceptions.IntegrityError(_(
"Unsupported service link: %(link)s") % {
'link': svc_link})
link_parts[-2] = 'endpoints'
return "/".join(link_parts)
Add support for svc with text targetPorts This patch adds support for services that define the targetPort with text (port name), pointing to the same port number as the defined exposed port on the svc. Closes-Bug: 1818969 Change-Id: I7f957d292f7c4a43b759292e5bd04c4db704c4c4
2019-03-07 09:29:06 +01:00
def has_port_changes(service, lbaas_spec):
link = service['metadata']['selfLink']
fields = obj_lbaas.LBaaSPortSpec.fields
svc_port_set = {tuple(port[attr] for attr in fields)
for port in get_service_ports(service)}
spec_port_set = {tuple(getattr(port, attr)
for attr in fields
if port.obj_attr_is_set(attr))
for port in lbaas_spec.ports}
if svc_port_set != spec_port_set:
LOG.debug("LBaaS spec ports %(spec_ports)s != %(svc_ports)s "
"for %(link)s" % {'spec_ports': spec_port_set,
'svc_ports': svc_port_set,
'link': link})
return svc_port_set != spec_port_set
def get_service_ports(service):
return [{'name': port.get('name'),
'protocol': port.get('protocol', 'TCP'),
'port': port['port'],
'targetPort': str(port['targetPort'])}
for port in service['spec']['ports']]
Copy Permalink