Merge "Ensure LB SG is not updated for egress only policy"

2019-11-12 16:27:37 +00:00 · 2019-11-12 16:27:37 +00:00 · 0dacfd3ed7
commit 0dacfd3ed7
parent 779ff98e57 b0b78b423c
4 changed files with 17 additions and 2 deletions
--- a/kuryr_kubernetes/controller/drivers/network_policy_security_groups.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy_security_groups.py
@ -472,6 +472,7 @@ class NetworkPolicySecurityGroupsDriver(base.PodSecurityGroupsDriver):
                driver_utils.patch_kuryrnetworkpolicy_crd(crd, i_rules,
                                                          e_rules,
                                                          crd_selector)
+            if i_matched:
                crd_pod_selectors.append(crd_selector)
        return crd_pod_selectors

@ -498,6 +499,7 @@ class NetworkPolicySecurityGroupsDriver(base.PodSecurityGroupsDriver):
                driver_utils.patch_kuryrnetworkpolicy_crd(crd, i_rules,
                                                          e_rules,
                                                          crd_selector)
+            if i_matched:
                crd_pod_selectors.append(crd_selector)
        return crd_pod_selectors

@ -528,6 +530,7 @@ class NetworkPolicySecurityGroupsDriver(base.PodSecurityGroupsDriver):
            if i_matched or e_matched:
                driver_utils.patch_kuryrnetworkpolicy_crd(
                    crd, i_rules, e_rules, crd_selector)
+            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

@ -548,6 +551,7 @@ class NetworkPolicySecurityGroupsDriver(base.PodSecurityGroupsDriver):
                driver_utils.patch_kuryrnetworkpolicy_crd(crd, i_rules,
                                                          e_rules,
                                                          crd_selector)
+            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

--- a/kuryr_kubernetes/controller/drivers/utils.py
+++ b/kuryr_kubernetes/controller/drivers/utils.py
@ -243,6 +243,8 @@ def patch_kuryrnetworkpolicy_crd(crd, i_rules, e_rules, pod_selector,
                              'egressSgRules': e_rules,
                              'podSelector': pod_selector,
                              'networkpolicy_spec': np_spec})
+    except k_exc.K8sResourceNotFound:
+        LOG.debug('KuryrNetPolicy CRD not found %s', crd_name)
    except k_exc.K8sClientException:
        LOG.exception('Error updating kuryrnetpolicy CRD %s', crd_name)
        raise
--- a/kuryr_kubernetes/controller/handlers/policy.py
+++ b/kuryr_kubernetes/controller/handlers/policy.py
@ -79,7 +79,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
            self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)

        if (pods_to_update and
-                oslo_cfg.CONF.octavia_defaults.enforce_sg_rules):
+                oslo_cfg.CONF.octavia_defaults.enforce_sg_rules and
+                not self._is_egress_only_policy(policy)):
            # NOTE(ltomasbo): only need to change services if the pods that
            # they point to are updated
            services = driver_utils.get_services(
@ -123,7 +124,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):

            self._drv_policy.release_network_policy(netpolicy_crd)

-            if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules:
+            if (oslo_cfg.CONF.octavia_defaults.enforce_sg_rules and
+                    not self._is_egress_only_policy(policy)):
                services = driver_utils.get_services(
                    policy['metadata']['namespace'])
                for svc in services.get('items'):
@ -166,3 +168,9 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
            LOG.exception("Kubernetes Client Exception.")
            raise
        return net_crd['spec']['netId']
+
+    def _is_egress_only_policy(self, policy):
+        policy_types = policy['spec'].get('policyTypes', [])
+        return (policy_types == ['Egress'] or
+                (policy['spec'].get('egress') and
+                    not policy['spec'].get('ingress')))
--- a/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
@ -188,6 +188,7 @@ class TestPolicyHandler(test_base.TestCase):
        match_pod = mock.sentinel.match_pod
        m_host_network.return_value = False

+        self._handler._is_egress_only_policy.return_value = False
        self._handler._is_service_affected.return_value = True
        knp_on_ns = self._handler._drv_policy.knps_on_namespace
        knp_on_ns.return_value = True