Make SG modifications for LoadBalancers optional
When ovn-octavia driver is being used there is no need to enforce security groups rules at the loadbalancer SG level, as ovn-octavia is maintaing the source IP, instead of replacing it by amphora VM IP. Change-Id: I39cfc96080594df7515aada92acd8e861cb050e9
This commit is contained in:
Maysa Macedo
parent
e26da782aa
commit
135311fd01
|
|
@ -59,7 +59,7 @@ VAR_RUN_PATH=/usr/local/var/run
|
|||
# KURYR_EP_DRIVER_OCTAVIA_PROVIDER=ovn
|
||||
# KURYR_K8S_OCTAVIA_MEMBER_MODE=L2
|
||||
# KURYR_K8S_OCTAVIA_SG_MODE=create
|
||||
|
||||
# KURYR_ENFORCE_SG_RULES=False
|
||||
|
||||
|
||||
# Octavia LBaaSv2
|
||||
|
|
|
|||
|
|
@ -459,6 +459,7 @@ function configure_neutron_defaults {
|
|||
iniset "$KURYR_CONFIG" neutron_defaults external_svc_net "$ext_svc_net_id"
|
||||
iniset "$KURYR_CONFIG" octavia_defaults member_mode "$KURYR_K8S_OCTAVIA_MEMBER_MODE"
|
||||
iniset "$KURYR_CONFIG" octavia_defaults sg_mode "$KURYR_K8S_OCTAVIA_SG_MODE"
|
||||
iniset "$KURYR_CONFIG" octavia_defaults enforce_sg_rules "$KURYR_ENFORCE_SG_RULES"
|
||||
# Octavia takes a very long time to start the LB in the gate. We need
|
||||
# to tweak the timeout for the LB creation. Let's be generous and give
|
||||
# it up to 20 minutes.
|
||||
|
|
|
|||
|
|
@ -57,6 +57,7 @@ OPENSHIFT_CNI_BINARY_URL=${OPENSHIFT_CNI_BINARY_URL:-https://github.com/containe
|
|||
# Octavia
|
||||
KURYR_K8S_OCTAVIA_MEMBER_MODE=${KURYR_K8S_OCTAVIA_MEMBER_MODE:-L3}
|
||||
KURYR_K8S_OCTAVIA_SG_MODE=${KURYR_K8S_OCTAVIA_SG_MODE:-update}
|
||||
KURYR_ENFORCE_SG_RULES=${KURYR_ENFORCE_SG_RULES:-True}
|
||||
|
||||
# Kuryr_ovs_baremetal
|
||||
KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE=${KURYR_CONFIGURE_BAREMETAL_KUBELET_IFACE:-True}
|
||||
|
|
|
|||
|
|
@ -86,6 +86,11 @@ to add the namespace handler and state the namespace subnet driver with::
|
|||
KURYR_SG_DRIVER=namespace
|
||||
KURYR_ENABLED_HANDLERS=vif,lb,lbaasspec,namespace
|
||||
|
||||
.. note::
|
||||
If the loadbalancer maintains the source IP (such as ovn-octavia driver),
|
||||
there is no need to enforce sg rules at the load balancer level.
|
||||
To disable the enforcement, you need to set the following variable:
|
||||
KURYR_ENFORCE_SG_RULES=False
|
||||
|
||||
Testing the network per namespace functionality
|
||||
-----------------------------------------------
|
||||
|
|
|
|||
|
|
@ -66,6 +66,12 @@ to add the policy, pod_label and namespace handler and drivers with::
|
|||
KURYR_SG_DRIVER=policy
|
||||
KURYR_SUBNET_DRIVER=namespace
|
||||
|
||||
.. note::
|
||||
If the loadbalancer maintains the source IP (such as ovn-octavia driver),
|
||||
there is no need to enforce sg rules at the load balancer level.
|
||||
To disable the enforcement, you need to set the following variable:
|
||||
KURYR_ENFORCE_SG_RULES=False
|
||||
|
||||
Testing the network policy support functionality
|
||||
------------------------------------------------
|
||||
|
||||
|
|
|
|||
|
|
@ -225,6 +225,11 @@ octavia_defaults = [
|
|||
choices=[('create', 'replace the VIP SG with a new one'),
|
||||
('update', 'add rules to the existing VIP SG')],
|
||||
default='update'),
|
||||
cfg.BoolOpt('enforce_sg_rules',
|
||||
help=_("Enable the enforcement of SG rules at the LB SG "
|
||||
"in case the LB does not maintain the source IP "
|
||||
"of the caller resource"),
|
||||
default=True),
|
||||
]
|
||||
|
||||
cache_defaults = [
|
||||
|
|
|
|||
|
|
@ -397,10 +397,11 @@ class LBaaSv2Driver(base.LBaaSDriver):
|
|||
CONF.kubernetes.service_security_groups_driver == 'namespace')
|
||||
create_sg = CONF.octavia_defaults.sg_mode == 'create'
|
||||
|
||||
if namespace_isolation and service_type == 'ClusterIP':
|
||||
self._extend_lb_security_group_rules(loadbalancer, listener)
|
||||
elif create_sg:
|
||||
if create_sg:
|
||||
self._create_lb_security_group_rule(loadbalancer, listener)
|
||||
if (namespace_isolation and service_type == 'ClusterIP' and
|
||||
CONF.octavia_defaults.enforce_sg_rules):
|
||||
self._extend_lb_security_group_rules(loadbalancer, listener)
|
||||
|
||||
def ensure_listener(self, loadbalancer, protocol, port,
|
||||
service_type='ClusterIP'):
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
from oslo_config import cfg as oslo_cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_serialization import jsonutils
|
||||
|
||||
|
|
@ -66,8 +66,9 @@ class PodLabelHandler(k8s_base.ResourceEventHandler):
|
|||
self._drv_vif_pool.update_vif_sgs(pod, security_groups)
|
||||
self._set_pod_labels(pod, current_pod_labels)
|
||||
|
||||
services = driver_utils.get_services()
|
||||
self._update_services(services, crd_pod_selectors, project_id)
|
||||
if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules:
|
||||
services = driver_utils.get_services()
|
||||
self._update_services(services, crd_pod_selectors, project_id)
|
||||
|
||||
def _get_pod_labels(self, pod):
|
||||
try:
|
||||
|
|
|
|||
|
|
@ -77,7 +77,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
|||
pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
|
||||
self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
|
||||
|
||||
if pods_to_update:
|
||||
if (pods_to_update and
|
||||
oslo_cfg.CONF.octavia_defaults.enforce_sg_rules):
|
||||
# NOTE(ltomasbo): only need to change services if the pods that
|
||||
# they point to are updated
|
||||
services = driver_utils.get_services(
|
||||
|
|
@ -117,15 +118,16 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
|||
|
||||
self._drv_policy.release_network_policy(netpolicy_crd)
|
||||
|
||||
services = driver_utils.get_services(
|
||||
policy['metadata']['namespace'])
|
||||
for service in services.get('items'):
|
||||
if (service['metadata']['name'] == 'kubernetes' or not
|
||||
self._is_service_affected(service, pods_to_update)):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(service,
|
||||
project_id)
|
||||
self._drv_lbaas.update_lbaas_sg(service, sgs)
|
||||
if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules:
|
||||
services = driver_utils.get_services(
|
||||
policy['metadata']['namespace'])
|
||||
for svc in services.get('items'):
|
||||
if (svc['metadata']['name'] == 'kubernetes' or not
|
||||
self._is_service_affected(svc, pods_to_update)):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(svc,
|
||||
project_id)
|
||||
self._drv_lbaas.update_lbaas_sg(svc, sgs)
|
||||
|
||||
def is_ready(self, quota):
|
||||
if not utils.has_kuryr_crd(k_const.K8S_API_CRD_KURYRNETPOLICIES):
|
||||
|
|
|
|||
|
|
@ -132,15 +132,15 @@ class VIFHandler(k8s_base.ResourceEventHandler):
|
|||
self._set_pod_state(pod, state)
|
||||
if self._is_network_policy_enabled():
|
||||
crd_pod_selectors = self._drv_sg.create_sg_rules(pod)
|
||||
services = driver_utils.get_services()
|
||||
self._update_services(
|
||||
services, crd_pod_selectors, project_id)
|
||||
if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules:
|
||||
services = driver_utils.get_services()
|
||||
self._update_services(
|
||||
services, crd_pod_selectors, project_id)
|
||||
|
||||
def on_deleted(self, pod):
|
||||
if driver_utils.is_host_network(pod):
|
||||
return
|
||||
|
||||
services = driver_utils.get_services()
|
||||
project_id = self._drv_project.get_project(pod)
|
||||
crd_pod_selectors = self._drv_sg.delete_sg_rules(pod)
|
||||
try:
|
||||
|
|
@ -160,7 +160,9 @@ class VIFHandler(k8s_base.ResourceEventHandler):
|
|||
for ifname, vif in state.vifs.items():
|
||||
self._drv_vif_pool.release_vif(pod, vif, project_id,
|
||||
security_groups)
|
||||
if self._is_network_policy_enabled():
|
||||
if (self._is_network_policy_enabled() and
|
||||
oslo_cfg.CONF.octavia_defaults.enforce_sg_rules):
|
||||
services = driver_utils.get_services()
|
||||
self._update_services(services, crd_pod_selectors, project_id)
|
||||
|
||||
@MEMOIZE
|
||||
|
|
|
|||
Loading…
Reference in New Issue