
Merge "Ensure host to pod connectivity for NP"

Zuul 2 months ago
parent
commit
1f43759f69

+ 27
- 13
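--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -120,6 +120,31 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
             return existing_pod_selector
         return False
 
+    def _add_default_np_rules(self, sg_id):
+        """Add extra SG rule to allow traffic from svcs and host.
+
+        This method adds the base security group rules for the NP security
+        group:
+        - Ensure traffic is allowed from the services subnet
+        - Ensure traffic is allowed from the host
+        """
+        default_cidrs = []
+        default_cidrs.append(utils.get_subnet_cidr(
+            config.CONF.neutron_defaults.service_subnet))
+        worker_subnet_id = config.CONF.pod_vif_nested.worker_nodes_subnet
+        if worker_subnet_id:
+            default_cidrs.append(utils.get_subnet_cidr(worker_subnet_id))
+        for cidr in default_cidrs:
+            default_rule = {
+                u'security_group_rule': {
+                    u'ethertype': 'IPv4',
+                    u'security_group_id': sg_id,
+                    u'direction': 'ingress',
+                    u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
+                    u'remote_ip_prefix': cidr
+                }}
+            driver_utils.create_security_group_rule(default_rule)
+
     def create_security_group_rules_from_network_policy(self, policy,
                                                         project_id):
         """Create initial security group and rules
@@ -151,19 +176,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                 sgr_id = driver_utils.create_security_group_rule(e_rule)
                 e_rule['security_group_rule']['id'] = sgr_id
 
-            # NOTE(ltomasbo): Add extra SG rule to allow traffic from services
-            # subnet
-            svc_cidr = utils.get_subnet_cidr(
-                config.CONF.neutron_defaults.service_subnet)
-            svc_rule = {
-                u'security_group_rule': {
-                    u'ethertype': 'IPv4',
-                    u'security_group_id': sg_id,
-                    u'direction': 'ingress',
-                    u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
-                    u'remote_ip_prefix': svc_cidr
-                }}
-            driver_utils.create_security_group_rule(svc_rule)
+            # Add default rules to allow traffic from host and svc subnet
+            self._add_default_np_rules(sg_id)
         except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
             LOG.exception("Error creating security group for network policy "
                           " %s", policy['metadata']['name'])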
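Review bot: The rule dict built in `_add_default_np_rules` carries no `protocol` or port range, so the whole worker-nodes subnet CIDR is admitted on every protocol and port, which is wider than the host-to-pod connectivity the commit title asks for: every address in that subnet, not only the node hosting the pod, is exempted from the NetworkPolicy's ingress restriction. That widening should at least be visible in the docstring, which currently reads as if a single rule were added; something like `Add the default ingress SG rules to the NP security group: one for the services subnet and, when pod_vif_nested.worker_nodes_subnet is set, one admitting the entire worker-nodes subnet on all protocols and ports.` would make the scope explicit for anyone auditing the policy. The `ethertype` is also hard-coded to `'IPv4'` while both CIDRs come from configuration, so an IPv6 service or worker subnet would be paired with the wrong ethertype — worth a guard or a comment if IPv6 subnets are not supported on this path. `create_security_group_rules_from_network_policy` starts before and ends after the second hunk.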

+ 15
- 3
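--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@@ -180,6 +180,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
         m_affected.assert_not_called()
         m_namespaced.assert_called_once_with(self._policy)
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -190,7 +192,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
     def test_create_security_group_rules_from_network_policy(self, m_utils,
                                                              m_parse,
                                                              m_add_crd,
-                                                             m_get_crd):
+                                                             m_get_crd,
+                                                             m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
@@ -202,7 +205,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._policy, self._project_id)
         m_get_crd.assert_called_once()
         m_add_crd.assert_called_once()
+        m_add_default.assert_called_once()
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -211,7 +217,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                        'parse_network_policy_rules')
     @mock.patch.object(utils, 'get_subnet_cidr')
     def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
-                                                      m_add_crd, m_get_crd):
+                                                      m_add_crd, m_get_crd,
+                                                      m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
@@ -225,7 +232,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._driver.create_security_group_rules_from_network_policy,
             self._policy, self._project_id)
         m_add_crd.assert_called_once()
+        m_add_default.assert_called_once()
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -234,7 +244,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                        'parse_network_policy_rules')
     @mock.patch.object(utils, 'get_subnet_cidr')
     def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
-                                                       m_add_crd, m_get_crd):
+                                                       m_add_crd, m_get_crd,
+                                                       m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
@@ -248,6 +259,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._driver.create_security_group_rules_from_network_policy,
             self._policy, self._project_id)
         m_get_crd.assert_not_called()
+        m_add_default.assert_called_once()
 
     def test_create_security_group_rules_with_n_exc(self):
         self._driver.neutron.create_security_group.side_effect = (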
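Review bot: Every test touched here patches `_add_default_np_rules` away and only asserts `m_add_default.assert_called_once()`, so the logic that actually decides which CIDRs are opened — the worker-subnet rule being added only when `pod_vif_nested.worker_nodes_subnet` is set, and `driver_utils.create_security_group_rule` being called once per CIDR with that CIDR as `remote_ip_prefix` — has no unit coverage in this commit. A dedicated `test_add_default_np_rules` pair (worker subnet configured / not configured) that patches `utils.get_subnet_cidr` and `driver_utils.create_security_group_rule`, calls `self._driver._add_default_np_rules(mock.sentinel.sg_id)`, and asserts the call count and the `remote_ip_prefix` of each submitted rule would pin the security-relevant behaviour down. With the method mocked, the `m_utils.get_subnet_cidr.return_value` setup kept in these tests appears to no longer feed anything on the tested path, though the rest of each test body lies outside the hunks so that is inferred.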
