Merge "Ensure host to pod connectivity for NP"
This commit is contained in:
commit
1f43759f69
@ -120,6 +120,31 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||||||
return existing_pod_selector
|
return existing_pod_selector
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
def _add_default_np_rules(self, sg_id):
|
||||||
|
"""Add extra SG rule to allow traffic from svcs and host.
|
||||||
|
|
||||||
|
This method adds the base security group rules for the NP security
|
||||||
|
group:
|
||||||
|
- Ensure traffic is allowed from the services subnet
|
||||||
|
- Ensure traffic is allowed from the host
|
||||||
|
"""
|
||||||
|
default_cidrs = []
|
||||||
|
default_cidrs.append(utils.get_subnet_cidr(
|
||||||
|
config.CONF.neutron_defaults.service_subnet))
|
||||||
|
worker_subnet_id = config.CONF.pod_vif_nested.worker_nodes_subnet
|
||||||
|
if worker_subnet_id:
|
||||||
|
default_cidrs.append(utils.get_subnet_cidr(worker_subnet_id))
|
||||||
|
for cidr in default_cidrs:
|
||||||
|
default_rule = {
|
||||||
|
u'security_group_rule': {
|
||||||
|
u'ethertype': 'IPv4',
|
||||||
|
u'security_group_id': sg_id,
|
||||||
|
u'direction': 'ingress',
|
||||||
|
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
|
||||||
|
u'remote_ip_prefix': cidr
|
||||||
|
}}
|
||||||
|
driver_utils.create_security_group_rule(default_rule)
|
||||||
|
|
||||||
def create_security_group_rules_from_network_policy(self, policy,
|
def create_security_group_rules_from_network_policy(self, policy,
|
||||||
project_id):
|
project_id):
|
||||||
"""Create initial security group and rules
|
"""Create initial security group and rules
|
||||||
@ -151,19 +176,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||||||
sgr_id = driver_utils.create_security_group_rule(e_rule)
|
sgr_id = driver_utils.create_security_group_rule(e_rule)
|
||||||
e_rule['security_group_rule']['id'] = sgr_id
|
e_rule['security_group_rule']['id'] = sgr_id
|
||||||
|
|
||||||
# NOTE(ltomasbo): Add extra SG rule to allow traffic from services
|
# Add default rules to allow traffic from host and svc subnet
|
||||||
# subnet
|
self._add_default_np_rules(sg_id)
|
||||||
svc_cidr = utils.get_subnet_cidr(
|
|
||||||
config.CONF.neutron_defaults.service_subnet)
|
|
||||||
svc_rule = {
|
|
||||||
u'security_group_rule': {
|
|
||||||
u'ethertype': 'IPv4',
|
|
||||||
u'security_group_id': sg_id,
|
|
||||||
u'direction': 'ingress',
|
|
||||||
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
|
|
||||||
u'remote_ip_prefix': svc_cidr
|
|
||||||
}}
|
|
||||||
driver_utils.create_security_group_rule(svc_rule)
|
|
||||||
except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
|
except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
|
||||||
LOG.exception("Error creating security group for network policy "
|
LOG.exception("Error creating security group for network policy "
|
||||||
" %s", policy['metadata']['name'])
|
" %s", policy['metadata']['name'])
|
||||||
|
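Review bot: `_add_default_np_rules` whitelists every protocol and port (`direction: ingress` with no `protocol`/`port_range_*`) from the entire `worker_nodes_subnet` CIDR, so anything holding an address in that subnet — hostNetwork pods or other VMs, not only the kubelet doing probes — bypasses the NetworkPolicy this SG is meant to enforce; that is a deliberate trade-off and belongs in the docstring, e.g. `NOTE: these rules are outside the NetworkPolicy spec and open the SG to all traffic from the listed subnets; anything else living in the worker subnet gets through too.` When `worker_nodes_subnet` is unset the host rule is silently skipped although host-to-pod connectivity is the commit's stated goal; an `else: LOG.warning("pod_vif_nested.worker_nodes_subnet not set; host traffic will be blocked by NP security group %s", sg_id)` would make that visible. The ethertype is hard-coded to `'IPv4'` for both CIDRs, so if either subnet is IPv6 Neutron will presumably reject the rule and, via the `except` in the second hunk, the whole policy is logged as failed — deriving the ethertype from the CIDR's IP version would be safer. The ids returned by `driver_utils.create_security_group_rule(default_rule)` are discarded, unlike the policy rules whose ids are stored on `e_rule` in the second hunk; if the CRD is later used to reconcile SG rules, these untracked rules may be affected, which is worth confirming.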
@ -180,6 +180,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
m_affected.assert_not_called()
|
m_affected.assert_not_called()
|
||||||
m_namespaced.assert_called_once_with(self._policy)
|
m_namespaced.assert_called_once_with(self._policy)
|
||||||
|
|
||||||
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
|
'_add_default_np_rules')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
'get_kuryrnetpolicy_crd')
|
'get_kuryrnetpolicy_crd')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
@ -190,7 +192,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
def test_create_security_group_rules_from_network_policy(self, m_utils,
|
def test_create_security_group_rules_from_network_policy(self, m_utils,
|
||||||
m_parse,
|
m_parse,
|
||||||
m_add_crd,
|
m_add_crd,
|
||||||
m_get_crd):
|
m_get_crd,
|
||||||
|
m_add_default):
|
||||||
self._driver.neutron.create_security_group.return_value = {
|
self._driver.neutron.create_security_group.return_value = {
|
||||||
'security_group': {'id': mock.sentinel.id}}
|
'security_group': {'id': mock.sentinel.id}}
|
||||||
m_utils.get_subnet_cidr.return_value = {
|
m_utils.get_subnet_cidr.return_value = {
|
||||||
@ -202,7 +205,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
self._policy, self._project_id)
|
self._policy, self._project_id)
|
||||||
m_get_crd.assert_called_once()
|
m_get_crd.assert_called_once()
|
||||||
m_add_crd.assert_called_once()
|
m_add_crd.assert_called_once()
|
||||||
|
m_add_default.assert_called_once()
|
||||||
|
|
||||||
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
|
'_add_default_np_rules')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
'get_kuryrnetpolicy_crd')
|
'get_kuryrnetpolicy_crd')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
@ -211,7 +217,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
'parse_network_policy_rules')
|
'parse_network_policy_rules')
|
||||||
@mock.patch.object(utils, 'get_subnet_cidr')
|
@mock.patch.object(utils, 'get_subnet_cidr')
|
||||||
def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
|
def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
|
||||||
m_add_crd, m_get_crd):
|
m_add_crd, m_get_crd,
|
||||||
|
m_add_default):
|
||||||
self._driver.neutron.create_security_group.return_value = {
|
self._driver.neutron.create_security_group.return_value = {
|
||||||
'security_group': {'id': mock.sentinel.id}}
|
'security_group': {'id': mock.sentinel.id}}
|
||||||
m_utils.get_subnet_cidr.return_value = {
|
m_utils.get_subnet_cidr.return_value = {
|
||||||
@ -225,7 +232,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
self._driver.create_security_group_rules_from_network_policy,
|
self._driver.create_security_group_rules_from_network_policy,
|
||||||
self._policy, self._project_id)
|
self._policy, self._project_id)
|
||||||
m_add_crd.assert_called_once()
|
m_add_crd.assert_called_once()
|
||||||
|
m_add_default.assert_called_once()
|
||||||
|
|
||||||
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
|
'_add_default_np_rules')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
'get_kuryrnetpolicy_crd')
|
'get_kuryrnetpolicy_crd')
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
@ -234,7 +244,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
'parse_network_policy_rules')
|
'parse_network_policy_rules')
|
||||||
@mock.patch.object(utils, 'get_subnet_cidr')
|
@mock.patch.object(utils, 'get_subnet_cidr')
|
||||||
def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
|
def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
|
||||||
m_add_crd, m_get_crd):
|
m_add_crd, m_get_crd,
|
||||||
|
m_add_default):
|
||||||
self._driver.neutron.create_security_group.return_value = {
|
self._driver.neutron.create_security_group.return_value = {
|
||||||
'security_group': {'id': mock.sentinel.id}}
|
'security_group': {'id': mock.sentinel.id}}
|
||||||
m_utils.get_subnet_cidr.return_value = {
|
m_utils.get_subnet_cidr.return_value = {
|
||||||
@ -248,6 +259,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
self._driver.create_security_group_rules_from_network_policy,
|
self._driver.create_security_group_rules_from_network_policy,
|
||||||
self._policy, self._project_id)
|
self._policy, self._project_id)
|
||||||
m_get_crd.assert_not_called()
|
m_get_crd.assert_not_called()
|
||||||
|
m_add_default.assert_called_once()
|
||||||
|
|
||||||
def test_create_security_group_rules_with_n_exc(self):
|
def test_create_security_group_rules_with_n_exc(self):
|
||||||
self._driver.neutron.create_security_group.side_effect = (
|
self._driver.neutron.create_security_group.side_effect = (
|
||||||
|