
Ensure reaction to svc target-port update

When the target port of a service is updated and is not allowed
on the pods by the Network Policy, the security group rule needs
to be removed from the LBaaS.

Partially Implements: blueprint k8s-network-policies

Change-Id: Ic0e58aa558ff8497b5090509f5a91d2b3aedc61f
tags/0.6.1
Maysa Macedo 6 months ago
parent
commit
374c5eeaf9
1 changed files with 18 additions and 0 deletions
  1. 18
    0
      kuryr_kubernetes/controller/drivers/lbaasv2.py

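--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -200,6 +200,19 @@ class LBaaSv2Driver(base.LBaaSDriver):
                 LOG.exception('Failed when creating security group rule '
                               'for listener %s.', listener.name)
 
+    def _get_matched_sg_rule(self, rule, lbaas_sg_rules):
+        for lbaas_sg_rule in lbaas_sg_rules:
+            if lbaas_sg_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
+                return lbaas_sg_rule
+        return None
+
+    def _delete_sg_rule(self, rule, lbaas_sg_rules):
+        neutron = clients.get_neutron_client()
+        sg_rule = self._get_matched_sg_rule(rule, lbaas_sg_rules)
+        if sg_rule:
+            LOG.debug("Deleting sg rule: %r", sg_rule['id'])
+            neutron.delete_security_group_rule(sg_rule['id'])
+
     def _apply_members_security_groups(self, loadbalancer, port, target_port,
                                        protocol, sg_rule_name):
         neutron = clients.get_neutron_client()
@@ -208,6 +221,9 @@ class LBaaSv2Driver(base.LBaaSDriver):
         else:
             sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
 
+        lbaas_sg_rules = neutron.list_security_group_rules(
+            security_group_id=sg_id)
+
         # Check if Network Policy allows listener on the pods
         for sg in loadbalancer.security_groups:
             if sg != sg_id:
@@ -227,6 +243,8 @@ class LBaaSv2Driver(base.LBaaSDriver):
                         max_port = rule.get('port_range_max')
                         if (min_port and target_port not in range(min_port,
                                                                   max_port+1)):
+                            self._delete_sg_rule(
+                                rule, lbaas_sg_rules['security_group_rules'])
                             continue
                         try:
                             neutron.create_security_group_rule({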
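Review bot: `_get_matched_sg_rule` keys the lookup on `remote_ip_prefix` alone, so when the load balancer's security group holds several rules for the same CIDR (other listeners or protocols) — or several rules with no prefix at all, since `None == None` — the first hit is the one deleted, which may be a rule unrelated to this listener while the rule the policy no longer allows stays in place. The comparison should also cover the fields the creation path sets on the LB rule, at least `protocol` and `direction` plus the port range it was created with (presumably the listener port rather than the policy rule's target-port range), e.g. `if (lbaas_sg_rule.get('remote_ip_prefix') == rule.get('remote_ip_prefix') and lbaas_sg_rule.get('protocol') == rule.get('protocol') and ...)`; the `create_security_group_rule` call is cut off at the end of the hunk, so the exact key should be taken from there. `_delete_sg_rule` also calls `neutron.delete_security_group_rule` without the try/except that wraps the create call above, so a Neutron error (for instance a rule already removed by a concurrent update) aborts the whole loop instead of being logged like the create failure is. Both new helpers lack a docstring; a one-liner such as `"""Delete the LB SG rule that mirrors a policy rule no longer allowing target_port, if present."""` on `_delete_sg_rule` would state the intent. `_apply_members_security_groups` continues past the end of the hunk.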
