Ensure reaction to svc target-port update
When the target port of a service is updated to one that the Network Policy does not allow on the pods, the corresponding security group rule needs to be removed from the load balancer's security group. Partially Implements: blueprint k8s-network-policies Change-Id: Ic0e58aa558ff8497b5090509f5a91d2b3aedc61f
This commit is contained in:
parent
7480cc36f8
commit
374c5eeaf9
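--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -200,6 +200,19 @@ class LBaaSv2Driver(base.LBaaSDriver):
                 LOG.exception('Failed when creating security group rule '
                               'for listener %s.', listener.name)
 
+    def _get_matched_sg_rule(self, rule, lbaas_sg_rules):
+        for lbaas_sg_rule in lbaas_sg_rules:
+            if lbaas_sg_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
+                return lbaas_sg_rule
+        return None
+
+    def _delete_sg_rule(self, rule, lbaas_sg_rules):
+        neutron = clients.get_neutron_client()
+        sg_rule = self._get_matched_sg_rule(rule, lbaas_sg_rules)
+        if sg_rule:
+            LOG.debug("Deleting sg rule: %r", sg_rule['id'])
+            neutron.delete_security_group_rule(sg_rule['id'])
+
     def _apply_members_security_groups(self, loadbalancer, port, target_port,
                                        protocol, sg_rule_name):
         neutron = clients.get_neutron_client()
@@ -208,6 +221,9 @@ class LBaaSv2Driver(base.LBaaSDriver):
         else:
             sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
 
+        lbaas_sg_rules = neutron.list_security_group_rules(
+            security_group_id=sg_id)
+
         # Check if Network Policy allows listener on the pods
         for sg in loadbalancer.security_groups:
             if sg != sg_id:
@@ -227,6 +243,8 @@ class LBaaSv2Driver(base.LBaaSDriver):
                         max_port = rule.get('port_range_max')
                         if (min_port and target_port not in range(min_port,
                                                                   max_port+1)):
+                            self._delete_sg_rule(
+                                rule, lbaas_sg_rules['security_group_rules'])
                             continue
                         try:
                             neutron.create_security_group_rule({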
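Review bot: `_get_matched_sg_rule` in the first hunk picks the load-balancer rule to delete by `remote_ip_prefix` alone, so `_delete_sg_rule`, called from the third hunk when `target_port` falls outside the policy rule's range, can remove a rule that belongs to another listener of the same load balancer or, when the policy rule carries no prefix (`None`), one of the security group's default egress rules, while the listener rule that actually became over-permissive stays in place. The rule that should be matched is the one the `create_security_group_rule` call just below the third hunk builds (its body is cut off here), so the match should also compare direction, protocol and the port that call assigns to the listener rule, passed down from `_apply_members_security_groups`; if that call uses `target_port` rather than `port`, pass that instead. Separately, `lbaas_sg_rules` is listed once before the loop, so after one deletion the stale entry can be matched again on a later iteration and `delete_security_group_rule` would raise a Neutron NotFound without the try/except the create path has; dropping the deleted entry from the list (or catching NotFound) avoids that. `_apply_members_security_groups` starts inside the first hunk, but its body continues past the end of the third.
```python
    def _get_matched_sg_rule(self, rule, lbaas_sg_rules, port=None,
                             protocol=None):
        # The LB security group also holds the default egress rules and the
        # rules of the other listeners, and many of them share
        # remote_ip_prefix (often None); match on direction/protocol/port
        # too so only this listener's rule is selected.
        for lbaas_sg_rule in lbaas_sg_rules:
            if (lbaas_sg_rule['remote_ip_prefix'] == rule['remote_ip_prefix']
                    and lbaas_sg_rule['direction'] == 'ingress'
                    and (protocol is None
                         or lbaas_sg_rule['protocol'] == protocol)
                    and (port is None
                         or lbaas_sg_rule['port_range_min'] == port)):
                return lbaas_sg_rule
        return None

    def _delete_sg_rule(self, rule, lbaas_sg_rules, port=None, protocol=None):
        neutron = clients.get_neutron_client()
        sg_rule = self._get_matched_sg_rule(rule, lbaas_sg_rules, port,
                                            protocol)
        if sg_rule:
            LOG.debug("Deleting sg rule: %r", sg_rule['id'])
            neutron.delete_security_group_rule(sg_rule['id'])
            # Forget the entry so a later iteration cannot delete it twice.
            lbaas_sg_rules.remove(sg_rule)

    # … unchanged: _apply_members_security_groups up to the port-range check …
                            self._delete_sg_rule(
                                rule, lbaas_sg_rules['security_group_rules'],
                                port, protocol)
                            continue
```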