From 60a1e19d49e8aad4f02de12838076b0d094ab526 Mon Sep 17 00:00:00 2001
From: Luis Tomas Bolivar
Date: Mon, 21 Jan 2019 17:17:43 +0100
Subject: [PATCH] Avoid octavia default sg rules collision with kuryr ones

Kuryr is adding sg rules to the loadbalancer to ensure namespace isolation. Octavia is also adding sg rules when creating listeners. Octavia is checking if a rule in the same protocol, direction and port is already created before adding its own. However, if by any chance kuryr is delayed adding its own rules (as it is already happening in some gates), octavia will add its own first, and then kuryr-controller will do it two. Thus having extra rules that will break the isolation enforcement.

Closes-Bug: 1810395
Change-Id: If4760625728539adb336e44ce881e04454c09d40
---
 .../controller/drivers/lbaasv2.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/kuryr_kubernetes/controller/drivers/lbaasv2.py b/kuryr_kubernetes/controller/drivers/lbaasv2.py
index 985527c2b..eee913f53 100644
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -265,6 +265,23 @@ class LBaaSv2Driver(base.LBaaSDriver):
                               'group rule for listener %s.', sg_rule_name)
 
+    def _remove_default_octavia_rules(self, sg_id, listener):
+        neutron = clients.get_neutron_client()
+        for remaining in self._provisioning_timer(
+                _ACTIVATION_TIMEOUT, _LB_STS_POLL_SLOW_INTERVAL):
+            listener_rules = neutron.list_security_group_rules(
+                security_group_id=sg_id,
+                protocol=listener.protocol,
+                port_range_min=listener.port,
+                port_range_max=listener.port,
+                direction='ingress')
+            for rule in listener_rules['security_group_rules']:
+                if not (rule.get('remote_group_id') or
+                        rule.get('remote_ip_prefix')):
+                    # remove default sg rules
+                    neutron.delete_security_group_rule(rule['id'])
+            return
+
     def _extend_lb_security_group_rules(self, loadbalancer, listener):
         neutron = clients.get_neutron_client()
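Review bot: The bare `return` at the end of the `for remaining in self._provisioning_timer(...)` body runs after the first pass whether or not a default rule was found, so the loop never polls a second time: if Octavia has not yet created its unrestricted ingress rule when `_extend_lb_security_group_rules` runs, the method exits at once and the rule is added afterwards, which is the ordering the commit sets out to prevent, and the `# wait until octavia adds default sg rules` comment in the second hunk then describes a wait that does not happen. Make the exit conditional on having removed something: add `deleted = False` before the inner `for rule in ...` loop, set `deleted = True` beside `neutron.delete_security_group_rule(rule['id'])`, and replace the bare `return` with `if deleted: return`; the timer running out with nothing deleted should also be logged, since falling off the loop silently leaves the load balancer port reachable beyond the namespace policy. With that change `remaining` is still unused and could be `_`. The filter passes `listener.protocol` through unchanged; if that value is upper-case while Neutron stores rule protocols lower-case the query would match nothing, so it is worth confirming it against what the existing rule-creation code in this file passes.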
@@ -287,6 +304,8 @@ class LBaaSv2Driver(base.LBaaSDriver):
                         'security_groups': loadbalancer.security_groups}})
         else:
             sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
+        # wait until octavia adds default sg rules
+        self._remove_default_octavia_rules(sg_id, listener)
         for sg in loadbalancer.security_groups:
             if sg != sg_id: