Avoid octavia default sg rules collision with kuryr ones

Kuryr is adding sg rules to the loadbalancer to ensure namespace
isolation. Octavia is also adding sg rules when creating listeners.
Octavia checks whether a rule with the same protocol, direction and
port already exists before adding its own. However, if for any
reason kuryr is delayed in adding its own rules (as is already
happening in some gates), octavia will add its rule first, and then
kuryr-controller will add its own too. This leaves extra rules that
break the isolation enforcement.

Closes-Bug: 1810395
Change-Id: If4760625728539adb336e44ce881e04454c09d40
Luis Tomas Bolivar 2019-01-21 17:17:43 +01:00
parent 571079d9cb
commit 60a1e19d49
1 changed files with 19 additions and 0 deletions


@ -265,6 +265,23 @@ class LBaaSv2Driver(base.LBaaSDriver):
'group rule for listener %s.',
sg_rule_name)
def _remove_default_octavia_rules(self, sg_id, listener):
neutron = clients.get_neutron_client()
for remaining in self._provisioning_timer(
_ACTIVATION_TIMEOUT, _LB_STS_POLL_SLOW_INTERVAL):
listener_rules = neutron.list_security_group_rules(
security_group_id=sg_id,
protocol=listener.protocol,
port_range_min=listener.port,
port_range_max=listener.port,
direction='ingress')
for rule in listener_rules['security_group_rules']:
if not (rule.get('remote_group_id') or
rule.get('remote_ip_prefix')):
# remove default sg rules
neutron.delete_security_group_rule(rule['id'])
return
def _extend_lb_security_group_rules(self, loadbalancer, listener):
neutron = clients.get_neutron_client()
@ -287,6 +304,8 @@ class LBaaSv2Driver(base.LBaaSDriver):
'security_groups': loadbalancer.security_groups}})
else:
sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
# wait until octavia adds default sg rules
self._remove_default_octavia_rules(sg_id, listener)
for sg in loadbalancer.security_groups:
if sg != sg_id:
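Review bot: `_remove_default_octavia_rules` (lines 25–40) fails silently on timeout: when no matching default rule appears before `_ACTIVATION_TIMEOUT` runs out, the polling loop just ends, `_extend_lb_security_group_rules` proceeds at line 48 to add Kuryr's rules, and an Octavia rule that lands later re-creates exactly the collision this commit is meant to close, with no trace in the logs. Add a warning after the loop, e.g. `LOG.warning('Timed out waiting for Octavia default SG rule on %s/%s; isolation may be incomplete', listener.protocol, listener.port)` (assuming `LOG` is the module logger, as the `'group rule for listener %s.'` message above suggests), or return a bool so the caller can act on it. The `neutron.delete_security_group_rule(rule['id'])` call should also tolerate the rule having been removed between the list and the delete, e.g. `except n_exc.NotFound: pass` if that alias is in scope in this module. The rendering has lost indentation, so I cannot confirm whether the `return` on line 40 sits inside the `if` (stop after the first default rule) or at the outer loop level (return after the first listing even when nothing was deleted, which would defeat the wait); please confirm the former, and a one-line docstring such as `"""Wait for Octavia's open ingress rule for this listener and delete it."""` would make the intent explicit.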