Ensure no LBaaS SG update is triggered for SVCs without selectors and ports

When a Network Policy is enforced we shouldn't try to update the
SG of a LBaaS that would map to a SVC without selector, as this
kind of SVC is not wired by Kuryr. Also, we shouldn't try to update
the LBaaS SG when no ports are defined in the SVC spec.

Closes-Bug: 1845917
Change-Id: I94a288f2b66bd2444d177931f509e1b6ef250235
Maysa Macedo 2019-09-29 21:58:40 +00:00
parent 3208b192ad
commit 68145b9b58
6 changed files with 14 additions and 11 deletions


@ -955,7 +955,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
svc_namespace = service['metadata']['namespace']
svc_name = service['metadata']['name']
svc_ports = service['spec']['ports']
svc_ports = service['spec'].get('ports', [])
lbaas_name = "%s/%s" % (svc_namespace, svc_name)
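Review bot: Defaulting `svc_ports` to `[]` turns the missing-ports case into a silent no-op, and nothing in the hunk tells a reader why that is the intended outcome rather than a defensive default; a short comment would carry the commit's reasoning into the code, e.g. `# A service whose spec defines no ports has no LBaaS SG to update (bug 1845917).` The enclosing method of LBaaSv2Driver starts and ends outside the hunk, so the loop that consumes `svc_ports` is not visible here.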


@ -444,6 +444,8 @@ def service_matches_affected_pods(service, pod_selectors):
and False otherwise.
"""
svc_selector = service['spec'].get('selector')
if not svc_selector:
return False
for selector in pod_selectors:
if match_selector(selector, svc_selector):
return True
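Review bot: The docstring of service_matches_affected_pods still ends with "and False otherwise." and does not mention the new early return for services without a selector, which is the rule PodLabelHandler and VIFHandler now rely on instead of their old name check; add a sentence such as `Services with no selector never match, as Kuryr does not wire them.` The start of the docstring and the final return after the loop lie outside the hunk.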


@ -103,9 +103,8 @@ class PodLabelHandler(k8s_base.ResourceEventHandler):
def _update_services(self, services, crd_pod_selectors, project_id):
for service in services.get('items'):
if (service['metadata']['name'] == 'kubernetes' or not
driver_utils.service_matches_affected_pods(
service, crd_pod_selectors)):
if not driver_utils.service_matches_affected_pods(
service, crd_pod_selectors):
continue
sgs = self._drv_svc_sg.get_security_groups(service,
project_id)
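Review bot: Dropping the explicit `service['metadata']['name'] == 'kubernetes'` skip here (and likewise in VIFHandler._update_services and in both NetworkPolicyHandler hunks) changes the exclusion from name-based to selector-based; the default `kubernetes` API service is presumably skipped now only because it carries no selector, and that assumption is not stated anywhere in the diff. A one-line comment next to the check, `# Selector-less services (the API 'kubernetes' service among them) are rejected by service_matches_affected_pods`, would record why the name check is no longer needed. The rest of _update_services continues outside the hunk.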


@ -86,7 +86,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
for service in services.get('items'):
# TODO(ltomasbo): Skip other services that are not affected
# by the policy
if (service['metadata']['name'] == 'kubernetes' or not
if (not service['spec'].get('selector') or not
self._is_service_affected(service, pods_to_update)):
continue
sgs = self._drv_svc_sg.get_security_groups(service,
@ -122,7 +122,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
services = driver_utils.get_services(
policy['metadata']['namespace'])
for svc in services.get('items'):
if (svc['metadata']['name'] == 'kubernetes' or not
if (not svc['spec'].get('selector') or not
self._is_service_affected(svc, pods_to_update)):
continue
sgs = self._drv_svc_sg.get_security_groups(svc,
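Review bot: The `not service['spec'].get('selector')` test is written inline twice in NetworkPolicyHandler (in the first hunk and again here), whereas PodLabelHandler and VIFHandler get the same rule from driver_utils.service_matches_affected_pods; folding the selector check into `_is_service_affected`, which is defined outside these hunks, would leave a single place that decides whether a service is eligible, and each call site would shrink to `if not self._is_service_affected(svc, pods_to_update):`. Both enclosing methods continue outside the hunks.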


@ -251,9 +251,8 @@ class VIFHandler(k8s_base.ResourceEventHandler):
def _update_services(self, services, crd_pod_selectors, project_id):
for service in services.get('items'):
if (service['metadata']['name'] == 'kubernetes' or not
driver_utils.service_matches_affected_pods(
service, crd_pod_selectors)):
if not driver_utils.service_matches_affected_pods(
service, crd_pod_selectors):
continue
sgs = self._drv_svc_sg.get_security_groups(service,
project_id)


@ -186,6 +186,7 @@ class TestPolicyHandler(test_base.TestCase):
match_pod = mock.sentinel.match_pod
m_host_network.return_value = False
self._handler._is_service_affected.return_value = True
knp_on_ns = self._handler._drv_policy.knps_on_namespace
knp_on_ns.return_value = True
namespaced_pods = self._handler._drv_policy.namespaced_pods
@ -196,7 +197,8 @@ class TestPolicyHandler(test_base.TestCase):
sg1 = [mock.sentinel.sg1]
sg2 = [mock.sentinel.sg2]
self._get_security_groups.side_effect = [sg1, sg2]
service = {'metadata': {'name': 'service-test'}}
service = {'metadata': {'name': 'service-test'},
'spec': {'selector': mock.sentinel.selector}}
m_get_services.return_value = {'items': [service]}
policy.NetworkPolicyHandler.on_present(self._handler, self._policy)
@ -208,9 +210,10 @@ class TestPolicyHandler(test_base.TestCase):
calls = [mock.call(modified_pod, self._project_id),
mock.call(match_pod, self._project_id)]
self._get_security_groups.assert_has_calls(calls)
calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
self._update_vif_sgs.assert_has_calls(calls)
self._handler._is_service_affected.assert_called_once_with(
service, [modified_pod, match_pod])
self._update_lbaas_sg.assert_called_once()
@mock.patch('kuryr_kubernetes.controller.drivers.utils.get_services')
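Review bot: The updated test only exercises a service that has a selector, so the path this commit introduces — a selector-less service being skipped before `_is_service_affected` and the LBaaS SG update are reached — has no test. A companion test built like this one, with `service = {'metadata': {'name': 'service-test'}, 'spec': {}}`, should assert `self._handler._is_service_affected.assert_not_called()` and `self._update_lbaas_sg.assert_not_called()`, since the `or` in the handler short-circuits on the missing selector. The test method's header and the patch decorators it uses start above the first hunk of this section.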