diff --git a/kuryr_kubernetes/controller/drivers/lbaasv2.py b/kuryr_kubernetes/controller/drivers/lbaasv2.py
index 9620ee509..986e2a3da 100644
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -955,7 +955,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
 svc_namespace = service['metadata']['namespace']
 svc_name = service['metadata']['name']
- svc_ports = service['spec']['ports']
+ svc_ports = service['spec'].get('ports', [])
 lbaas_name = "%s/%s" % (svc_namespace, svc_name)
diff --git a/kuryr_kubernetes/controller/drivers/utils.py b/kuryr_kubernetes/controller/drivers/utils.py
index d08cc5b55..5d9f795ca 100644
--- a/kuryr_kubernetes/controller/drivers/utils.py
+++ b/kuryr_kubernetes/controller/drivers/utils.py
@@ -444,6 +444,8 @@ def service_matches_affected_pods(service, pod_selectors):
 and False otherwise.
 """
 svc_selector = service['spec'].get('selector')
+ if not svc_selector:
+ return False
 for selector in pod_selectors:
 if match_selector(selector, svc_selector):
 return True
diff --git a/kuryr_kubernetes/controller/handlers/pod_label.py b/kuryr_kubernetes/controller/handlers/pod_label.py
index ee1fecd02..df08714f2 100644
--- a/kuryr_kubernetes/controller/handlers/pod_label.py
+++ b/kuryr_kubernetes/controller/handlers/pod_label.py
@@ -103,9 +103,8 @@ class PodLabelHandler(k8s_base.ResourceEventHandler):
 def _update_services(self, services, crd_pod_selectors, project_id):
 for service in services.get('items'):
- if (service['metadata']['name'] == 'kubernetes' or not
- driver_utils.service_matches_affected_pods(
- service, crd_pod_selectors)):
+ if not driver_utils.service_matches_affected_pods(
+ service, crd_pod_selectors):
 continue
 sgs = self._drv_svc_sg.get_security_groups(service,
 project_id)
diff --git a/kuryr_kubernetes/controller/handlers/policy.py b/kuryr_kubernetes/controller/handlers/policy.py
index 4a92fdbd5..5d1718c55 100644
--- a/kuryr_kubernetes/controller/handlers/policy.py
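Review bot: The new `service['spec'].get('ports', [])` line in the lbaasv2.py hunk lets the method carry on with an empty port list, but nothing beside it says which Services arrive without `ports` or what should then happen to security group rules already applied for that load balancer. The enclosing method starts and ends outside the hunk, so whether an empty list leaves earlier rules untouched cannot be checked from here. Once that is confirmed against the rest of the method, I would add a comment above the line, for example `# 'ports' may be absent from the Service spec; an empty list means there are no ports to process.`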
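Review bot: The early `return False` added to `service_matches_affected_pods` in utils.py is broader than the `'kubernetes'` name check that pod_label.py and vif.py drop in this commit: every Service without a selector is now reported as unaffected. A selectorless Service can still reach pods through manually managed Endpoints, so where a deployment relies on those, its load balancer security groups would presumably no longer be refreshed from these two handlers after a pod label change. If that is the intended policy, the docstring (which begins above the hunk) should state it, e.g. `Services without a selector are never considered affected.`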
+++ b/kuryr_kubernetes/controller/handlers/policy.py
@@ -86,7 +86,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
 for service in services.get('items'):
 # TODO(ltomasbo): Skip other services that are not affected
 # by the policy
- if (service['metadata']['name'] == 'kubernetes' or not
+ if (not service['spec'].get('selector') or not
 self._is_service_affected(service, pods_to_update)):
 continue
 sgs = self._drv_svc_sg.get_security_groups(service,
@@ -122,7 +122,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
 services = driver_utils.get_services(
 policy['metadata']['namespace'])
 for svc in services.get('items'):
- if (svc['metadata']['name'] == 'kubernetes' or not
+ if (not svc['spec'].get('selector') or not
 self._is_service_affected(svc, pods_to_update)):
 continue
 sgs = self._drv_svc_sg.get_security_groups(svc,
diff --git a/kuryr_kubernetes/controller/handlers/vif.py b/kuryr_kubernetes/controller/handlers/vif.py
index 12a7d7f98..33c85bb4f 100644
--- a/kuryr_kubernetes/controller/handlers/vif.py
+++ b/kuryr_kubernetes/controller/handlers/vif.py
@@ -251,9 +251,8 @@ class VIFHandler(k8s_base.ResourceEventHandler):
 def _update_services(self, services, crd_pod_selectors, project_id):
 for service in services.get('items'):
- if (service['metadata']['name'] == 'kubernetes' or not
- driver_utils.service_matches_affected_pods(
- service, crd_pod_selectors)):
+ if not driver_utils.service_matches_affected_pods(
+ service, crd_pod_selectors):
 continue
 sgs = self._drv_svc_sg.get_security_groups(service,
 project_id)
diff --git a/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py b/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
index 9b066c007..0ea7f1e88 100644
--- a/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
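Review bot: In policy.py the guard `not service['spec'].get('selector')` is written inline in both loops (the hunk at -86 and the one at -122), whereas pod_label.py and vif.py get the same decision from `driver_utils.service_matches_affected_pods`. This condition decides whether a Service's load balancer security groups are updated when a NetworkPolicy changes, so keeping it in one place stops the two paths drifting apart. Moving it to the top of `_is_service_affected`, which is defined outside these hunks, would reduce each call site to `if not self._is_service_affected(service, pods_to_update):`. The TODO comment above the first condition could also record that selectorless Services are skipped on purpose.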
@@ -186,6 +186,7 @@ class TestPolicyHandler(test_base.TestCase):
 match_pod = mock.sentinel.match_pod
 m_host_network.return_value = False
+ self._handler._is_service_affected.return_value = True
 knp_on_ns = self._handler._drv_policy.knps_on_namespace
 knp_on_ns.return_value = True
 namespaced_pods = self._handler._drv_policy.namespaced_pods
@@ -196,7 +197,8 @@ class TestPolicyHandler(test_base.TestCase):
 sg1 = [mock.sentinel.sg1]
 sg2 = [mock.sentinel.sg2]
 self._get_security_groups.side_effect = [sg1, sg2]
- service = {'metadata': {'name': 'service-test'}}
+ service = {'metadata': {'name': 'service-test'},
+ 'spec': {'selector': mock.sentinel.selector}}
 m_get_services.return_value = {'items': [service]}
 policy.NetworkPolicyHandler.on_present(self._handler, self._policy)
@@ -208,9 +210,10 @@ class TestPolicyHandler(test_base.TestCase):
 calls = [mock.call(modified_pod, self._project_id),
 mock.call(match_pod, self._project_id)]
 self._get_security_groups.assert_has_calls(calls)
-
 calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
 self._update_vif_sgs.assert_has_calls(calls)
+ self._handler._is_service_affected.assert_called_once_with(
+ service, [modified_pod, match_pod])
 self._update_lbaas_sg.assert_called_once()
 @mock.patch('kuryr_kubernetes.controller.drivers.utils.get_services')
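Review bot: The hunks shown for test_policy.py only cover a Service that has a selector (`'spec': {'selector': mock.sentinel.selector}` in the hunk at -196) with `_is_service_affected` forced to True, so no assertion here pins the new skip for selectorless Services. A companion case using `'spec': {}` and ending with `self._update_lbaas_sg.assert_not_called()` would guard against a regression that starts updating load balancer security groups for Services the controller is meant to leave alone. Further test changes may exist beyond the part of the diff visible here.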