Ensure no LBaaS SG update is triggered for SVCs without selectors and ports
When a Network Policy is enforced we shouldn't try to update the SG of a LBaaS that would map to a SVC without a selector, as Kuryr does not wire that kind of SVC. Also, we shouldn't try to update the LBaaS SG when no ports are defined in the SVC spec.

Closes-Bug: 1845917
Change-Id: I94a288f2b66bd2444d177931f509e1b6ef250235
parent
3208b192ad
commit
68145b9b58
@ -955,7 +955,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
|
|||
|
||||
svc_namespace = service['metadata']['namespace']
|
||||
svc_name = service['metadata']['name']
|
||||
svc_ports = service['spec']['ports']
|
||||
svc_ports = service['spec'].get('ports', [])
|
||||
|
||||
lbaas_name = "%s/%s" % (svc_namespace, svc_name)
|
||||
|
||||
|
|
|
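Review bot: The new default `svc_ports = service['spec'].get('ports', [])` avoids the KeyError on a Service that declares no ports, but nothing in this hunk shows the method bailing out when the list is empty, so if the code that follows rebuilds the load balancer's security-group rules from `svc_ports`, an empty list would presumably fall through to an update that adds no rules (or strips the existing ones) rather than being skipped as the commit message says it should be. An explicit guard after `lbaas_name` is computed would make that contract visible, e.g. `if not svc_ports:` / `LOG.debug('Service %s has no ports, skipping SG update', lbaas_name)` / `return` (assuming the module's usual `LOG`). The enclosing method starts and ends outside the hunk, so the empty case may already be handled further down; if so, a one-line comment at the assignment saying where would save the next reader the search.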
@ -444,6 +444,8 @@ def service_matches_affected_pods(service, pod_selectors):
|
|||
and False otherwise.
|
||||
"""
|
||||
svc_selector = service['spec'].get('selector')
|
||||
if not svc_selector:
|
||||
return False
|
||||
for selector in pod_selectors:
|
||||
if match_selector(selector, svc_selector):
|
||||
return True
|
||||
|
|
|
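Review bot: The docstring whose tail is visible at the top of the hunk (`and False otherwise.`) does not mention the new early return, yet that return is the behavioral change callers now rely on: a Service with no `spec.selector` is reported as not affected regardless of what `pod_selectors` contains. I would extend the docstring with a sentence such as `Services without a spec.selector are never considered affected: Kuryr does not wire them to pods, so there is no load balancer security group to update for them.` The function's signature and the start of its docstring are outside the hunk.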
@ -103,9 +103,8 @@ class PodLabelHandler(k8s_base.ResourceEventHandler):
|
|||
|
||||
def _update_services(self, services, crd_pod_selectors, project_id):
|
||||
for service in services.get('items'):
|
||||
if (service['metadata']['name'] == 'kubernetes' or not
|
||||
driver_utils.service_matches_affected_pods(
|
||||
service, crd_pod_selectors)):
|
||||
if not driver_utils.service_matches_affected_pods(
|
||||
service, crd_pod_selectors):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(service,
|
||||
project_id)
|
||||
|
|
|
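Review bot: Dropping the `service['metadata']['name'] == 'kubernetes'` special case leaves the skip of the default API-server Service depending on an unstated property — that this Service carries no `spec.selector`, so `service_matches_affected_pods` now returns False for it. As far as I know that is how the default Service is defined upstream, but a reader of this loop can no longer see why the API server's endpoint is exempt from policy-driven SG updates, so I would keep a comment above the `continue`: `# Selector-less services (including the default 'kubernetes' one) are not wired by Kuryr, so the helper reports them as unaffected.` The same loop body appears verbatim in VIFHandler._update_services; moving it into driver_utils would keep the guard in a single place.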
@ -86,7 +86,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
|||
for service in services.get('items'):
|
||||
# TODO(ltomasbo): Skip other services that are not affected
|
||||
# by the policy
|
||||
if (service['metadata']['name'] == 'kubernetes' or not
|
||||
if (not service['spec'].get('selector') or not
|
||||
self._is_service_affected(service, pods_to_update)):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(service,
|
||||
|
@ -122,7 +122,7 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
|||
services = driver_utils.get_services(
|
||||
policy['metadata']['namespace'])
|
||||
for svc in services.get('items'):
|
||||
if (svc['metadata']['name'] == 'kubernetes' or not
|
||||
if (not svc['spec'].get('selector') or not
|
||||
self._is_service_affected(svc, pods_to_update)):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(svc,
|
||||
|
|
|
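Review bot: Both hunks in this handler now guard with the same inline pair `if (not svc['spec'].get('selector') or not self._is_service_affected(svc, pods_to_update)):`, while PodLabelHandler and VIFHandler get the equivalent selector check from `driver_utils.service_matches_affected_pods`, so the selector rule now lives in three places and the next tweak (for instance also skipping services with no ports, which the LBaaS driver hunk starts to handle) will have to be applied to each. A small private method such as `def _should_update_service(self, svc, pods)` returning `bool(svc['spec'].get('selector')) and self._is_service_affected(svc, pods)`, called from both loops, would keep the guard in one place. The `# TODO(ltomasbo): Skip other services that are not affected by the policy` comment at the top of the first hunk also reads as stale now that `_is_service_affected` is consulted on the very next line; if work remains, the comment should say what.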
@ -251,9 +251,8 @@ class VIFHandler(k8s_base.ResourceEventHandler):
|
|||
|
||||
def _update_services(self, services, crd_pod_selectors, project_id):
|
||||
for service in services.get('items'):
|
||||
if (service['metadata']['name'] == 'kubernetes' or not
|
||||
driver_utils.service_matches_affected_pods(
|
||||
service, crd_pod_selectors)):
|
||||
if not driver_utils.service_matches_affected_pods(
|
||||
service, crd_pod_selectors):
|
||||
continue
|
||||
sgs = self._drv_svc_sg.get_security_groups(service,
|
||||
project_id)
|
||||
|
|
|
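Review bot: Removing the name-based exemption for the `kubernetes` Service makes this loop correct only because that Service has no `spec.selector` and `service_matches_affected_pods` therefore returns False for it; that dependency is invisible here and worth a comment above the `continue`, e.g. `# Selector-less services (the default 'kubernetes' Service among them) are skipped by the helper: Kuryr creates no LB for them.` This `_update_services` body is identical to PodLabelHandler._update_services, so a shared helper in driver_utils would avoid the two copies drifting apart. The method's surrounding context is outside the hunk.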
@ -186,6 +186,7 @@ class TestPolicyHandler(test_base.TestCase):
|
|||
match_pod = mock.sentinel.match_pod
|
||||
m_host_network.return_value = False
|
||||
|
||||
self._handler._is_service_affected.return_value = True
|
||||
knp_on_ns = self._handler._drv_policy.knps_on_namespace
|
||||
knp_on_ns.return_value = True
|
||||
namespaced_pods = self._handler._drv_policy.namespaced_pods
|
||||
|
@ -196,7 +197,8 @@ class TestPolicyHandler(test_base.TestCase):
|
|||
sg1 = [mock.sentinel.sg1]
|
||||
sg2 = [mock.sentinel.sg2]
|
||||
self._get_security_groups.side_effect = [sg1, sg2]
|
||||
service = {'metadata': {'name': 'service-test'}}
|
||||
service = {'metadata': {'name': 'service-test'},
|
||||
'spec': {'selector': mock.sentinel.selector}}
|
||||
m_get_services.return_value = {'items': [service]}
|
||||
|
||||
policy.NetworkPolicyHandler.on_present(self._handler, self._policy)
|
||||
|
@ -208,9 +210,10 @@ class TestPolicyHandler(test_base.TestCase):
|
|||
calls = [mock.call(modified_pod, self._project_id),
|
||||
mock.call(match_pod, self._project_id)]
|
||||
self._get_security_groups.assert_has_calls(calls)
|
||||
|
||||
calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
|
||||
self._update_vif_sgs.assert_has_calls(calls)
|
||||
self._handler._is_service_affected.assert_called_once_with(
|
||||
service, [modified_pod, match_pod])
|
||||
self._update_lbaas_sg.assert_called_once()
|
||||
|
||||
@mock.patch('kuryr_kubernetes.controller.drivers.utils.get_services')
|
||||
|
|
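Review bot: The updated test only exercises the positive path — `_is_service_affected` forced to True and a Service that has a selector — so the behavior this commit adds, skipping a selector-less Service before `_is_service_affected` and `_update_lbaas_sg` are ever reached, has no coverage and would silently regress if someone restored the old name-based check. A companion test with `service = {'metadata': {'name': 'service-test'}, 'spec': {}}` should assert `self._handler._is_service_affected.assert_not_called()` and `self._update_lbaas_sg.assert_not_called()` after `on_present`. The test method's signature and its mock.patch decorators are outside the hunk.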