NP: Create allow-all SG and add it to pod SGs

In order to be compliant with how network policies are supposed to work
in K8s, we need to allow all ingress and egress traffic for pods without
any NP applied. This patch ensures such behavior in DevStack by making
it create an allow-all SG and adding it to pod_security_groups when
network policy support is enabled.

Change-Id: I76c9082c52c17c833a22751f4352d0c469f573bd
Closes-Bug: 1822170
Michał Dulko 2019-03-28 19:02:01 +01:00
parent 4a3b23d17b
commit 69a02f654c
2 changed files with 29 additions and 2 deletions


@ -299,7 +299,7 @@ function configure_neutron_defaults {
service_subnet_id="$(openstack subnet show -c id -f value \
"${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
if [ "$KURYR_SG_DRIVER" != "namespace" ]; then
if [[ "$KURYR_SG_DRIVER" == "default" ]]; then
sg_ids=$(echo $(openstack security group list \
--project "$project_id" -c ID -f value) | tr ' ' ',')
fi
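Review bot: after this change `sg_ids` is only assigned when `KURYR_SG_DRIVER` is `default`; for the `namespace` and `policy` drivers it keeps whatever value it had before this function ran (normally unset, but inherited from the environment if set there). The later `if [ -n "$sg_ids" ]` guard in the policy branch copes with an empty value, but an explicit `sg_ids=""` just before this `if` would make the intent clear and stop `pod_security_groups` from silently picking up a stray value. Minor style point: the test switches from `[ ... != "namespace" ]` to `[[ ... == "default" ]]` while the new code below uses `[ -n "$sg_ids" ]`; use one form within the function.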
@ -380,7 +380,6 @@ function configure_neutron_defaults {
iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
iniset "$KURYR_CONFIG" neutron_defaults service_subnet "$service_subnet_id"
if [ "$KURYR_SUBNET_DRIVER" == "namespace" ]; then
iniset "$KURYR_CONFIG" namespace_subnet pod_subnet_pool "$subnetpool_id"
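Review bot: removing the `pod_security_groups` iniset from this spot and emitting it again after the SG-driver branches is what lets the allow-all SG id reach kuryr.conf, but nothing in the hunk says so. A one-line comment at the new location (something like `# NOTE: written after the SG driver branches so the allow-all SG can be appended`) would keep a later cleanup from moving it back next to the other `neutron_defaults` keys and quietly dropping the policy SG.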
@ -426,7 +425,26 @@ function configure_neutron_defaults {
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id"
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id"
elif [[ "$KURYR_SG_DRIVER" == "policy" ]]; then
# NOTE(dulek): Using the default DevStack's SG is not enough to match
# the NP specification. We need to open ingress to everywhere, so we
# create allow-all group.
allow_all_sg_id=$(openstack --os-cloud devstack-admin \
--os-region "$REGION_NAME" \
security group create --project "$project_id" \
allow-all -f value -c id)
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
security group rule create --project "$project_id" \
--description "allow all ingress traffic" \
--ethertype IPv4 --ingress --protocol any \
"$allow_all_sg_id"
if [ -n "$sg_ids" ]; then
sg_ids+=",${allow_all_sg_id}"
else
sg_ids="${allow_all_sg_id}"
fi
fi
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
if [[ "$KURYR_SG_DRIVER" == "namespace" || "$KURYR_SG_DRIVER" == "policy" ]]; then
# NOTE(ltomasbo): As more security groups and rules are created, there
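Review bot: the single rule created with `--ethertype IPv4 --ingress --protocol any` only opens IPv4 ingress, while the NOTE above it and the commit message promise allow-all traffic in both directions. Egress works because Neutron attaches default allow-all egress rules (IPv4 and IPv6) to every newly created security group, which is worth saying in the NOTE since the hunk never creates an egress rule. IPv6 ingress is not covered at all: a pod with an IPv6 address on a dual-stack or v6-only pod subnet stays closed to inbound traffic with this rule alone, so add a second `security group rule create` with `--ethertype IPv6` right after the IPv4 one. Also note that `allow-all` is only a name, not a unique key in Neutron; re-running the stack script against a project that already has that group creates another one (the `-f value -c id` output still points at the new id, so it works, but groups accumulate), so consider looking the group up by name first or deleting it in the unstack/cleanup path.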


@ -15,6 +15,15 @@ After that, enable also the security group drivers for policies::
service_security_groups_driver = policy
pod_security_groups_driver = policy
.. warning::
The correct behavior for pods that have no network policy applied is to allow
all ingress and egress traffic. If you want that to be enforced, please make
sure to create an SG allowing all traffic and add it to
``[neutron_defaults]pod_security_groups`` setting in ``kuryr.conf``::
[neutron_defaults]
pod_security_groups = ALLOW_ALL_SG_ID
Enable the namespace subnet driver by modifying the default pod_subnet_driver
option::
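Review bot: the warning tells operators to "create an SG allowing all traffic" without saying how, while the DevStack side of this change needs a specific rule (`--ethertype IPv4 --ingress --protocol any`, with egress coming from Neutron's default rules). Give the `openstack security group create` and `security group rule create` commands here, and say that IPv6 ingress needs its own rule. The example `pod_security_groups = ALLOW_ALL_SG_ID` also reads as if the setting were replaced; the option is a comma-separated list and the DevStack hunk appends to it (`sg_ids+=",${allow_all_sg_id}"`), so state whether existing ids should be kept alongside the new one.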