NP: Create allow-all SG and add it to pod SG's
In order to be compliant with how network policies are supposed to work in K8s, we need to allow all ingress and egress traffic for pods without any NP applied. This patch ensures such behavior in DevStack by making it create an allow-all SG and adding it to pod_security_groups when network policy support is enabled. Change-Id: I76c9082c52c17c833a22751f4352d0c469f573bd Closes-Bug: 1822170
This commit is contained in:
parent
4a3b23d17b
commit
69a02f654c
|
@ -299,7 +299,7 @@ function configure_neutron_defaults {
|
|||
service_subnet_id="$(openstack subnet show -c id -f value \
|
||||
"${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
|
||||
|
||||
if [ "$KURYR_SG_DRIVER" != "namespace" ]; then
|
||||
if [[ "$KURYR_SG_DRIVER" == "default" ]]; then
|
||||
sg_ids=$(echo $(openstack security group list \
|
||||
--project "$project_id" -c ID -f value) | tr ' ' ',')
|
||||
fi
|
||||
|
@ -380,7 +380,6 @@ function configure_neutron_defaults {
|
|||
|
||||
iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
|
||||
iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
|
||||
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
|
||||
iniset "$KURYR_CONFIG" neutron_defaults service_subnet "$service_subnet_id"
|
||||
if [ "$KURYR_SUBNET_DRIVER" == "namespace" ]; then
|
||||
iniset "$KURYR_CONFIG" namespace_subnet pod_subnet_pool "$subnetpool_id"
|
||||
|
@ -426,7 +425,26 @@ function configure_neutron_defaults {
|
|||
|
||||
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id"
|
||||
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id"
|
||||
elif [[ "$KURYR_SG_DRIVER" == "policy" ]]; then
|
||||
# NOTE(dulek): Using the default DevStack's SG is not enough to match
|
||||
# the NP specification. We need to open ingress to everywhere, so we
|
||||
# create allow-all group.
|
||||
allow_all_sg_id=$(openstack --os-cloud devstack-admin \
|
||||
--os-region "$REGION_NAME" \
|
||||
security group create --project "$project_id" \
|
||||
allow-all -f value -c id)
|
||||
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
|
||||
security group rule create --project "$project_id" \
|
||||
--description "allow all ingress traffic" \
|
||||
--ethertype IPv4 --ingress --protocol any \
|
||||
"$allow_all_sg_id"
|
||||
if [ -n "$sg_ids" ]; then
|
||||
sg_ids+=",${allow_all_sg_id}"
|
||||
else
|
||||
sg_ids="${allow_all_sg_id}"
|
||||
fi
|
||||
fi
|
||||
iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
|
||||
|
||||
if [[ "$KURYR_SG_DRIVER" == "namespace" || "$KURYR_SG_DRIVER" == "policy" ]]; then
|
||||
# NOTE(ltomasbo): As more security groups and rules are created, there
|
||||
|
|
|
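Review bot: The allow-all group created in the third hunk opens ingress for IPv4 only (`--ethertype IPv4 --ingress --protocol any`), so a pod subnet carrying IPv6 would still have its ingress filtered despite the commit's stated intent to allow all traffic; repeating the `security group rule create` invocation with `--ethertype IPv6` on the same `$allow_all_sg_id` would close that gap (egress is presumably covered by the default egress rules Neutron attaches to a new group — worth confirming). The `-n` test on `sg_ids` uses single brackets while the surrounding new code, including the condition rewritten in the first hunk, uses double brackets; `if [[ -n "$sg_ids" ]]; then` keeps the style uniform. Neutron does not require unique group names, so a second run of this block creates another `allow-all` group instead of reusing the existing one, which is probably acceptable for DevStack but deserves a comment such as `# NOTE: not idempotent, a fresh allow-all SG is created on every run`. configure_neutron_defaults starts and ends outside these hunks.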
@ -15,6 +15,15 @@ After that, enable also the security group drivers for policies::
|
|||
service_security_groups_driver = policy
|
||||
pod_security_groups_driver = policy
|
||||
|
||||
.. warning::
|
||||
The correct behavior for pods that have no network policy applied is to allow
|
||||
all ingress and egress traffic. If you want that to be enforced, please make
|
||||
sure to create an SG allowing all traffic and add it to
|
||||
``[neutron_defaults]pod_security_groups`` setting in ``kuryr.conf``::
|
||||
|
||||
[neutron_defaults]
|
||||
pod_security_groups = ALLOW_ALL_SG_ID
|
||||
|
||||
Enable the namespace subnet driver by modifying the default pod_subnet_driver
|
||||
option::
|
||||
|
||||
|
|