From 69a02f654ccfc1be61f79e858595ad299c04f3d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Dulko?=
Date: Thu, 28 Mar 2019 19:02:01 +0100
Subject: [PATCH] NP: Create allow-all SG and add it to pod SG's

In order to be compliant with how network policies are supposed to work in K8s, we need to allow all ingress and egress traffic for pods without any NP applied. This patch ensures such behavior in DevStack by making it create an allow-all SG and adding it to pod_security_groups when network policy support is enabled.

Change-Id: I76c9082c52c17c833a22751f4352d0c469f573bd
Closes-Bug: 1822170
---
 devstack/plugin.sh | 22 ++++++++++++++++++++--
 doc/source/installation/network_policy.rst | 9 +++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index b09bd0810..50b7f8d8e 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -299,7 +299,7 @@ function configure_neutron_defaults {
 service_subnet_id="$(openstack subnet show -c id -f value \
 "${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
- if [ "$KURYR_SG_DRIVER" != "namespace" ]; then
+ if [[ "$KURYR_SG_DRIVER" == "default" ]]; then
 sg_ids=$(echo $(openstack security group list \
 --project "$project_id" -c ID -f value) | tr ' ' ',')
 fi
@@ -380,7 +380,6 @@ function configure_neutron_defaults {
 iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
 iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
- iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
 iniset "$KURYR_CONFIG" neutron_defaults service_subnet "$service_subnet_id"
 if [ "$KURYR_SUBNET_DRIVER" == "namespace" ]; then
 iniset "$KURYR_CONFIG" namespace_subnet pod_subnet_pool "$subnetpool_id"
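Review bot: Narrowing the test to `[[ "$KURYR_SG_DRIVER" == "default" ]]` means `sg_ids` is never assigned in this function for `policy` (or any unrecognised driver value) before it is later tested with `[ -n "$sg_ids" ]` and written unconditionally by the relocated `iniset ... pod_security_groups "$sg_ids"`; the code relies on an unset variable reading as empty, which would abort if the script ever ran with `set -u`, and for an unknown driver value the option is now written empty where it previously held every project SG. Initialising it explicitly just above the test, `sg_ids=""`, makes that contract visible and costs nothing. The new `[[ ... ]]` also diverges in style from the `[ "$KURYR_SUBNET_DRIVER" == "namespace" ]` visible in the second hunk; use one form for both. The second hunk only removes the line that the third hunk re-adds after the new branch, so it needs no separate note. configure_neutron_defaults starts before this hunk and continues after it.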
@@ -426,7 +425,26 @@ function configure_neutron_defaults {
 iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id"
 iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id"
+ elif [[ "$KURYR_SG_DRIVER" == "policy" ]]; then
+ # NOTE(dulek): Using the default DevStack's SG is not enough to match
+ # the NP specification. We need to open ingress to everywhere, so we
+ # create allow-all group.
+ allow_all_sg_id=$(openstack --os-cloud devstack-admin \
+ --os-region "$REGION_NAME" \
+ security group create --project "$project_id" \
+ allow-all -f value -c id)
+ openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
+ security group rule create --project "$project_id" \
+ --description "allow all ingress traffic" \
+ --ethertype IPv4 --ingress --protocol any \
+ "$allow_all_sg_id"
+ if [ -n "$sg_ids" ]; then
+ sg_ids+=",${allow_all_sg_id}"
+ else
+ sg_ids="${allow_all_sg_id}"
+ fi
 fi
+ iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"
 if [[ "$KURYR_SG_DRIVER" == "namespace" || "$KURYR_SG_DRIVER" == "policy" ]]; then
 # NOTE(ltomasbo): As more security groups and rules are created, there
diff --git a/doc/source/installation/network_policy.rst b/doc/source/installation/network_policy.rst
index 0d5fbf809..f726e10ca 100644
--- a/doc/source/installation/network_policy.rst
+++ b/doc/source/installation/network_policy.rst
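Review bot: The single rule created with `--ethertype IPv4 --ingress --protocol any` opens ingress for IPv4 only, so on a pod network that also carries IPv6 the `allow-all` group does not give the allow-all ingress that the commit message and the new NOTE(dulek) comment promise (Neutron's default rules on a fresh group cover egress for both families, but ingress has to be added per ethertype); a second call, `openstack --os-cloud devstack-admin --os-region "$REGION_NAME" security group rule create --project "$project_id" --description "allow all ingress traffic" --ethertype IPv6 --ingress --protocol any "$allow_all_sg_id"`, is needed for dual-stack deployments. Nothing looks for an existing `allow-all` group in the project before `security group create`, so re-running this branch would presumably create a second group with the same name and point `pod_security_groups` at the new id; a lookup by name first would keep the step idempotent. Because this group is intentionally attached to every pod that has no NetworkPolicy, passing a `--description` stating that purpose on the `security group create` line would let an operator auditing the project's security groups see why an open-ingress group exists. configure_neutron_defaults continues past the end of the hunk.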
@@ -15,6 +15,15 @@ After that, enable also the security group drivers for policies::
 service_security_groups_driver = policy
 pod_security_groups_driver = policy
+.. warning::
+ The correct behavior for pods that have no network policy applied is to allow
+ all ingress and egress traffic. If you want that to be enforced, please make
+ sure to create an SG allowing all traffic and add it to
+ ``[neutron_defaults]pod_security_groups`` setting in ``kuryr.conf``::
+
+ [neutron_defaults]
+ pod_security_groups = ALLOW_ALL_SG_ID
+
 Enable the namespace subnet driver by modifying the default pod_subnet_driver option::