From b653be469b7c3d47b6cf82d075dc8474ab00c10e Mon Sep 17 00:00:00 2001
From: Luis Tomas Bolivar
Date: Fri, 29 Mar 2019 15:12:06 +0100
Subject: [PATCH] Add support for policyTypes at Network Policies

This patch adds support to consider policyTypes when applying network policies. It ensures ingress/egress traffic is allowed when the network policy is not affecting them if not targetted by the policyTypes

Closes-Bug: 1822333
Change-Id: I3281e1ca2c4dcaf38ac9bd220eb4e91b5484904d
---
.../controller/drivers/network_policy.py | 38 ++++++++++++++++++-
.../controller/drivers/test_network_policy.py | 6 +--
2 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
index 130f71932..d7f12858a 100644
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -296,8 +296,42 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
return allow_all, selectors, allowed_cidrs

def _parse_sg_rules(self, sg_rule_body_list, direction, policy, sg_id):
+ """Parse policy into security group rules.
+
+ This method inspects the policy object and create the equivalent
+ security group rules associating them to the referenced sg_id.
+ It returns the rules by adding them to the sg_rule_body_list list,
+ for the stated direction.
+
+ It accounts for special cases, such as:
+ - PolicyTypes stating only Egress: ensuring ingress is not restricted
+ - PolicyTypes not including Egress: ensuring egress is not restricted
+ - {} ingress/egress rules: applying default open for all
+ """
rule_list = policy['spec'].get(direction)
if not rule_list:
+ policy_types = policy['spec'].get('policyTypes')
+ if direction == 'ingress':
+ if len(policy_types) == 1 and policy_types[0] == 'Egress':
+ # NOTE(ltomasbo): add default rule to enable all ingress
+ # traffic as NP policy is not affecting ingress
+ LOG.debug('Applying default all open for ingress for '
+ 'policy %s', policy['metadata']['selfLink'])
+ rule = driver_utils.create_security_group_rule_body(
+ sg_id, direction)
+ sg_rule_body_list.append(rule)
+ elif direction == 'egress':
+ if policy_types and 'Egress' not in policy_types:
+ # NOTE(ltomasbo): add default rule to enable all egress
+ # traffic as NP policy is not affecting egress
+ LOG.debug('Applying default all open for egress for '
+ 'policy %s', policy['metadata']['selfLink'])
+ rule = driver_utils.create_security_group_rule_body(
+ sg_id, direction)
+ sg_rule_body_list.append(rule)
+ else:
+ LOG.warning('Not supported policyType at network policy %s',
+ policy['metadata']['selfLink'])
return

policy_namespace = policy['metadata']['namespace']
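Review bot: `len(policy_types)` on the ingress branch raises TypeError when the policy carries no `policyTypes` key, because `policy['spec'].get('policyTypes')` returns None there; the egress branch guards with `if policy_types and ...` but the ingress branch does not. The Kubernetes API server normally fills policyTypes in by defaulting, so this presumably only bites on objects that bypassed it, but an unhandled exception in the rule builder is the wrong failure mode for code that decides whether a pod's ingress is open. Defaulting once before the direction check, `policy_types = policy['spec'].get('policyTypes') or ['Ingress']`, avoids the crash and matches the upstream default for a policy with no egress rules (confirm against the NetworkPolicy defaulting in the API version you target). The trailing `else` fires on an unexpected `direction`, not on an unsupported policyType, so its message misleads whoever reads the log; `LOG.warning('Unsupported direction %s at network policy %s', direction, policy['metadata']['selfLink'])` says what actually happened. `_parse_sg_rules` continues past the end of this hunk.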
@@ -308,8 +342,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
if rule_list[0] == {}:
LOG.debug('Applying default all open policy from %s',
policy['metadata']['selfLink'])
- rule = driver_utils.create_security_group_rule_body(
- sg_id, direction, port_range_min=1, port_range_max=65535)
+ rule = driver_utils.create_security_group_rule_body(sg_id,
+ direction)
sg_rule_body_list.append(rule)

for rule_block in rule_list:
diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
index f5a680af9..9a3078c9f 100644
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@@ -362,10 +362,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
policy['spec']['egress'] = [{}]
self._driver.parse_network_policy_rules(policy, self._sg_id)
m_get_ns_cidr.assert_not_called()
- calls = [mock.call(self._sg_id, 'ingress', port_range_min=1,
- port_range_max=65535),
- mock.call(self._sg_id, 'egress', port_range_min=1,
- port_range_max=65535)]
+ calls = [mock.call(self._sg_id, 'ingress'),
+ mock.call(self._sg_id, 'egress')]
m_create.assert_has_calls(calls)

@mock.patch.object(network_policy.NetworkPolicyDriver,
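Review bot: The `{}` rule now calls `create_security_group_rule_body(sg_id, direction)` with no port range, and nothing in the hunk states what that bare call permits — all protocols, or only what the old `port_range_min=1, port_range_max=65535` covered — even though this is the "allow everything" path of a network policy and the scope of the resulting security group rule is the whole point. A comment next to the call such as `# No protocol/ports given: the helper emits a rule allowing all traffic in this direction, not just TCP/UDP 1-65535` would pin the intent, provided that is what the helper does; if it is narrower, name the actual scope instead. The enclosing `_parse_sg_rules` starts and ends outside this hunk.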
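Review bot: The test change only tracks the new call signature for the `[{}]` case; none of the new policyTypes branches in `_parse_sg_rules` — `['Egress']` with no ingress rules producing an ingress allow rule, a policyTypes list without `'Egress'` producing an egress allow rule, and a policy with no policyTypes key at all — is exercised here. Those branches decide whether traffic is opened by default, so a regression would silently widen or close connectivity without any test failing. One case per branch asserting `m_create.assert_has_calls([mock.call(self._sg_id, 'ingress')])` or `m_create.assert_not_called()` as appropriate would pin them. The test method this hunk edits starts before the hunk.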