Merge "Add support for policyTypes at Network Policies"
This commit is contained in:
commit
6e6d74b875
@ -296,8 +296,42 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||||||
return allow_all, selectors, allowed_cidrs
|
return allow_all, selectors, allowed_cidrs
|
||||||
|
|
||||||
def _parse_sg_rules(self, sg_rule_body_list, direction, policy, sg_id):
|
def _parse_sg_rules(self, sg_rule_body_list, direction, policy, sg_id):
|
||||||
|
"""Parse policy into security group rules.
|
||||||
|
|
||||||
|
This method inspects the policy object and create the equivalent
|
||||||
|
security group rules associating them to the referenced sg_id.
|
||||||
|
It returns the rules by adding them to the sg_rule_body_list list,
|
||||||
|
for the stated direction.
|
||||||
|
|
||||||
|
It accounts for special cases, such as:
|
||||||
|
- PolicyTypes stating only Egress: ensuring ingress is not restricted
|
||||||
|
- PolicyTypes not including Egress: ensuring egress is not restricted
|
||||||
|
- {} ingress/egress rules: applying default open for all
|
||||||
|
"""
|
||||||
rule_list = policy['spec'].get(direction)
|
rule_list = policy['spec'].get(direction)
|
||||||
if not rule_list:
|
if not rule_list:
|
||||||
|
policy_types = policy['spec'].get('policyTypes')
|
||||||
|
if direction == 'ingress':
|
||||||
|
if len(policy_types) == 1 and policy_types[0] == 'Egress':
|
||||||
|
# NOTE(ltomasbo): add default rule to enable all ingress
|
||||||
|
# traffic as NP policy is not affecting ingress
|
||||||
|
LOG.debug('Applying default all open for ingress for '
|
||||||
|
'policy %s', policy['metadata']['selfLink'])
|
||||||
|
rule = driver_utils.create_security_group_rule_body(
|
||||||
|
sg_id, direction)
|
||||||
|
sg_rule_body_list.append(rule)
|
||||||
|
elif direction == 'egress':
|
||||||
|
if policy_types and 'Egress' not in policy_types:
|
||||||
|
# NOTE(ltomasbo): add default rule to enable all egress
|
||||||
|
# traffic as NP policy is not affecting egress
|
||||||
|
LOG.debug('Applying default all open for egress for '
|
||||||
|
'policy %s', policy['metadata']['selfLink'])
|
||||||
|
rule = driver_utils.create_security_group_rule_body(
|
||||||
|
sg_id, direction)
|
||||||
|
sg_rule_body_list.append(rule)
|
||||||
|
else:
|
||||||
|
LOG.warning('Not supported policyType at network policy %s',
|
||||||
|
policy['metadata']['selfLink'])
|
||||||
return
|
return
|
||||||
|
|
||||||
policy_namespace = policy['metadata']['namespace']
|
policy_namespace = policy['metadata']['namespace']
|
||||||
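Review bot: The ingress branch dereferences `policy_types` without a None guard: `policy['spec'].get('policyTypes')` returns None when the key is absent, and `len(policy_types)` then raises TypeError, while the egress branch a few lines below correctly checks `if policy_types and ...` first. Replacing the ingress condition with `if policy_types == ['Egress']:` keeps the same meaning, tolerates a missing key, and falls through to the existing `return` (deny-all ingress), which is consistent with the Kubernetes default of an Ingress-only policy when policyTypes is omitted, if I read the API semantics correctly. The final `else` is reached when `direction` is neither 'ingress' nor 'egress', so the message `'Not supported policyType at network policy %s'` misstates what was rejected; `'Not supported direction %s at network policy %s'` with `direction` added to the arguments would be accurate. Note also that the policyTypes check only runs when the direction has no rules; a spec that carries egress rules but lists only 'Ingress' in policyTypes still has those rules enforced further down (outside this hunk), which appears stricter than the Kubernetes contract that such rules are ignored and egress stays open — worth confirming against the spec before relying on it.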
@ -308,8 +342,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||||||
if rule_list[0] == {}:
|
if rule_list[0] == {}:
|
||||||
LOG.debug('Applying default all open policy from %s',
|
LOG.debug('Applying default all open policy from %s',
|
||||||
policy['metadata']['selfLink'])
|
policy['metadata']['selfLink'])
|
||||||
rule = driver_utils.create_security_group_rule_body(
|
rule = driver_utils.create_security_group_rule_body(sg_id,
|
||||||
sg_id, direction, port_range_min=1, port_range_max=65535)
|
direction)
|
||||||
sg_rule_body_list.append(rule)
|
sg_rule_body_list.append(rule)
|
||||||
|
|
||||||
for rule_block in rule_list:
|
for rule_block in rule_list:
|
||||||
|
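Review bot: The `[{}]` default-open rule now calls `create_security_group_rule_body(sg_id, direction)` without `port_range_min`/`port_range_max`, so "all ports" depends entirely on that helper's defaults, which are not on this page. It should be confirmed that a call with no port bounds produces an unbounded rule and not, for example, a single-port or protocol-specific one, since this branch is what opens traffic for an intentionally permissive policy. A brief comment on the call, `# no port range: helper emits an all-ports rule`, would make that dependency explicit for the next reader. The enclosing method continues beyond the hunk.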
@ -362,10 +362,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
policy['spec']['egress'] = [{}]
|
policy['spec']['egress'] = [{}]
|
||||||
self._driver.parse_network_policy_rules(policy, self._sg_id)
|
self._driver.parse_network_policy_rules(policy, self._sg_id)
|
||||||
m_get_ns_cidr.assert_not_called()
|
m_get_ns_cidr.assert_not_called()
|
||||||
calls = [mock.call(self._sg_id, 'ingress', port_range_min=1,
|
calls = [mock.call(self._sg_id, 'ingress'),
|
||||||
port_range_max=65535),
|
mock.call(self._sg_id, 'egress')]
|
||||||
mock.call(self._sg_id, 'egress', port_range_min=1,
|
|
||||||
port_range_max=65535)]
|
|
||||||
m_create.assert_has_calls(calls)
|
m_create.assert_has_calls(calls)
|
||||||
|
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
|
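Review bot: The updated assertions only track the dropped port-range arguments; none of the new `policyTypes` branches added to `_parse_sg_rules` in this commit are exercised. Two cases would pin the new behaviour: a policy with `policy['spec']['policyTypes'] = ['Egress']` and no ingress rules, asserting `mock.call(self._sg_id, 'ingress')` is emitted, and a policy whose spec omits `policyTypes` entirely, which as written would raise TypeError in the ingress branch rather than deny ingress. The fixture's default `policyTypes` content is not visible here, so the expected calls for the existing test may also shift depending on it. The enclosing test function starts outside the hunk.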