Ensure network policies are not applied on pod with host networking
This ensures kuryr-controller does not try to add security groups to pods with host networking, as those pods are not managed by kuryr-cni. Partially Implements: blueprint k8s-network-policies Change-Id: Ie43a6783675c6870e2f93ac6902cfdcdd500caa4
This commit is contained in:
parent
30369502bb
commit
74fdd3c833
@ -19,6 +19,7 @@ from oslo_log import log as logging
|
||||
from kuryr_kubernetes import clients
|
||||
from kuryr_kubernetes import constants as k_const
|
||||
from kuryr_kubernetes.controller.drivers import base as drivers
|
||||
from kuryr_kubernetes.controller.drivers import utils as driver_utils
|
||||
from kuryr_kubernetes.handlers import k8s_base
|
||||
from kuryr_kubernetes import utils
|
||||
|
||||
@ -70,6 +71,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
||||
pods_to_update.extend(matched_pods)
|
||||
|
||||
for pod in pods_to_update:
|
||||
if driver_utils.is_host_network(pod):
|
||||
continue
|
||||
pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
|
||||
self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
|
||||
|
||||
@ -80,6 +83,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
|
||||
netpolicy_crd = self._drv_policy.get_kuryrnetpolicy_crd(policy)
|
||||
crd_sg = netpolicy_crd['spec'].get('securityGroupId')
|
||||
for pod in pods_to_update:
|
||||
if driver_utils.is_host_network(pod):
|
||||
continue
|
||||
pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
|
||||
if crd_sg in pod_sgs:
|
||||
pod_sgs.remove(crd_sg)
|
||||
|
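Review bot: The bare `continue` after each `driver_utils.is_host_network(pod)` check silently drops a pod that the NetworkPolicy selected, so an operator has no trace of why a hostNetwork pod never receives the policy's security group; a debug log before each `continue`, e.g. `LOG.debug("Skipping hostNetwork pod, not managed by kuryr-cni")`, would make that visible (the module imports oslo_log, so a `LOG` presumably exists outside the hunks). The security consequence also deserves a one-line comment at the check: a hostNetwork pod shares the node's network namespace, so no Neutron security group on a pod port constrains it, and any NetworkPolicy that selects such a pod is effectively not enforced by kuryr. The identical check now lives in both the on_present loop and the on_deleted loop; moving it into the driver calls that populate `pods_to_update` would keep every caller consistent instead of relying on each loop to remember it. Both enclosing methods start outside the hunks.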
@ -108,9 +108,11 @@ class TestPolicyHandler(test_base.TestCase):
|
||||
handler._drv_project)
|
||||
self.assertEqual(m_get_policy_driver.return_value, handler._drv_policy)
|
||||
|
||||
def test_on_present(self):
|
||||
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
|
||||
def test_on_present(self, m_host_network):
|
||||
modified_pod = mock.sentinel.modified_pod
|
||||
match_pod = mock.sentinel.match_pod
|
||||
m_host_network.return_value = False
|
||||
|
||||
knp_on_ns = self._handler._drv_policy.knps_on_namespace
|
||||
knp_on_ns.return_value = True
|
||||
@ -136,9 +138,11 @@ class TestPolicyHandler(test_base.TestCase):
|
||||
calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
|
||||
self._update_vif_sgs.assert_has_calls(calls)
|
||||
|
||||
def test_on_present_without_knps_on_namespace(self):
|
||||
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
|
||||
def test_on_present_without_knps_on_namespace(self, m_host_network):
|
||||
modified_pod = mock.sentinel.modified_pod
|
||||
match_pod = mock.sentinel.match_pod
|
||||
m_host_network.return_value = False
|
||||
|
||||
ensure_nw_policy = self._handler._drv_policy.ensure_network_policy
|
||||
ensure_nw_policy.return_value = [modified_pod]
|
||||
@ -161,9 +165,11 @@ class TestPolicyHandler(test_base.TestCase):
|
||||
mock.call(match_pod, sg3)]
|
||||
self._update_vif_sgs.assert_has_calls(calls)
|
||||
|
||||
def test_on_deleted(self):
|
||||
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
|
||||
def test_on_deleted(self, m_host_network):
|
||||
namespace_pod = mock.sentinel.namespace_pod
|
||||
match_pod = mock.sentinel.match_pod
|
||||
m_host_network.return_value = False
|
||||
affected_pods = self._handler._drv_policy.affected_pods
|
||||
affected_pods.return_value = [match_pod]
|
||||
get_knp_crd = self._handler._drv_policy.get_kuryrnetpolicy_crd
|
||||
|
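Review bot: Every updated test pins `m_host_network.return_value = False`, so the new skip branch is never executed and a regression that dropped or inverted the host-network check would still pass. A per-pod side effect exercises both paths in one test, e.g. `m_host_network.side_effect = lambda pod: pod is match_pod` followed by `self._update_vif_sgs.assert_called_once_with(modified_pod, sg1)` in test_on_present, with an analogous case for test_on_deleted where `match_pod` is the host-network pod and `update_vif_sgs` must not be called for it. The patch target `kuryr_kubernetes.controller.drivers.utils.is_host_network` only takes effect because the handler resolves the function through the module at call time; a short comment saying so would stop a later `from ... import is_host_network` refactor from silently unpatching these tests. The test method bodies continue outside the hunks.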