Ensure LB sg rules use IPv6 when enabled
When IPv6 and Network Policy are enabled, we must ensure the amphora security group (SG) is updated with SG rules that use IPv6. Implements: blueprint kuryr-ipv6-support Change-Id: Id89b6c02e85d7faa75be6182c9d82ee7f32ff909
parent
1c1559854e
commit
7fb7d96c21
|
@ -66,6 +66,10 @@ KURYR_VIF_TYPE_SRIOV = 'sriov'
|
|||
OCTAVIA_L2_MEMBER_MODE = "L2"
|
||||
OCTAVIA_L3_MEMBER_MODE = "L3"
|
||||
NEUTRON_LBAAS_HAPROXY_PROVIDER = 'haproxy'
|
||||
IPv4 = 'IPv4'
|
||||
IPv6 = 'IPv6'
|
||||
IP_VERSION_4 = 4
|
||||
IP_VERSION_6 = 6
|
||||
|
||||
VIF_POOL_POPULATE = '/populatePool'
|
||||
VIF_POOL_FREE = '/freePool'
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import ipaddress
|
||||
import random
|
||||
from six.moves import http_client as httplib
|
||||
import time
|
||||
|
@ -31,6 +32,7 @@ from oslo_utils import versionutils
|
|||
|
||||
from kuryr_kubernetes import clients
|
||||
from kuryr_kubernetes import config
|
||||
from kuryr_kubernetes import constants as k_const
|
||||
from kuryr_kubernetes.controller.drivers import base
|
||||
from kuryr_kubernetes.controller.drivers import utils as c_utils
|
||||
from kuryr_kubernetes import exceptions as k_exc
|
||||
|
@ -307,11 +309,14 @@ class LBaaSv2Driver(base.LBaaSDriver):
|
|||
max_port+1)):
|
||||
continue
|
||||
all_pod_rules.append(rule)
|
||||
sg_rule_ethertype = ipaddress.ip_network(
|
||||
rule.remote_ip_prefix).version
|
||||
try:
|
||||
LOG.debug("Creating LBaaS sg rule for sg: %r",
|
||||
lb_sg)
|
||||
os_net.create_security_group_rule(
|
||||
direction='ingress',
|
||||
ether_type=sg_rule_ethertype,
|
||||
port_range_min=port,
|
||||
port_range_max=port,
|
||||
protocol=protocol,
|
||||
|
@ -338,9 +343,13 @@ class LBaaSv2Driver(base.LBaaSDriver):
|
|||
self._delete_rule_if_no_match(rule, all_pod_rules)
|
||||
|
||||
if add_default_rules:
|
||||
sg_rule_ethertype = k_const.IPv4
|
||||
if utils.get_service_subnet_version() == k_const.IP_VERSION_6:
|
||||
sg_rule_ethertype = k_const.IPv6
|
||||
try:
|
||||
LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg)
|
||||
os_net.create_security_group_rule(direction='ingress',
|
||||
ether_type=sg_rule_ethertype,
|
||||
port_range_min=port,
|
||||
port_range_max=port,
|
||||
protocol=protocol,
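Review bot: In the pod-rule hunk, `sg_rule_ethertype = ipaddress.ip_network(rule.remote_ip_prefix).version` yields the integer 4 or 6, while the default-rule hunk passes the strings `k_const.IPv4`/`k_const.IPv6` to the same `ether_type=` argument, so the two call sites disagree on the value type and the per-pod rules may be rejected by Neutron, which normally expects the string form. The conversion also sits before the `try:`, so a rule whose `remote_ip_prefix` is unset (for example a rule defined by remote group) would raise out of the loop and leave the load balancer security group only partly reconciled, unless a check outside the hunk already filters such rules. I would map the version to the constants, `sg_rule_ethertype = k_const.IPv6 if ipaddress.ip_network(rule.remote_ip_prefix).version == k_const.IP_VERSION_6 else k_const.IPv4`, and skip or log rules with no prefix. The enclosing method starts and ends outside these hunks.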
|
||||
|
|
|
@ -355,3 +355,15 @@ def get_service_ports(service):
|
|||
'port': port['port'],
|
||||
'targetPort': str(port['targetPort'])}
|
||||
for port in service['spec']['ports']]
|
||||
|
||||
|
||||
@MEMOIZE
|
||||
def get_service_subnet_version():
|
||||
os_net = clients.get_network_client()
|
||||
svc_subnet_id = CONF.neutron_defaults.service_subnet
|
||||
try:
|
||||
svc_subnet = os_net.get_subnet(svc_subnet_id)
|
||||
except os_exc.ResourceNotFound:
|
||||
LOG.exception("Service subnet %s not found", svc_subnet_id)
|
||||
raise
|
||||
return svc_subnet.ip_version
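Review bot: `get_service_subnet_version` has no docstring, and two parts of its contract are not obvious to a caller: it returns the subnet's integer `ip_version` (the LBaaS driver compares it with `k_const.IP_VERSION_6`), and `@MEMOIZE` means the value is cached rather than re-read from Neutron on each call. I would add `"""Return the IP version (4 or 6) of the configured service subnet; the result is memoized."""`. The docstring should also say that only `os_exc.ResourceNotFound` is logged before being re-raised, so any other client error propagates to the security-group update in the caller without a log line from this function.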
|
||||
|
|