Ensure LB sg rules use IPv6 when enabled

When IPv6 and Network Policy are enabled we must ensure the
amphora SG is updated with sg rules using IPv6.

Implements: blueprint kuryr-ipv6-support

Change-Id: Id89b6c02e85d7faa75be6182c9d82ee7f32ff909
Maysa Macedo 2020-02-27 17:03:55 +00:00 committed by Maysa de Macedo Souza
parent 1c1559854e
commit 7fb7d96c21
3 changed files with 25 additions and 0 deletions


@ -66,6 +66,10 @@ KURYR_VIF_TYPE_SRIOV = 'sriov'
OCTAVIA_L2_MEMBER_MODE = "L2"
OCTAVIA_L3_MEMBER_MODE = "L3"
NEUTRON_LBAAS_HAPROXY_PROVIDER = 'haproxy'
IPv4 = 'IPv4'
IPv6 = 'IPv6'
IP_VERSION_4 = 4
IP_VERSION_6 = 6
VIF_POOL_POPULATE = '/populatePool'
VIF_POOL_FREE = '/freePool'


@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
import ipaddress
import random
from six.moves import http_client as httplib
import time
@ -31,6 +32,7 @@ from oslo_utils import versionutils
from kuryr_kubernetes import clients
from kuryr_kubernetes import config
from kuryr_kubernetes import constants as k_const
from kuryr_kubernetes.controller.drivers import base
from kuryr_kubernetes.controller.drivers import utils as c_utils
from kuryr_kubernetes import exceptions as k_exc
@ -307,11 +309,14 @@ class LBaaSv2Driver(base.LBaaSDriver):
max_port+1)):
continue
all_pod_rules.append(rule)
sg_rule_ethertype = ipaddress.ip_network(
rule.remote_ip_prefix).version
try:
LOG.debug("Creating LBaaS sg rule for sg: %r",
lb_sg)
os_net.create_security_group_rule(
direction='ingress',
ether_type=sg_rule_ethertype,
port_range_min=port,
port_range_max=port,
protocol=protocol,
@ -338,9 +343,13 @@ class LBaaSv2Driver(base.LBaaSDriver):
self._delete_rule_if_no_match(rule, all_pod_rules)
if add_default_rules:
sg_rule_ethertype = k_const.IPv4
if utils.get_service_subnet_version() == k_const.IP_VERSION_6:
sg_rule_ethertype = k_const.IPv6
try:
LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg)
os_net.create_security_group_rule(direction='ingress',
ether_type=sg_rule_ethertype,
port_range_min=port,
port_range_max=port,
protocol=protocol,
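Review bot: In the pod-rule hunk, `ether_type=sg_rule_ethertype` receives the integer returned by `ipaddress.ip_network(rule.remote_ip_prefix).version` (4 or 6), while the default-rule hunk below it passes the strings `k_const.IPv4` / `k_const.IPv6`. The two `create_security_group_rule` calls should agree, and Neutron's ethertype field is normally the string form, so the integer is likely to be rejected. Mapping the version keeps them consistent: `sg_rule_ethertype = (k_const.IPv6 if ipaddress.ip_network(rule.remote_ip_prefix).version == k_const.IP_VERSION_6 else k_const.IPv4)`. The `ip_network()` call also sits before the `try:`, so a rule whose `remote_ip_prefix` is unset or is not a valid network would raise `ValueError` out of the loop; if such rules can reach this point a guard is needed, since a failure here leaves the amphora SG without the rule the network policy expects. Both enclosing functions start and end outside the hunks shown.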


@ -355,3 +355,15 @@ def get_service_ports(service):
'port': port['port'],
'targetPort': str(port['targetPort'])}
for port in service['spec']['ports']]
@MEMOIZE
def get_service_subnet_version():
os_net = clients.get_network_client()
svc_subnet_id = CONF.neutron_defaults.service_subnet
try:
svc_subnet = os_net.get_subnet(svc_subnet_id)
except os_exc.ResourceNotFound:
LOG.exception("Service subnet %s not found", svc_subnet_id)
raise
return svc_subnet.ip_version
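Review bot: `get_service_subnet_version` has no docstring, and because it is wrapped in `@MEMOIZE` the LBaaS driver picks the ether type of the restored default SG rule from a cached value. A one-line docstring such as `"""Return the IP version (4 or 6) of the configured service subnet; the result is cached by MEMOIZE."""` would make that visible to callers. How long the cache holds the value is not shown here, so it may be worth stating whether a change to `neutron_defaults.service_subnet` needs a controller restart before new SG rules use the right ether type.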