Add ipBlock support to NP

This commit adds support for ipBlocks when using Network Policies with Kuryr-Kubernetes. Partially Implements: blueprint k8s-network-policies Change-Id: I4f9078420190521fcba7bbc02540b616c479c0d3
2019-03-21 11:34:51 +00:00 · 2019-03-21 11:34:51 +00:00 · 9b3182cfeb
parent 562376610d
commit 9b3182cfeb
3 changed files with 40 additions and 0 deletions
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import netaddr
 from oslo_log import log as logging

 from neutronclient.common import exceptions as n_exc
@ -352,6 +353,23 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
            allow_all, selectors, allowed_cidrs = self._parse_selectors(
                rule_block, rule_direction, policy_namespace)

+            ipblock_list = []
+
+            if rule_direction in rule_block:
+                ipblock_list = [ipblock.get('ipBlock') for ipblock in
+                                rule_block[rule_direction] if 'ipBlock'
+                                in ipblock]
+
+            for ipblock in ipblock_list:
+                if ipblock.get('except'):
+                    for cidr_except in ipblock.get('except'):
+                        cidr_list = netaddr.cidr_exclude(
+                            ipblock.get('cidr'), cidr_except)
+                        cidr_list = [{'cidr': str(cidr)} for cidr in cidr_list]
+                        allowed_cidrs.extend(cidr_list)
+                else:
+                    allowed_cidrs.append(ipblock)
+
            if 'ports' in rule_block:
                for port in rule_block['ports']:
                    if allowed_cidrs or allow_all or selectors:
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@ -381,6 +381,27 @@ class TestNetworkPolicyDriver(test_base.TestCase):
        m_create.assert_called()
        m_get_ns_cidr.assert_not_called()

+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_get_namespaces_cidr')
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
+                'create_security_group_rule_body')
+    def test_parse_network_policy_rules_with_ipblock(self, m_create,
+                                                     m_get_ns_cidr):
+        policy = self._policy.copy()
+        policy['spec']['ingress'] = [{'from':
+                                      [{'ipBlock':
+                                        {'cidr': '172.17.0.0/16',
+                                         'except': ['172.17.1.0/24']}}],
+                                      'ports': [{'port': 6379,
+                                                 'protocol': 'TCP'}]}]
+        policy['spec']['egress'] = [{'ports': [{'port': 5978, 'protocol':
+                                                'TCP'}],
+                                     'to': [{'ipBlock':
+                                             {'cidr': '10.0.0.0/24'}}]}]
+        self._driver.parse_network_policy_rules(policy, self._sg_id)
+        m_create.assert_called()
+        m_get_ns_cidr.assert_not_called()
+
    @mock.patch.object(network_policy.NetworkPolicyDriver,
                       '_get_namespaces_cidr')
    @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
--- a/requirements.txt
+++ b/requirements.txt
@ -8,6 +8,7 @@ kuryr-lib>=0.5.0 # Apache-2.0
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 requests>=2.14.2 # Apache-2.0
 eventlet!=0.18.3,!=0.20.1,!=0.21.0,>=0.18.2 # MIT
+netaddr>=0.7.19 # BSD
 openstacksdk>=0.13.0  # Apache-2.0
 oslo.cache>=1.26.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0