Add ipBlock support to NP
This commit adds support for ipBlocks when using Network Policies with Kuryr-Kubernetes. Partially Implements: blueprint k8s-network-policies Change-Id: I4f9078420190521fcba7bbc02540b616c479c0d3
@@ -12,6 +12,7 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import netaddr
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
||||||
from neutronclient.common import exceptions as n_exc
|
from neutronclient.common import exceptions as n_exc
|
||||||
@@ -352,6 +353,23 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||||||
allow_all, selectors, allowed_cidrs = self._parse_selectors(
|
allow_all, selectors, allowed_cidrs = self._parse_selectors(
|
||||||
rule_block, rule_direction, policy_namespace)
|
rule_block, rule_direction, policy_namespace)
|
||||||
|
|
||||||
|
ipblock_list = []
|
||||||
|
|
||||||
|
if rule_direction in rule_block:
|
||||||
|
ipblock_list = [ipblock.get('ipBlock') for ipblock in
|
||||||
|
rule_block[rule_direction] if 'ipBlock'
|
||||||
|
in ipblock]
|
||||||
|
|
||||||
|
for ipblock in ipblock_list:
|
||||||
|
if ipblock.get('except'):
|
||||||
|
for cidr_except in ipblock.get('except'):
|
||||||
|
cidr_list = netaddr.cidr_exclude(
|
||||||
|
ipblock.get('cidr'), cidr_except)
|
||||||
|
cidr_list = [{'cidr': str(cidr)} for cidr in cidr_list]
|
||||||
|
allowed_cidrs.extend(cidr_list)
|
||||||
|
else:
|
||||||
|
allowed_cidrs.append(ipblock)
|
||||||
|
|
||||||
if 'ports' in rule_block:
|
if 'ports' in rule_block:
|
||||||
for port in rule_block['ports']:
|
for port in rule_block['ports']:
|
||||||
if allowed_cidrs or allow_all or selectors:
|
if allowed_cidrs or allow_all or selectors:
|
||||||
|
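Review bot: The `except` handling at `for cidr_except in ipblock.get('except')` calls `netaddr.cidr_exclude(ipblock.get('cidr'), cidr_except)` separately for each excluded range against the full `cidr` and extends `allowed_cidrs` with every result, so with two or more `except` entries each pass re-adds the ranges the other passes removed and the generated security-group rules end up allowing traffic the policy explicitly excludes. Computing the difference once fixes it: `allowed_set = netaddr.IPSet([ipblock.get('cidr')]) - netaddr.IPSet(ipblock.get('except'))` followed by `allowed_cidrs.extend({'cidr': str(cidr)} for cidr in allowed_set.iter_cidrs())`. The `else` branch appends the raw ipBlock dict rather than a `{'cidr': ...}` entry; that presumably works because consumers only read `cidr`, but a comment such as `# ipBlock without 'except': its {'cidr': ...} mapping is used as-is` would make the shape contract explicit. The enclosing method starts and ends outside the hunk.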
@@ -381,6 +381,27 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||||||
m_create.assert_called()
|
m_create.assert_called()
|
||||||
m_get_ns_cidr.assert_not_called()
|
m_get_ns_cidr.assert_not_called()
|
||||||
|
|
||||||
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
|
'_get_namespaces_cidr')
|
||||||
|
@mock.patch('kuryr_kubernetes.controller.drivers.utils.'
|
||||||
|
'create_security_group_rule_body')
|
||||||
|
def test_parse_network_policy_rules_with_ipblock(self, m_create,
|
||||||
|
m_get_ns_cidr):
|
||||||
|
policy = self._policy.copy()
|
||||||
|
policy['spec']['ingress'] = [{'from':
|
||||||
|
[{'ipBlock':
|
||||||
|
{'cidr': '172.17.0.0/16',
|
||||||
|
'except': ['172.17.1.0/24']}}],
|
||||||
|
'ports': [{'port': 6379,
|
||||||
|
'protocol': 'TCP'}]}]
|
||||||
|
policy['spec']['egress'] = [{'ports': [{'port': 5978, 'protocol':
|
||||||
|
'TCP'}],
|
||||||
|
'to': [{'ipBlock':
|
||||||
|
{'cidr': '10.0.0.0/24'}}]}]
|
||||||
|
self._driver.parse_network_policy_rules(policy, self._sg_id)
|
||||||
|
m_create.assert_called()
|
||||||
|
m_get_ns_cidr.assert_not_called()
|
||||||
|
|
||||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||||
'_get_namespaces_cidr')
|
'_get_namespaces_cidr')
|
||||||
@mock.patch('kuryr_kubernetes.controller.drivers.utils.'
|
@mock.patch('kuryr_kubernetes.controller.drivers.utils.'
|
||||||
|
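Review bot: `test_parse_network_policy_rules_with_ipblock` only asserts `m_create.assert_called()`, so it passes regardless of which CIDRs the `except` handling produced and would not detect an ingress rule that still permits `172.17.1.0/24`. Collecting the `cidr` values passed to `m_create` (the helper's call signature is not visible here) and asserting that none of them covers `172.17.1.0/24` would pin the intended behaviour, and an ipBlock with two `except` entries would cover the multi-exclusion case as well. The enclosing test class continues outside the hunk.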
@@ -8,6 +8,7 @@ kuryr-lib>=0.5.0 # Apache-2.0
|
|||||||
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
||||||
requests>=2.14.2 # Apache-2.0
|
requests>=2.14.2 # Apache-2.0
|
||||||
eventlet!=0.18.3,!=0.20.1,!=0.21.0,>=0.18.2 # MIT
|
eventlet!=0.18.3,!=0.20.1,!=0.21.0,>=0.18.2 # MIT
|
||||||
|
netaddr>=0.7.19 # BSD
|
||||||
openstacksdk>=0.13.0 # Apache-2.0
|
openstacksdk>=0.13.0 # Apache-2.0
|
||||||
oslo.cache>=1.26.0 # Apache-2.0
|
oslo.cache>=1.26.0 # Apache-2.0
|
||||||
oslo.config>=5.2.0 # Apache-2.0
|
oslo.config>=5.2.0 # Apache-2.0
|
||||||
|