Merge "NP: Delete default egress rules"
commit
abcb1863e2
|
@ -168,6 +168,15 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||
sg = self.neutron.create_security_group(body=security_group_body)
|
||||
sg_id = sg['security_group']['id']
|
||||
driver_utils.tag_neutron_resources('security-groups', [sg_id])
|
||||
# NOTE(dulek): Neutron populates every new SG with two rules
|
||||
# allowing egress on IPv4 and IPv6. This collides with
|
||||
# how network policies are supposed to work, because
|
||||
# initially even egress traffic should be blocked.
|
||||
# To work around this we will delete those two SG
|
||||
# rules just after creation.
|
||||
for sgr in sg['security_group']['security_group_rules']:
|
||||
self.neutron.delete_security_group_rule(sgr['id'])
|
||||
|
||||
i_rules, e_rules = self.parse_network_policy_rules(policy, sg_id)
|
||||
for i_rule in i_rules:
|
||||
sgr_id = driver_utils.create_security_group_rule(i_rule)
|
||||
|
|
|
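Review bot: A failure of `self.neutron.delete_security_group_rule(sgr['id'])` inside the new loop leaves the freshly created group with Neutron's default allow-all egress rules while the driver goes on to install the policy's ingress/egress rules as if egress were already closed, which is a fail-open outcome for a NetworkPolicy that the commit does not address. Presumably the client raises on an HTTP error, so the exception propagates and aborts the method, but a partial deletion (first rule removed, second call failing) is not distinguished from success by anything visible here; I would re-read the group after the loop and refuse to continue if `show_security_group(sg_id)['security_group']['security_group_rules']` is non-empty, raising rather than asserting so the check survives `-O`. The NOTE comment says "those two SG rules" but the loop deletes every rule returned on the new group, which is the safer behaviour and worth stating: `# Delete every rule Neutron pre-populated so the group starts fully closed.`. The enclosing method starts before this hunk and continues after it.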
@ -196,7 +196,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
'security_group': {'id': mock.sentinel.id,
|
||||
'security_group_rules': []}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
'subnet': {'cidr': mock.sentinel.cidr}}
|
||||
m_parse.return_value = (self._i_rules, self._e_rules)
|
||||
|
@ -221,7 +222,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
m_add_crd, m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
'security_group': {'id': mock.sentinel.id,
|
||||
'security_group_rules': []}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
'subnet': {'cidr': mock.sentinel.cidr}}
|
||||
m_parse.return_value = (self._i_rules, self._e_rules)
|
||||
|
@ -248,7 +250,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
m_add_crd, m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
'security_group': {'id': mock.sentinel.id,
|
||||
'security_group_rules': []}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
'subnet': {'cidr': mock.sentinel.cidr}}
|
||||
m_parse.return_value = (self._i_rules, self._e_rules)
|
||||
|
|
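Review bot: All three updated mocks return `'security_group_rules': []`, so the new deletion loop in `NetworkPolicyDriver` is never executed by these tests and a regression that skips the deletion or keys it wrongly would pass unnoticed. At least one case should return rules with ids and assert each is deleted, e.g. `'security_group_rules': [{'id': 'r1'}, {'id': 'r2'}]` followed by `self._driver.neutron.delete_security_group_rule.assert_has_calls([mock.call('r1'), mock.call('r2')])`. A companion case where the delete call raises would pin down that the driver does not proceed with a half-cleaned group. Each test function's body starts before its hunk and continues after it.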