Merge "NP: Delete default egress rules"

2019-04-05 12:47:06 +00:00 · 2019-04-05 12:47:06 +00:00 · abcb1863e2
parent b35b08724b d29e150252
commit abcb1863e2
2 changed files with 15 additions and 3 deletions
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@ -168,6 +168,15 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
            sg = self.neutron.create_security_group(body=security_group_body)
            sg_id = sg['security_group']['id']
            driver_utils.tag_neutron_resources('security-groups', [sg_id])
+            # NOTE(dulek): Neutron populates every new SG with two rules
+            #              allowing egress on IPv4 and IPv6. This collides with
+            #              how network policies are supposed to work, because
+            #              initially even egress traffic should be blocked.
+            #              To work around this we will delete those two SG
+            #              rules just after creation.
+            for sgr in sg['security_group']['security_group_rules']:
+                self.neutron.delete_security_group_rule(sgr['id'])
+
            i_rules, e_rules = self.parse_network_policy_rules(policy, sg_id)
            for i_rule in i_rules:
                sgr_id = driver_utils.create_security_group_rule(i_rule)
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@ -196,7 +196,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                             m_get_crd,
                                                             m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)
@ -221,7 +222,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                      m_add_crd, m_get_crd,
                                                      m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)
@ -248,7 +250,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                       m_add_crd, m_get_crd,
                                                       m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)