
Merge "Ensure lb sg rules are deleted when no longer allowed"

Zuul 2 months ago
parent
commit
ae8b5773a9
1 changed files with 19 additions and 0 deletions
  1. 19
    0
      kuryr_kubernetes/controller/drivers/lbaasv2.py

+ 19
- 0
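--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -147,6 +147,9 @@ class LBaaSv2Driver(base.LBaaSDriver):
         else:
             sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
 
+        lbaas_sg_rules = neutron.list_security_group_rules(
+            security_group_id=sg_id)
+        all_pod_rules = []
         # Check if Network Policy allows listener on the pods
         for sg in loadbalancer.security_groups:
             if sg != sg_id:
@@ -167,6 +170,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
                         if (min_port and target_port not in range(min_port,
                                                                   max_port+1)):
                             continue
+                        all_pod_rules.append(rule)
                         try:
                             neutron.create_security_group_rule({
                                 'security_group_rule': {
@@ -186,6 +190,21 @@ class LBaaSv2Driver(base.LBaaSDriver):
                                               'group rule for listener %s.',
                                               sg_rule_name)
 
+        for rule in lbaas_sg_rules['security_group_rules']:
+            if (rule.get('protocol') != protocol.lower() or
+                    rule.get('port_range_min') != port or
+                    not rule.get('remote_ip_prefix')):
+                continue
+            self._delete_rule_if_no_match(rule, all_pod_rules)
+
+    def _delete_rule_if_no_match(self, rule, all_pod_rules):
+        for pod_rule in all_pod_rules:
+            if pod_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
+                return
+        neutron = clients.get_neutron_client()
+        LOG.debug("Deleting sg rule: %r", rule['id'])
+        neutron.delete_security_group_rule(rule['id'])
+
     def _remove_default_octavia_rules(self, sg_id, listener):
         neutron = clients.get_neutron_client()
         for remaining in self._provisioning_timer(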
