
Merge "Skip exception in case kuryrnetpolicy CRD is already deleted"

Zuul 1 month ago
parent
commit
c4d7f5e7ee

+ 1
- 1
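--- a/.zuul.d/octavia.yaml
+++ b/.zuul.d/octavia.yaml
@@ -123,7 +123,7 @@
     vars:
       tempest_test_regex: '^(kuryr_tempest_plugin.tests.scenario.test_network_policy.TestNetworkPolicyScenario)'
       devstack_localrc:
-        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy
+        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy
         KURYR_SG_DRIVER: policy
         KURYR_SUBNET_DRIVER: namespace
     voting: false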

+ 1
- 1
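--- a/doc/source/installation/network_policy.rst
+++ b/doc/source/installation/network_policy.rst
@@ -7,7 +7,7 @@ handlers at kuryr.conf (further info on how to do this can be found  at
 :doc:`./devstack/containerized`)::
 
     [kubernetes]
-    enabled_handlers=vif,lb,lbaasspec,policy,pod_label,namespace
+    enabled_handlers=vif,lb,lbaasspec,policy,pod_label,namespace,kuryrnetpolicy
 
 After that, enable also the security group drivers for policies::
 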

+ 19
- 14
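--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -370,22 +370,24 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
 
         return ingress_sg_rule_body_list, egress_sg_rule_body_list
 
+    def delete_np_sg(self, sg_id):
+        try:
+            self.neutron.delete_security_group(sg_id)
+        except n_exc.NotFound:
+            LOG.debug("Security Group not found: %s", sg_id)
+        except n_exc.Conflict:
+            LOG.debug("Security Group already in use: %s", sg_id)
+            # raising ResourceNotReady to retry this action in case ports
+            # associated to affected pods are not updated on time, i.e.,
+            # they are still using the security group to be removed
+            raise exceptions.ResourceNotReady(sg_id)
+        except n_exc.NeutronClientException:
+            LOG.exception("Error deleting security group %s.", sg_id)
+            raise
+
     def release_network_policy(self, netpolicy_crd):
         if netpolicy_crd is not None:
-            try:
-                sg_id = netpolicy_crd['spec']['securityGroupId']
-                self.neutron.delete_security_group(sg_id)
-            except n_exc.NotFound:
-                LOG.debug("Security Group not found: %s", sg_id)
-            except n_exc.Conflict:
-                LOG.debug("Security Group already in use: %s", sg_id)
-                # raising ResourceNotReady to retry this action in case ports
-                # associated to affected pods are not updated on time, i.e.,
-                # they are still using the security group to be removed
-                raise exceptions.ResourceNotReady(sg_id)
-            except n_exc.NeutronClientException:
-                LOG.exception("Error deleting security group %s.", sg_id)
-                raise
+            self.delete_np_sg(netpolicy_crd['spec']['securityGroupId'])
             self._del_kuryrnetpolicy_crd(
                 netpolicy_crd['metadata']['name'],
                 netpolicy_crd['metadata']['namespace'])
@@ -470,6 +472,9 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
             LOG.exception("Kubernetes Client Exception deleting kuryrnetpolicy"
                           " CRD.")
             raise
+        except n_exc.NotFound:
+            LOG.debug("KuryrNetPolicy CRD Object not found: %s",
+                      netpolicy_crd_name)
 
     def affected_pods(self, policy, selector=None):
         if selector: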
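Review bot: The `except n_exc.NotFound:` clause added in the second hunk catches a Neutron client exception, but the log message of the handler just above it ("Kubernetes Client Exception deleting kuryrnetpolicy CRD.") indicates the guarded call is a Kubernetes API delete, so a missing CRD would presumably be reported as a Kubernetes client error and never reach this clause. It is also placed after the handler that logs and re-raises; if the project's not-found exception derives from the exception type caught there, the delete still fails instead of being skipped, and the release is left to fail or retry. The try body and the earlier `except` line are outside the hunk, so confirm there; if it holds, catch the Kubernetes not-found exception ahead of the generic handler, e.g. `except exceptions.K8sResourceNotFound:` (if that class is available in this tree). Separately, in the first hunk `release_network_policy` indexes `netpolicy_crd['spec']['securityGroupId']` directly, so a CRD without that key raises KeyError before the CRD is removed.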

+ 37
- 0
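--- a/kuryr_kubernetes/controller/handlers/kuryrnetpolicy.py
+++ b/kuryr_kubernetes/controller/handlers/kuryrnetpolicy.py
@@ -0,0 +1,37 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from kuryr_kubernetes import constants
+from kuryr_kubernetes.controller.drivers import base as drivers
+from kuryr_kubernetes.handlers import k8s_base
+
+
+class KuryrNetPolicyHandler(k8s_base.ResourceEventHandler):
+    """Controller side of KuryrNetPolicy process for Kubernetes pods.
+
+    `KuryrNetPolicyHandler` runs on the Kuryr-Kubernetes controller and is
+    responsible for deleting associated security groups upon namespace
+    deletion.
+    """
+    OBJECT_KIND = constants.K8S_OBJ_KURYRNETPOLICY
+    OBJECT_WATCH_PATH = constants.K8S_API_CRD_KURYRNETPOLICIES
+
+    def __init__(self):
+        super(KuryrNetPolicyHandler, self).__init__()
+        self._drv_policy = drivers.NetworkPolicyDriver.get_instance()
+
+    def on_deleted(self, netpolicy_crd):
+        crd_sg = netpolicy_crd['spec'].get('securityGroupId')
+        if crd_sg:
+            self._drv_policy.delete_np_sg(crd_sg)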
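Review bot: `on_deleted` has no docstring and does not state what happens when the security group cannot be removed yet. `delete_np_sg`, added to the driver in this same commit, raises `exceptions.ResourceNotReady` on a Neutron Conflict and re-raises other client errors, so this handler depends on something upstream retrying the event; that wrapper is not visible here, and without it the policy's security group would stay behind in the project. I would add a docstring along the lines of `"""Delete the Neutron security group of a removed KuryrNetPolicy; ResourceNotReady propagates so the event can be retried."""` and confirm the retry behaviour. Note also that `netpolicy_crd['spec']` is indexed directly while `securityGroupId` is read with `.get`, so a CRD without `spec` raises KeyError.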

+ 24
- 20
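--- a/kuryr_kubernetes/controller/handlers/policy.py
+++ b/kuryr_kubernetes/controller/handlers/policy.py
@@ -96,29 +96,33 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
         project_id = self._drv_project.get_project(policy)
         pods_to_update = self._drv_policy.affected_pods(policy)
         netpolicy_crd = self._drv_policy.get_kuryrnetpolicy_crd(policy)
-        crd_sg = netpolicy_crd['spec'].get('securityGroupId')
-        for pod in pods_to_update:
-            if driver_utils.is_host_network(pod):
-                continue
-            pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
-            if crd_sg in pod_sgs:
-                pod_sgs.remove(crd_sg)
-            if not pod_sgs:
-                pod_sgs = oslo_cfg.CONF.neutron_defaults.pod_security_groups
+        if netpolicy_crd:
+            crd_sg = netpolicy_crd['spec'].get('securityGroupId')
+            for pod in pods_to_update:
+                if driver_utils.is_host_network(pod):
+                    continue
+                pod_sgs = self._drv_pod_sg.get_security_groups(pod,
+                                                               project_id)
+                if crd_sg in pod_sgs:
+                    pod_sgs.remove(crd_sg)
                 if not pod_sgs:
-                    raise oslo_cfg.RequiredOptError('pod_security_groups',
-                                                    oslo_cfg.OptGroup(
-                                                        'neutron_defaults'))
-            self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
+                    pod_sgs = (
+                        oslo_cfg.CONF.neutron_defaults.pod_security_groups)
+                    if not pod_sgs:
+                        raise oslo_cfg.RequiredOptError(
+                            'pod_security_groups',
+                            oslo_cfg.OptGroup('neutron_defaults'))
+                self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
 
-        self._drv_policy.release_network_policy(netpolicy_crd)
+            self._drv_policy.release_network_policy(netpolicy_crd)
 
-        services = self._get_services(policy['metadata']['namespace'])
-        for service in services.get('items'):
-            if service['metadata']['name'] == 'kubernetes':
-                continue
-            sgs = self._drv_svc_sg.get_security_groups(service, project_id)
-            self._drv_lbaas.update_lbaas_sg(service, sgs)
+            services = self._get_services(policy['metadata']['namespace'])
+            for service in services.get('items'):
+                if service['metadata']['name'] == 'kubernetes':
+                    continue
+                sgs = self._drv_svc_sg.get_security_groups(service,
+                                                           project_id)
+                self._drv_lbaas.update_lbaas_sg(service, sgs)
 
     def is_ready(self, quota):
         if not utils.has_kuryr_crd(k_const.K8S_API_CRD_KURYRNETPOLICIES):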
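Review bot: With the new `if netpolicy_crd:` guard, a missing CRD makes this method return silently: `pods_to_update` is still computed, but no pod gets its security groups refreshed through `update_vif_sgs`, and the service loop calling `update_lbaas_sg` is now skipped as well. If the CRD disappears first (the case this commit targets), pods and load balancers may keep security groups that belong to a policy that no longer exists, and the `delete_np_sg` call from the new KuryrNetPolicyHandler would then keep hitting Conflict. Consider leaving the services refresh outside the guard and recording the skip, e.g. `LOG.debug("KuryrNetPolicy CRD not found for policy %s, skipping security group release", policy['metadata']['name'])`, assuming the module has a logger. The enclosing method starts outside the hunk.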

+ 16
- 0
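--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@@ -96,6 +96,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
 
         self._crd = {
             'metadata': {'name': mock.sentinel.name,
+                         'namespace': u'default',
                          'selfLink': mock.sentinel.selfLink},
             'spec': {
                 'egressSgRules': [
@@ -440,3 +441,18 @@ class TestNetworkPolicyDriver(test_base.TestCase):
 
         resp = self._driver.namespaced_pods(self._policy)
         self.assertEqual([], resp)
+
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_del_kuryrnetpolicy_crd', return_value=False)
+    def test_release_network_policy(self, m_del_crd):
+        self._driver.release_network_policy(self._crd)
+        self.neutron.delete_security_group.assert_called_once_with(
+            self._crd['spec']['securityGroupId'])
+        m_del_crd.assert_called_once_with(self._crd['metadata']['name'],
+                                          self._crd['metadata']['namespace'])
+
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_del_kuryrnetpolicy_crd', return_value=False)
+    def test_release_network_policy_removed_crd(self, m_del_crd):
+        self._driver.release_network_policy(None)
+        m_del_crd.assert_not_called()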
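Review bot: `test_release_network_policy_removed_crd` only asserts that `_del_kuryrnetpolicy_crd` is not called; it should also pin that no Neutron call is made for a `None` CRD, with `self.neutron.delete_security_group.assert_not_called()`. The error branches of the new `delete_np_sg` are not exercised either. A case that sets `delete_security_group.side_effect` to the Neutron Conflict exception and asserts that `ResourceNotReady` is raised, and that `m_del_crd` is not reached, would cover the retry path described in the driver's comment. A second case for the not-found exception would confirm the CRD is still deleted when the security group is already gone.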

+ 1
- 0
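--- a/setup.cfg
+++ b/setup.cfg
@@ -103,6 +103,7 @@ kuryr_kubernetes.controller.handlers =
     ocproute  = kuryr_kubernetes.platform.ocp.controller.handlers.route:OcpRouteHandler
     policy = kuryr_kubernetes.controller.handlers.policy:NetworkPolicyHandler
     pod_label = kuryr_kubernetes.controller.handlers.pod_label:PodLabelHandler
+    kuryrnetpolicy = kuryr_kubernetes.controller.handlers.kuryrnetpolicy:KuryrNetPolicyHandler
     test_handler = kuryr_kubernetes.tests.unit.controller.handlers.test_fake_handler:TestHandler
 
 kuryr_kubernetes.controller.drivers.multi_vif =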
