From dabb2a70ea46b5e8accee44a69a22c97bdb028d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Dulko?=
Date: Wed, 19 Aug 2020 17:23:29 +0200
Subject: [PATCH] NP: Don't add pods without IP to affectedPods
We use affectedPods to comfortably track the list of the pods that the NetworkPolicy indirectly targets (i.e. matches their ports). It doesn't make sense to put pods without IP there, as well as it is impossible now with new KuryrNetworkPolicy CRD. We haven't seen that problem on previous CRD as we've used a weird format to save that info: {'': ' was None, json.dumps serialized that into {'null': ''}, which was as happily accepted by K8s API as it was utterly useless. This commit makes sure we only put pods with IP on affectedPods field. Please also note that we already have protection in place to make sure we won't create rules for pods without IP (those rules would effectively open too much traffic), so that is already covered. Change-Id: Ie82a153c89119fc8f70071353c8e46b27d643935 Closes-Bug: 1892208
---
 kuryr_kubernetes/controller/drivers/network_policy.py | 2 ++
 kuryr_kubernetes/controller/drivers/utils.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
index b92da637e..4cfe901c5 100644
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -69,6 +69,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
 if 'remote_ip_prefixes' in rule:
 result['affectedPods'] = []
 for ip, namespace in rule['remote_ip_prefixes']:
+ if not ip:
+ continue
 result['affectedPods'].append({
 'podIP': ip,
 'podNamespace': namespace,
diff --git a/kuryr_kubernetes/controller/drivers/utils.py b/kuryr_kubernetes/controller/drivers/utils.py
index b3cedd43c..6c154bdc9 100644
--- a/kuryr_kubernetes/controller/drivers/utils.py
+++ b/kuryr_kubernetes/controller/drivers/utils.py
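Review bot: The new `if not ip: continue` drops the pod silently, so an operator comparing a policy's affectedPods against the pods its selector matches gets no trace of why one is absent; a debug line at that point, e.g. `LOG.debug("Pod in namespace %s has no IP yet, not adding it to affectedPods", namespace)`, would make the omission visible (assuming this module has a module-level LOG like utils.py does). The commit message says a separate guard already prevents IP-less pods from producing a security group rule, but that guard is not in this hunk, so a one-line comment above the skip such as `# A pod without an IP cannot be matched by a rule; skip it rather than storing a null podIP.` would tie the two behaviours together for the next reader. The enclosing method begins before the hunk and continues after it.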
@@ -269,7 +269,7 @@ def create_security_group_rule_body(
 security_group_rule_body['namespace'] = namespace
 if pods:
 security_group_rule_body['affectedPods'] = [
- {'podIP': ip, 'podNamespace': ns} for ip, ns in pods.items()]
+ {'podIP': ip, 'podNamespace': ns} for ip, ns in pods.items() if ip]
 LOG.debug("Creating sg rule body %s", security_group_rule_body)
 return security_group_rule_body
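Review bot: The added `if ip` filter changes the function's contract without saying so: a caller that passes a pod in `pods` can no longer assume it shows up in `affectedPods`, and when every key is falsy the `if pods:` guard still fires and the body is sent with `'affectedPods': []`. That matches what the network_policy.py path produces, so it is probably fine for the CRD, but it is worth stating in the function's docstring (which starts before this hunk) that pods keyed by a falsy IP (None or '') are omitted from affectedPods and that the list may therefore be empty. A short comment on the comprehension, e.g. `# Pods without an IP cannot be matched by a rule; do not track them.`, would also keep this filter and the equivalent skip in network_policy.py from drifting apart. The signature of create_security_group_rule_body is outside the hunk.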