Default pod security groups driver

This patch adds a new driver type used to determine Neutron security groups that should be used for Kubernetes pods. This patch also provides a default driver implementation that uses a list of security groups set in configuration file. Change-Id: Id76f70b8a99ffa8372dfd3d199371e7db46fb812 Partially-Implements: blueprint kuryr-k8s-integration
2016-11-18 13:43:46 +03:00 · 2016-11-18 13:43:46 +03:00 · d20a512600
parent 9e078d4a5c
commit d20a512600
5 changed files with 106 additions and 0 deletions
--- a/kuryr_kubernetes/config.py
+++ b/kuryr_kubernetes/config.py
@ -39,6 +39,9 @@ k8s_opts = [
    cfg.StrOpt('pod_subnets_driver',
        help=_("The driver to determine Neutron subnets for pod ports"),
        default='default'),
+    cfg.StrOpt('pod_security_groups_driver',
+        help=_("The driver to determine Neutron security groups for pods"),
+        default='default'),
 ]

 neutron_defaults = [
@ -46,6 +49,8 @@ neutron_defaults = [
        help=_("Default OpenStack project ID for Kubernetes resources")),
    cfg.StrOpt('pod_subnet',
        help=_("Default Neutron subnet ID for Kubernetes pods")),
+    cfg.ListOpt('pod_security_groups',
+        help=_("Default Neutron security groups' IDs for Kubernetes pods")),
 ]

 CONF = cfg.CONF
--- a/kuryr_kubernetes/controller/drivers/base.py
+++ b/kuryr_kubernetes/controller/drivers/base.py
@ -113,3 +113,20 @@ class PodSubnetsDriver(DriverBase):
                 `os_vif.subnet.Subnet` object corresponding to the 'subnet_id'
        """
        raise NotImplementedError()
+
+
+@six.add_metaclass(abc.ABCMeta)
+class PodSecurityGroupsDriver(DriverBase):
+    """Provides security groups for Kubernetes Pods."""
+
+    ALIAS = 'pod_security_groups'
+
+    @abc.abstractmethod
+    def get_security_groups(self, pod, project_id):
+        """Get a list of security groups' IDs for Pod.
+
+        :param pod: dict containing Kubernetes Pod object
+        :param project_id: OpenStack project ID
+        :return: list containing security groups' IDs
+        """
+        raise NotImplementedError()
--- a/kuryr_kubernetes/controller/drivers/default_security_groups.py
+++ b/kuryr_kubernetes/controller/drivers/default_security_groups.py
@ -0,0 +1,36 @@
+# Copyright (c) 2016 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_config import cfg
+
+from kuryr_kubernetes import config
+from kuryr_kubernetes.controller.drivers import base
+
+
+class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
+    """Provides security groups for Pod based on a configuration option."""
+
+    def get_security_groups(self, pod, project_id):
+        sg_list = config.CONF.neutron_defaults.pod_security_groups
+
+        if not sg_list:
+            # NOTE(ivc): this option is only required for
+            # DefaultPodSecurityGroupsDriver and its subclasses, but it may be
+            # optional for other drivers (e.g. when each namespace has own
+            # set of security groups)
+            raise cfg.RequiredOptError('pod_security_groups',
+                                       'neutron_defaults')
+
+        return sg_list[:]
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_default_security_groups.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_default_security_groups.py
@ -0,0 +1,45 @@
+# Copyright (c) 2016 Mirantis, Inc.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import mock
+
+from oslo_config import cfg
+
+from kuryr_kubernetes.controller.drivers import default_security_groups
+from kuryr_kubernetes.tests import base as test_base
+
+
+class TestDefaultPodSecurityGroupsDriver(test_base.TestCase):
+
+    @mock.patch('kuryr_kubernetes.config.CONF')
+    def test_get_security_groups(self, m_cfg):
+        sg_list = [mock.sentinel.sg_id]
+        project_id = mock.sentinel.project_id
+        pod = mock.sentinel.pod
+        m_cfg.neutron_defaults.pod_security_groups = sg_list
+        driver = default_security_groups.DefaultPodSecurityGroupsDriver()
+
+        ret = driver.get_security_groups(pod, project_id)
+
+        self.assertEqual(sg_list, ret)
+        self.assertIsNot(sg_list, ret)
+
+    def test_get_security_groups_not_set(self):
+        project_id = mock.sentinel.project_id
+        pod = mock.sentinel.pod
+        driver = default_security_groups.DefaultPodSecurityGroupsDriver()
+
+        self.assertRaises(cfg.RequiredOptError, driver.get_security_groups,
+                          pod, project_id)
--- a/setup.cfg
+++ b/setup.cfg
@ -32,6 +32,9 @@ kuryr_kubernetes.controller.drivers.pod_project =
 kuryr_kubernetes.controller.drivers.pod_subnets =
    default = kuryr_kubernetes.controller.drivers.default_subnet:DefaultPodSubnetDriver

+kuryr_kubernetes.controller.drivers.pod_security_groups =
+    default = kuryr_kubernetes.controller.drivers.default_security_groups:DefaultPodSecurityGroupsDriver
+
 [files]
 packages =
    kuryr_kubernetes