Default pod security groups driver
This patch adds a new driver type used to determine the Neutron security groups that should be used for Kubernetes pods. It also provides a default driver implementation that uses a list of security groups set in the configuration file. Change-Id: Id76f70b8a99ffa8372dfd3d199371e7db46fb812 Partially-Implements: blueprint kuryr-k8s-integration
parent
9e078d4a5c
commit
d20a512600
|
@ -39,6 +39,9 @@ k8s_opts = [
|
|||
cfg.StrOpt('pod_subnets_driver',
|
||||
help=_("The driver to determine Neutron subnets for pod ports"),
|
||||
default='default'),
|
||||
cfg.StrOpt('pod_security_groups_driver',
|
||||
help=_("The driver to determine Neutron security groups for pods"),
|
||||
default='default'),
|
||||
]
|
||||
|
||||
neutron_defaults = [
|
||||
|
@ -46,6 +49,8 @@ neutron_defaults = [
|
|||
help=_("Default OpenStack project ID for Kubernetes resources")),
|
||||
cfg.StrOpt('pod_subnet',
|
||||
help=_("Default Neutron subnet ID for Kubernetes pods")),
|
||||
cfg.ListOpt('pod_security_groups',
|
||||
help=_("Default Neutron security groups' IDs for Kubernetes pods")),
|
||||
]
|
||||
|
||||
CONF = cfg.CONF
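Review bot: The help string for `pod_security_groups` in the second hunk does not say that the option is mandatory when `pod_security_groups_driver` is left at `default`, although the default driver added in this commit raises `cfg.RequiredOptError` when the list is empty or unset. An operator has no hint of that from the option's help text. I would extend it, e.g. `help=_("Neutron security group IDs applied to Kubernetes pods; required by the 'default' pod_security_groups_driver")`. The `neutron_defaults` list starts above the hunk.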
|
||||
|
|
|
@ -113,3 +113,20 @@ class PodSubnetsDriver(DriverBase):
|
|||
`os_vif.subnet.Subnet` object corresponding to the 'subnet_id'
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class PodSecurityGroupsDriver(DriverBase):
|
||||
"""Provides security groups for Kubernetes Pods."""
|
||||
|
||||
ALIAS = 'pod_security_groups'
|
||||
|
||||
@abc.abstractmethod
|
||||
def get_security_groups(self, pod, project_id):
|
||||
"""Get a list of security groups' IDs for Pod.
|
||||
|
||||
:param pod: dict containing Kubernetes Pod object
|
||||
:param project_id: OpenStack project ID
|
||||
:return: list containing security groups' IDs
|
||||
"""
|
||||
raise NotImplementedError()
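Review bot: The `get_security_groups` docstring in `PodSecurityGroupsDriver` leaves the empty case undefined: it does not say whether an implementation may return an empty list or `None`, or must raise. That matters to whoever consumes the result, because a port with an empty security-group list is presumably not equivalent to a port with the project's default group, which is worth confirming against how the value is passed on to Neutron. If the intended contract is the one the default driver follows, I would change the return line to `:return: non-empty list of security groups' IDs` and add a `:raises:` line stating that an exception is raised when no security groups can be determined.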
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
# Copyright (c) 2016 Mirantis, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from kuryr_kubernetes import config
|
||||
from kuryr_kubernetes.controller.drivers import base
|
||||
|
||||
|
||||
class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
|
||||
"""Provides security groups for Pod based on a configuration option."""
|
||||
|
||||
def get_security_groups(self, pod, project_id):
|
||||
sg_list = config.CONF.neutron_defaults.pod_security_groups
|
||||
|
||||
if not sg_list:
|
||||
# NOTE(ivc): this option is only required for
|
||||
# DefaultPodSecurityGroupsDriver and its subclasses, but it may be
|
||||
# optional for other drivers (e.g. when each namespace has own
|
||||
# set of security groups)
|
||||
raise cfg.RequiredOptError('pod_security_groups',
|
||||
'neutron_defaults')
|
||||
|
||||
return sg_list[:]
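Review bot: `DefaultPodSecurityGroupsDriver.get_security_groups` has no docstring and silently ignores both `pod` and `project_id`, so the configured IDs are returned whichever project the pod was mapped to. Nothing here checks that those groups belong to `project_id`; a mismatch would presumably surface only later, when the port is created. I would add a docstring saying so, e.g. `"""Return a copy of [neutron_defaults]pod_security_groups; pod and project_id are not consulted."""`, and a short comment on `return sg_list[:]` that the copy keeps callers from mutating the configured list.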
|
|
@ -0,0 +1,45 @@
|
|||
# Copyright (c) 2016 Mirantis, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import mock
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from kuryr_kubernetes.controller.drivers import default_security_groups
|
||||
from kuryr_kubernetes.tests import base as test_base
|
||||
|
||||
|
||||
class TestDefaultPodSecurityGroupsDriver(test_base.TestCase):
|
||||
|
||||
@mock.patch('kuryr_kubernetes.config.CONF')
|
||||
def test_get_security_groups(self, m_cfg):
|
||||
sg_list = [mock.sentinel.sg_id]
|
||||
project_id = mock.sentinel.project_id
|
||||
pod = mock.sentinel.pod
|
||||
m_cfg.neutron_defaults.pod_security_groups = sg_list
|
||||
driver = default_security_groups.DefaultPodSecurityGroupsDriver()
|
||||
|
||||
ret = driver.get_security_groups(pod, project_id)
|
||||
|
||||
self.assertEqual(sg_list, ret)
|
||||
self.assertIsNot(sg_list, ret)
|
||||
|
||||
def test_get_security_groups_not_set(self):
|
||||
project_id = mock.sentinel.project_id
|
||||
pod = mock.sentinel.pod
|
||||
driver = default_security_groups.DefaultPodSecurityGroupsDriver()
|
||||
|
||||
self.assertRaises(cfg.RequiredOptError, driver.get_security_groups,
|
||||
pod, project_id)
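Review bot: `test_get_security_groups_not_set` does not patch `kuryr_kubernetes.config.CONF`, unlike the test above it, so it passes only while the process-wide configuration happens to leave `pod_security_groups` unset. I would decorate it with `@mock.patch('kuryr_kubernetes.config.CONF')` and set `m_cfg.neutron_defaults.pod_security_groups = []`, which pins the empty-list case explicitly. A second case with `None` would cover the unset option, assuming that is what `ListOpt` yields without a default.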
|
|
@ -32,6 +32,9 @@ kuryr_kubernetes.controller.drivers.pod_project =
|
|||
kuryr_kubernetes.controller.drivers.pod_subnets =
|
||||
default = kuryr_kubernetes.controller.drivers.default_subnet:DefaultPodSubnetDriver
|
||||
|
||||
kuryr_kubernetes.controller.drivers.pod_security_groups =
|
||||
default = kuryr_kubernetes.controller.drivers.default_security_groups:DefaultPodSecurityGroupsDriver
|
||||
|
||||
[files]
|
||||
packages =
|
||||
kuryr_kubernetes
|
||||
|
|