NP: Delete default egress rules

When an SG is created, Neutron populates it with egress rules allowing it to call anything. This isn't compliant with how network policies are supposed to work in K8s. In order to correctly block all traffic we need to remove those rules when creating the SG and this patch implements it. Change-Id: I20860a52af843f770b6af5db65cfd9fb3e42ccfd Closes-Bug: 1822174
2019-03-28 19:21:52 +01:00 · 2019-03-28 19:21:52 +01:00 · d29e150252
parent 4a3b23d17b
commit d29e150252
2 changed files with 15 additions and 3 deletions
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@ -168,6 +168,15 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
            sg = self.neutron.create_security_group(body=security_group_body)
            sg_id = sg['security_group']['id']
            driver_utils.tag_neutron_resources('security-groups', [sg_id])
+            # NOTE(dulek): Neutron populates every new SG with two rules
+            #              allowing egress on IPv4 and IPv6. This collides with
+            #              how network policies are supposed to work, because
+            #              initially even egress traffic should be blocked.
+            #              To work around this we will delete those two SG
+            #              rules just after creation.
+            for sgr in sg['security_group']['security_group_rules']:
+                self.neutron.delete_security_group_rule(sgr['id'])
+
            i_rules, e_rules = self.parse_network_policy_rules(policy, sg_id)
            for i_rule in i_rules:
                sgr_id = driver_utils.create_security_group_rule(i_rule)
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@ -196,7 +196,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                             m_get_crd,
                                                             m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)
@ -221,7 +222,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                      m_add_crd, m_get_crd,
                                                      m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)
@ -248,7 +250,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                       m_add_crd, m_get_crd,
                                                       m_add_default):
        self._driver.neutron.create_security_group.return_value = {
-            'security_group': {'id': mock.sentinel.id}}
+            'security_group': {'id': mock.sentinel.id,
+                               'security_group_rules': []}}
        m_utils.get_subnet_cidr.return_value = {
            'subnet': {'cidr': mock.sentinel.cidr}}
        m_parse.return_value = (self._i_rules, self._e_rules)