NP: Delete default egress rules
When an SG is created, Neutron populates it with default egress rules allowing all outbound IPv4 and IPv6 traffic. This isn't compliant with how network policies are supposed to work in K8s, where a policy that selects a pod blocks all traffic not explicitly allowed. In order to correctly block all traffic we need to remove those rules when creating the SG, and this patch implements it. Change-Id: I20860a52af843f770b6af5db65cfd9fb3e42ccfd Closes-Bug: 1822174
This commit is contained in:
parent
4a3b23d17b
commit
d29e150252
@ -168,6 +168,15 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
sg = self.neutron.create_security_group(body=security_group_body)
sg_id = sg['security_group']['id']
driver_utils.tag_neutron_resources('security-groups', [sg_id])
# NOTE(dulek): Neutron populates every new SG with two rules
# allowing egress on IPv4 and IPv6. This collides with
# how network policies are supposed to work, because
# initially even egress traffic should be blocked.
# To work around this we will delete those two SG
# rules just after creation.
for sgr in sg['security_group']['security_group_rules']:
self.neutron.delete_security_group_rule(sgr['id'])
|
i_rules, e_rules = self.parse_network_policy_rules(policy, sg_id)
for i_rule in i_rules:
sgr_id = driver_utils.create_security_group_rule(i_rule)
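Review bot: The rule-deletion loop added after `tag_neutron_resources` is not fail-closed: if `delete_security_group_rule` raises part-way (a Neutron error, or a rule already gone), the exception propagates but the freshly created, tagged SG is left behind still carrying Neutron's default allow-all egress rule, and the policy's own rules are never applied to it. Consider tearing the group down before re-raising, e.g. wrap the loop in `try: ... except Exception: self.neutron.delete_security_group(sg_id); raise`, narrowed to whichever Neutron client exception this module already handles, so a failed policy never leaves a permissive group under the driver's tags. It would also be worth confirming after the loop, with a `show_security_group(sg_id)` call, that no rules remain before `i_rules`/`e_rules` are added, since the code trusts the create response to list every default rule; the NOTE could then read "we delete every rule the create response carries and verify the group is empty, so it starts fully closed" rather than assuming exactly two. The enclosing method starts before the hunk and continues after it.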
@ -196,7 +196,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
'security_group': {'id': mock.sentinel.id,
'security_group_rules': []}}
m_utils.get_subnet_cidr.return_value = {
'subnet': {'cidr': mock.sentinel.cidr}}
m_parse.return_value = (self._i_rules, self._e_rules)
@ -221,7 +222,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
m_add_crd, m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
'security_group': {'id': mock.sentinel.id,
'security_group_rules': []}}
m_utils.get_subnet_cidr.return_value = {
'subnet': {'cidr': mock.sentinel.cidr}}
m_parse.return_value = (self._i_rules, self._e_rules)
@ -248,7 +250,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
m_add_crd, m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
'security_group': {'id': mock.sentinel.id,
'security_group_rules': []}}
m_utils.get_subnet_cidr.return_value = {
'subnet': {'cidr': mock.sentinel.cidr}}
m_parse.return_value = (self._i_rules, self._e_rules)
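Review bot: All three updated tests set `'security_group_rules': []` on the mocked `create_security_group` return value, so the loop that removes Neutron's default egress rules is never exercised and a regression that stops deleting them would still pass. At least one case should return two rule entries, e.g. `'security_group_rules': [{'id': mock.sentinel.r4}, {'id': mock.sentinel.r6}]`, and assert `self._driver.neutron.delete_security_group_rule.assert_has_calls([mock.call(mock.sentinel.r4), mock.call(mock.sentinel.r6)])`, plus `assert_not_called()` in the empty-list case. These hunks sit inside test methods whose signatures and remaining bodies are outside the hunk.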
|
||||
|
|
Loading…
Reference in New Issue