From 16d14d6bcb6165cd83c26fb921ea85443bab357a Mon Sep 17 00:00:00 2001
From: Maysa Macedo
Date: Wed, 22 May 2019 04:19:36 -0400
Subject: [PATCH] Fix Multiple SG rules created when Pod creation follows a NP creation

If a pod is created right after a Network Policy that allows traffic from a pod on a port is created, and the pod is selected by the policy rules, it's possible that while handling the NP creation event the pod still does not have an IP assigned to it, causing a rule to be created without a remote_ip defined and thus result on allow from everywhere in the specific port SG rule. Prior to creating a SG rule, the existence of the cidr associated to the k8s resources needs to be validated.

Change-Id: Id8692d06de4d3dbdfc6a719d4502ecc9aac933af
Closes-Bug: 1829998
---
 kuryr_kubernetes/controller/drivers/network_policy.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
index b1478a9d4..01cd3c29c 100644
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -305,7 +305,7 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
 matched_pods[container_port].update(pod_info)
 else:
 matched_pods[container_port] = pod_info
- if not allow_all and matched_pods:
+ if not allow_all and matched_pods and cidr:
 for container_port, pods in matched_pods.items():
 sg_rule = driver_utils.create_security_group_rule_body(
 sg_id, direction, container_port,
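Review bot: The new `and cidr` guard drops every rule in matched_pods without a comment or log saying why, so a reader of this branch cannot tell that the skip is deliberate and that the rules are rebuilt once the pod has an IP. A one-line comment above the condition would carry that, e.g. `# No IP yet: create no rule rather than an unrestricted one; rules are rebuilt once the pod is running`, mirroring the NOTE(maysams) the second hunk adds. Skipping here is the safe direction: per the commit message a rule created without remote_ip would open the port to everywhere, whereas no rule keeps the port closed until the retry. `cidr` is bound outside the hunk and the enclosing method starts and ends outside it, so I cannot confirm it is assigned on every path that reaches this `if`.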
@@ -373,6 +373,11 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
 direction, port, sg_rule_body_list):
 for resource in allowed_resources:
 cidr, ns = self._get_resource_details(resource)
+ # NOTE(maysams): Skipping resource that do not have
+ # an IP assigned. The security group rule creation
+ # will be triggered again after the resource is running.
+ if not cidr:
+ continue
 sg_rule = (
 driver_utils.create_security_group_rule_body(
 sg_id, direction, port.get('port'),
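Review bot: The added `continue` skips the resource silently; if the later event that is expected to rebuild the rule never arrives, nothing in the logs shows that the allow rule for that resource was never created. A debug line before the `continue`, such as `LOG.debug("No IP assigned yet for %s, skipping SG rule", resource)` (assuming the module's logger is named LOG, which is not visible in this hunk), would make that diagnosable without changing behaviour. The comment wording could also be tightened to `# NOTE(maysams): Skip resources that do not have an IP assigned yet;` before the sentence about the retry. The enclosing method begins and ends outside the hunk.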