
Merge "Fix SG rules to be created twice for the services."

changes/83/760683/1
Zuul 5 months ago
committed by Gerrit Code Review
parent
commit
e1c7abac56
2 changed files with 3 additions and 27 deletions
  1. +0
    -13
      kuryr_kubernetes/controller/drivers/network_policy.py
  2. +3
    -14
      kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py

+ 0
- 13
kuryr_kubernetes/controller/drivers/network_policy.py

@ -341,7 +341,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
crd_rules, direction, port, pod_selector,
policy_namespace)
if allow_all:
container_port = None
for container_port, pods in matched_pods.items():
for ethertype in (constants.IPv4, constants.IPv6):
sg_rule = driver_utils.create_security_group_rule_body(
@ -350,10 +349,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
ethertype=ethertype,
pods=pods)
crd_rules.append(sg_rule)
if direction == 'egress':
self._create_svc_egress_sg_rule(
policy_namespace, crd_rules,
port=container_port, protocol=port.get('protocol'))
def _create_sg_rule_on_number_port(self, allowed_resources,
direction, port, sg_rule_body_list,
@ -395,11 +390,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
ethertype=ethertype,
protocol=port.get('protocol')))
sg_rule_body_list.append(sg_rule)
if direction == 'egress':
self._create_svc_egress_sg_rule(
policy_namespace, sg_rule_body_list,
port=port.get('port'),
protocol=port.get('protocol'))
def _create_default_sg_rule(self, direction, sg_rule_body_list):
for ethertype in (constants.IPv4, constants.IPv6):
@ -532,9 +522,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
port_range_max=65535,
ethertype=ethertype)
sg_rule_body_list.append(rule)
if direction == 'egress':
self._create_svc_egress_sg_rule(policy_namespace,
sg_rule_body_list)
else:
LOG.debug('This network policy specifies no %(direction)s '
'%(rule_direction)s and no ports: %(policy)s',
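Review bot: With the three `if direction == 'egress':` blocks gone, none of the helpers in these hunks calls `_create_svc_egress_sg_rule` any more, and the call site that still adds the service-subnet egress rule is not visible here, so the functions no longer show whether a policy's egress reaches services. Because this code decides what traffic the security group allows, I would add a short comment at each removal point, for example `# Service egress rule is added once by the caller; do not add it per port here.`, with the wording checked against the real call site. All four hunks cut through function bodies that start or end outside them, so the remaining call could not be verified from this page.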


+ 3
- 14
kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py

@ -524,15 +524,12 @@ class TestNetworkPolicyDriver(test_base.TestCase):
m_get_ports.assert_called_with(resources[0], port)
@mock.patch('kuryr_kubernetes.controller.drivers.utils.'
'create_security_group_rule_body')
@mock.patch.object(network_policy.NetworkPolicyDriver,
'_create_sg_rules_with_container_ports')
@mock.patch('kuryr_kubernetes.controller.drivers.utils.get_ports')
def test__create_sg_rule_body_on_text_port_egress_all(self,
m_get_ports,
m_create_sgr_cont,
m_create_sgr):
m_create_sgr_cont):
port = {'protocol': 'TCP', 'port': 22}
container_ports = mock.sentinel.ports
resources = [{'spec': 'foo'}]
@ -552,9 +549,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
allow_all=True)
m_get_ports.assert_called_with(resources[0], port)
m_create_sgr.assert_called_once_with('egress', None, cidr=mock.ANY,
protocol='TCP')
self.assertEqual(len(crd_rules), 1)
self.assertEqual(len(crd_rules), 0)
@mock.patch('kuryr_kubernetes.utils.get_subnet_cidr')
@mock.patch('kuryr_kubernetes.controller.drivers.utils.'
@ -600,14 +595,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
calls = [mock.call(direction, container_ports[0][1],
protocol=port['protocol'], ethertype=e,
pods='foo') for e in ('IPv4', 'IPv6')]
calls.append(mock.call(direction, container_ports[0][1],
protocol=port['protocol'],
cidr='10.0.0.128/26'))
m_create_sgr.assert_has_calls(calls)
# NOTE(gryf): there are 3 rules created in case of egress direction,
# since additional one is created for specific cidr in service subnet.
self.assertEqual(len(crd_rules), 3)
self.assertEqual(len(crd_rules), 2)
def test__create_all_pods_sg_rules(self):
port = {'protocol': 'TCP', 'port': 22}
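Review bot: The updated assertions only pin that the helpers stop adding the service rule (`len(crd_rules)` is now expected to be 0 and 2), and nothing in these hunks asserts that an egress policy still ends up with exactly one service rule. Without that, a later refactor could drop the rule or bring the duplicate back and these tests would still pass. I would add a case that patches the method with `mock.patch.object(network_policy.NetworkPolicyDriver, '_create_svc_egress_sg_rule')`, runs the egress rule parsing entry point, and ends with `m_create_svc_egress.assert_called_once()`; the entry point's name is outside the hunks. The removed `# NOTE(gryf)` comment explained the expected count, so a one-line comment such as `# IPv4 + IPv6 pod rules only; the service rule is added by the caller.` above `self.assertEqual(len(crd_rules), 2)` would keep that context.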

