diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py index ce2f74b33..3a2ef3265 100644 --- a/kuryr_kubernetes/controller/drivers/network_policy.py +++ b/kuryr_kubernetes/controller/drivers/network_policy.py @@ -341,7 +341,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver): crd_rules, direction, port, pod_selector, policy_namespace) if allow_all: - container_port = None for container_port, pods in matched_pods.items(): for ethertype in (constants.IPv4, constants.IPv6): sg_rule = driver_utils.create_security_group_rule_body( @@ -350,10 +349,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver): ethertype=ethertype, pods=pods) crd_rules.append(sg_rule) - if direction == 'egress': - self._create_svc_egress_sg_rule( - policy_namespace, crd_rules, - port=container_port, protocol=port.get('protocol')) def _create_sg_rule_on_number_port(self, allowed_resources, direction, port, sg_rule_body_list, @@ -395,11 +390,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver): ethertype=ethertype, protocol=port.get('protocol'))) sg_rule_body_list.append(sg_rule) - if direction == 'egress': - self._create_svc_egress_sg_rule( - policy_namespace, sg_rule_body_list, - port=port.get('port'), - protocol=port.get('protocol')) def _create_default_sg_rule(self, direction, sg_rule_body_list): for ethertype in (constants.IPv4, constants.IPv6): @@ -532,9 +522,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver): port_range_max=65535, ethertype=ethertype) sg_rule_body_list.append(rule) - if direction == 'egress': - self._create_svc_egress_sg_rule(policy_namespace, - sg_rule_body_list) else: LOG.debug('This network policy specifies no %(direction)s ' '%(rule_direction)s and no ports: %(policy)s', diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py index 2232f5104..2fd1d7e8c 100644 --- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py +++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py @@ -524,15 +524,12 @@ class TestNetworkPolicyDriver(test_base.TestCase): m_get_ports.assert_called_with(resources[0], port) - @mock.patch('kuryr_kubernetes.controller.drivers.utils.' - 'create_security_group_rule_body') @mock.patch.object(network_policy.NetworkPolicyDriver, '_create_sg_rules_with_container_ports') @mock.patch('kuryr_kubernetes.controller.drivers.utils.get_ports') def test__create_sg_rule_body_on_text_port_egress_all(self, m_get_ports, - m_create_sgr_cont, - m_create_sgr): + m_create_sgr_cont): port = {'protocol': 'TCP', 'port': 22} container_ports = mock.sentinel.ports resources = [{'spec': 'foo'}] @@ -552,9 +549,7 @@ class TestNetworkPolicyDriver(test_base.TestCase): allow_all=True) m_get_ports.assert_called_with(resources[0], port) - m_create_sgr.assert_called_once_with('egress', None, cidr=mock.ANY, - protocol='TCP') - self.assertEqual(len(crd_rules), 1) + self.assertEqual(len(crd_rules), 0) @mock.patch('kuryr_kubernetes.utils.get_subnet_cidr') @mock.patch('kuryr_kubernetes.controller.drivers.utils.' @@ -600,14 +595,8 @@ class TestNetworkPolicyDriver(test_base.TestCase): calls = [mock.call(direction, container_ports[0][1], protocol=port['protocol'], ethertype=e, pods='foo') for e in ('IPv4', 'IPv6')] - calls.append(mock.call(direction, container_ports[0][1], - protocol=port['protocol'], - cidr='10.0.0.128/26')) m_create_sgr.assert_has_calls(calls) - - # NOTE(gryf): there are 3 rules created in case of egress direction, - # since additional one is created for specific cidr in service subnet. - self.assertEqual(len(crd_rules), 3) + self.assertEqual(len(crd_rules), 2) def test__create_all_pods_sg_rules(self): port = {'protocol': 'TCP', 'port': 22}