Merge "Ensure LB sg rules use IPv6 when enabled"

2020-03-12 18:15:06 +00:00 · 2020-03-12 18:15:06 +00:00 · e461600ffa
parent 04e61fb82c 7fb7d96c21
commit e461600ffa
3 changed files with 25 additions and 0 deletions
--- a/kuryr_kubernetes/constants.py
+++ b/kuryr_kubernetes/constants.py
@ -66,6 +66,10 @@ KURYR_VIF_TYPE_SRIOV = 'sriov'
 OCTAVIA_L2_MEMBER_MODE = "L2"
 OCTAVIA_L3_MEMBER_MODE = "L3"
 NEUTRON_LBAAS_HAPROXY_PROVIDER = 'haproxy'
+IPv4 = 'IPv4'
+IPv6 = 'IPv6'
+IP_VERSION_4 = 4
+IP_VERSION_6 = 6

 VIF_POOL_POPULATE = '/populatePool'
 VIF_POOL_FREE = '/freePool'
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import ipaddress
 import random
 import time

@ -24,6 +25,7 @@ from oslo_utils import versionutils

 from kuryr_kubernetes import clients
 from kuryr_kubernetes import config
+from kuryr_kubernetes import constants as k_const
 from kuryr_kubernetes.controller.drivers import base
 from kuryr_kubernetes.controller.drivers import utils as c_utils
 from kuryr_kubernetes import exceptions as k_exc
@ -299,11 +301,14 @@ class LBaaSv2Driver(base.LBaaSDriver):
                                                                  max_port+1)):
                            continue
                        all_pod_rules.append(rule)
+                        sg_rule_ethertype = ipaddress.ip_network(
+                            rule.remote_ip_prefix).version
                        try:
                            LOG.debug("Creating LBaaS sg rule for sg: %r",
                                      lb_sg)
                            os_net.create_security_group_rule(
                                direction='ingress',
+                                ether_type=sg_rule_ethertype,
                                port_range_min=port,
                                port_range_max=port,
                                protocol=protocol,
@ -330,9 +335,13 @@ class LBaaSv2Driver(base.LBaaSDriver):
            self._delete_rule_if_no_match(rule, all_pod_rules)

        if add_default_rules:
+            sg_rule_ethertype = k_const.IPv4
+            if utils.get_service_subnet_version() == k_const.IP_VERSION_6:
+                sg_rule_ethertype = k_const.IPv6
            try:
                LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg)
                os_net.create_security_group_rule(direction='ingress',
+                                                  ether_type=sg_rule_ethertype,
                                                  port_range_min=port,
                                                  port_range_max=port,
                                                  protocol=protocol,
--- a/kuryr_kubernetes/utils.py
+++ b/kuryr_kubernetes/utils.py
@ -353,3 +353,15 @@ def get_service_ports(service):
             'port': port['port'],
             'targetPort': str(port['targetPort'])}
            for port in service['spec']['ports']]
+
+
+@MEMOIZE
+def get_service_subnet_version():
+    os_net = clients.get_network_client()
+    svc_subnet_id = CONF.neutron_defaults.service_subnet
+    try:
+        svc_subnet = os_net.get_subnet(svc_subnet_id)
+    except os_exc.ResourceNotFound:
+        LOG.exception("Service subnet %s not found", svc_subnet_id)
+        raise
+    return svc_subnet.ip_version