Seems like the set of resources we gather from K8s for CI gate
debugging purposes was outdated. This commit updates it to make sure
we're also getting NPs and KLBs, while removing Ingress, KuryrNet and
KuryrNetPolicy, which are obsolete today.
Besides that, the KuryrNet and KuryrNetPolicy CRD definitions are removed, as
we haven't been using them for a long time now.
Change-Id: Ia7ecd8f79b6ac0a8172cf108e228e2ea1cb7a0d5
Recent versions of cri-o and containerd are passing K8S_POD_UID as a CNI
argument, alongside K8S_POD_NAMESPACE and K8S_POD_NAME. As the latter
two variables cannot be used to safely identify a pod in the API
(StatefulSet recreates pods with the same name), we were prone to race
conditions in the CNI code that we could only work around. The end effect
was mostly IP conflicts.
Now that the UID argument is passed, we're able to compare the UID from
the request with the one in the API to make sure we're wiring the
correct pod. This commit implements that by making sure to move the
check to the code actually waiting for the pod to appear in the
registry. If K8S_POD_UID is missing from the CNI request, an API call
to retrieve the Pod is used as a fallback.
We also know that this check doesn't work for static pods, so the CRD and
controller needed to be updated to include information on whether the pod is
static in the KuryrPort spec, so that we can skip the check for
static pods without the need to fetch the Pod from the API.
Closes-Bug: 1963677
Change-Id: I5ef6a8212c535e90dee049a579c1483644d56db8
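The UID check described in the commit above, as an added example that is not Kuryr's own code: a CNI ADD request naming a pod is matched against the record held for that namespace/name, and the VIF is only handed out when the UID agrees (with the static-pod skip and the API fallback the message describes). The record type, the function names, the `fetch_pod_uid` callback and the sample pods are assumptions made for this illustration.

```python
# Added example, not Kuryr's own code: check the pod identity carried in the
# CNI request against the record the CNI daemon holds for that pod before
# wiring a VIF. Names (KuryrPortRecord, resolve_port, fetch_pod_uid) and the
# sample data are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PodKey = Tuple[str, str]  # (namespace, name)


@dataclass
class KuryrPortRecord:
    """Subset of what a KuryrPort-like registry entry would carry (assumed)."""
    namespace: str
    name: str
    pod_uid: str
    pod_static: bool
    vif_ip: str


class PodMismatch(Exception):
    """The registry entry belongs to a different pod instance with the same name."""


class PodNotFound(Exception):
    """No registry entry (yet) for the requested namespace/name."""


def parse_cni_args(cni_args: str) -> Dict[str, str]:
    """Parse the semicolon-separated CNI_ARGS string ("K=V;K=V") into a dict."""
    result: Dict[str, str] = {}
    for item in cni_args.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if sep:
            result[key] = value
    return result


def resolve_port(cni_args: str,
                 registry: Dict[PodKey, KuryrPortRecord],
                 fetch_pod_uid: Callable[[str, str], Optional[str]]) -> KuryrPortRecord:
    """Return the registry record for the pod named in the CNI request, but only
    if it is the same pod instance (same UID) the request was issued for.

    fetch_pod_uid(namespace, name) stands in for the fallback API call used when
    the runtime did not pass K8S_POD_UID.
    """
    args = parse_cni_args(cni_args)
    key = (args["K8S_POD_NAMESPACE"], args["K8S_POD_NAME"])
    record = registry.get(key)
    if record is None:
        raise PodNotFound(f"{key[0]}/{key[1]} not in registry yet")

    # Static (mirror) pods don't get a UID we can match this way, so the
    # record carries that fact and the check is skipped for them.
    if record.pod_static:
        return record

    expected_uid = args.get("K8S_POD_UID")
    if expected_uid is None:
        # Older runtimes: fall back to asking the API which UID owns this name.
        expected_uid = fetch_pod_uid(*key)
        if expected_uid is None:
            raise PodNotFound(f"{key[0]}/{key[1]} not found in the API")

    if record.pod_uid != expected_uid:
        # Same namespace/name but a different pod: a StatefulSet recreated it.
        # Wiring this VIF would hand the old pod's IP to the new one.
        raise PodMismatch(
            f"registry has {record.pod_uid}, request is for {expected_uid}")
    return record


def demo_statefulset_recreate() -> Dict[str, str]:
    """Constructed scenario: web-0 was deleted and recreated with a new UID
    while the registry still holds the old instance."""
    stale = {("default", "web-0"): KuryrPortRecord(
        "default", "web-0", pod_uid="uid-old", pod_static=False, vif_ip="10.0.0.5")}
    fresh = {("default", "web-0"): KuryrPortRecord(
        "default", "web-0", pod_uid="uid-new", pod_static=False, vif_ip="10.0.0.9")}
    req = "IgnoreUnknown=1;K8S_POD_NAMESPACE=default;K8S_POD_NAME=web-0;K8S_POD_UID=uid-new"
    api = lambda ns, name: "uid-new"  # what a GET on the Pod would report now
    out: Dict[str, str] = {}
    try:
        resolve_port(req, stale, api)
        out["stale"] = "wired"
    except PodMismatch:
        out["stale"] = "rejected"  # keep waiting for the registry to catch up
    out["fresh"] = resolve_port(req, fresh, api).vif_ip
    return out


if __name__ == "__main__":
    print(demo_statefulset_recreate())  # {'stale': 'rejected', 'fresh': '10.0.0.9'}
```

The caller that waits for the pod to appear in the registry would treat `PodMismatch` the same way as `PodNotFound`: the entry is not the one it is looking for yet, so it keeps polling instead of wiring the stale VIF.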
The timeout-client-data and timeout-member-data configurations
for Octavia listeners default to 50 seconds for load balancers
created by Kuryr. This patch allows the creation and modification
of load balancers handled by Kuryr with different timeout values.
Implements: blueprint configure-lb-listeners-timeout
Change-Id: I99016001c2263023d1fa2637d7b5aeb23b3b2d9d
In theory, with the usage of Finalizers, leaking load balancers
is not possible anymore, and if the CRD is deleted it gets recreated
and the load balancer is recreated as well.
This commit deletes the ensure_release_lbaas and _cleanup_leftover_lbaas
functions.
Change-Id: I0db62a845b23a32eef4358368332c4da2cad5460
In the newly added CRD, KuryrPort, we noticed that the vifs key, which is now
under the 'spec' object, is rather something that could be represented as the
CRD status.
In this patch we propose to move the vifs data under the status key.
Depends-On: I2cb66e25534e44b79f660b10498086aa88ad805c
Change-Id: I71385799775f9f9cc928e4d39a0fd443c98b53c6
This commit is a huge refactoring of how we handle network policies. In
general:
* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
is handled in the constructor of KuryrNetworkPolicyHandler.
* The new CRD has spec and status properties. spec is always populated by
NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
This means that in order to trigger SG rules recalculation on Pod and
Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers into NetworkPolicy and
KuryrNetworkPolicy objects, so that the objects cannot get removed before
KuryrNetworkPolicyHandler has processed their deletion correctly.
Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
This commit adds support for the creation of load balancers, listeners,
members and pools using the CRD; it also fills in the status
field of the CRD.
Depends-On: https://review.opendev.org/#/c/743214/
Change-Id: I42f90c836397b0d71969642d6ba31bfb49786a43
Until now, we have been using pod annotations to store information regarding
the state of the VIFs associated with a pod. This alone has its own issues and
is prone to inconsistency in case of controller failures.
In this patch we propose a new CRD called KuryrPort for storing the
information about VIFs.
Depends-On: If639b63dcf660ed709623c8d5f788026619c895c
Change-Id: I1e76ea949120f819dcab6d07714522a576e426f2
The remote_ip_prefixes field in the KuryrNetPolicy CRD is an object. As it's
not defined with a correct schema, it needs the
x-kubernetes-preserve-unknown-fields property. This commit fixes that.
I'm not defining the field correctly as we're moving to the new CRD anyway.
Change-Id: I71a7bd16ca8e6b7d9acb7398360b58694ede073f
This patch moves the namespace handling to be more aligned
with the k8s style.
Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250
Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
Seems like we don't need sgId on the KuryrNet CRD: it's not written anywhere
and is only read in one place. This patch removes it.
Change-Id: Ia5a0f0dd89d72b16189cb33e97720bc6171239ac
In Kubernetes 1.16 CRDs got out of beta and were added to the regular
apiextensions.k8s.io/v1. This was accompanied by some format changes.
This patch updates our CRD definitions to the new version.
Change-Id: Ib5e64fe72581ef601e5df2e317900566cd476470
NetworkPolicy can replicate what namespace isolation does (and much
more), so we are removing the code that is not needed.
Change-Id: Ib79c21cb92c522744658a204001383b6c0e98846
This commit adds a CRD to Kuryr that contains information about
services' annotations and endpoints' annotations; it also
ensures that the CRD is created on the cluster when using devstack.
Partially-Implements: blueprint move-svc-annotations-to-crds
Change-Id: I4088ad09efe96b2d395fb892750adcb39abee3a4
This commit implements NP driver actions for creating/updating SGs and SG
rules. It also creates KuryrNetPolicy as a CRD so we don't have to rely
on the slow Neutron API for time-costly operations such as listing SGs
and so on.
Security group rules and label matching will be handled in a follow-up
patch, as well as storing the CRD object_id in a network policy annotation.
Unit tests will also be added after some more functionality is added
with the remaining patch series.
Partially-Implements: bp/k8s-network-policies
Change-Id: I6d45a462e812b24073b529144fc0843e8725a06e
In the devstack plugin, add the KURYR_MULTI_VIF_DRIVER parameter to
specify which multi-vif driver is to be enabled. If it's the NPWG
driver, the network attachment definition CRD is created in the
Kubernetes cluster.
Change-Id: I260a44880b9cfb3686843504bd29649e5d0518d0
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace.
Partially Implements: blueprint network-namespace
Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e