There were two situations where we were missing a security group: one for
the LB VIP port, which has an empty security group list, and one on the
request VIF in kuryrport, where we cannot create the port because the SG
was gone during that process.
Closes-Bug: 1903641
Change-Id: I6958ebc4ce888e5d8d68e6458e2a6a270fe6c834
It may happen that there's an unscheduled pod matching a policy when NP
is getting deleted. In that case we'll get a traceback as pod has no
nodeName set. This commit fixes that by making sure we skip unscheduled
pods when detaching SGs from ports on NP deletion.
Change-Id: I5b712ba97e030192d1d24cce2585724a78408e23
Closes-Bug: 1904040
match_selector() has a bug causing it to return True for any
podSelector with any matchLabel and pods without labels at all. This is
totally incorrect and causes issues like applying NPs to pods that should
not be affected by them and probably others.
Change-Id: I47d7e61787675252cf16a9b4ae51871d8a31dc0a
Closes-Bug: 1903067
Closes-Bug: 1903572
CNI spec defines the way to return errors from the CNI plugin, along
with well-defined error codes that can be used by the CNI to decide
how to treat the error. This change updates service.py and main.go
to return CNI errors in the specified form.
Change-Id: Ib76debb56aeb746b92c8260be00f3445cca5948f
Closes-Bug: #1899489
test_network_policy_add_remove_pod is often not finishing in 20 minutes
in the gate, effectively timing out the tempest default timeout. This
commit increases the timeout to 30 minutes to avoid that.
Change-Id: I3bbac8e90553be9424fa0ecdb4c05e096da8f2d7
Python modules related to coding style checks (listed in blacklist.txt
in openstack/requirements repo) are dropped from lower-constraints.txt
as they are not actually used in tests.
Change-Id: Ib5aba86111d9f18724a7bcf87cd64c6b3768d82c
This commit adds a release note announcing the update
of the mtu config value and the reason behind it.
Change-Id: Ieeea42a49e358f48f0d567d9450dc9b2dcc14173
Removing references to deprecated sg_mode config option and its DevStack
setting correspondent, KURYR_K8S_OCTAVIA_SG_MODE. The LB sg creation was
previously removed, so these references were no longer in use in the
code.
Change-Id: I45c60a6c55f50453e811201ffb763d70d7e985ad
Closes-bug: #1900420
Repeated rules are being created for the service while not needed, but
on the downside it causes an increased number of calls to Neutron. In
this patch we're being polite to Neutron by not creating them.
Closes-Bug: 1888407
Change-Id: I4e64fb00666f0d8ebcb757d77b5cbc81bd69f9d3
In our client, for the OpenStack client, we created a workaround for the
missing bulk port create (at that time). It turns out that when running out
of OpenStack resources an SDKException could be thrown, which is fine,
although due to a mistake the message wasn't informative at all.
This patch fixes this.
Closes-Bug: 1901666
Change-Id: Iba0744840231088018ec37cb6e3d98e1df6916fa
The vagrant-devstack-Kuryr-Kubernetes 'Vagrant Options available' in
the README stated that the default VAGRANT_KURYR_VM_MEMORY is 4096,
this change updates it to 6144 and mentions that for a lighter
devstack installation ovn and ovn-octavia driver can be used.
This change also updates the url for atlas.
Change-Id: Idb20cc2c89043a2aaf13335aec44acced283baf4
Closes-Bug: 1901558
Follow up patch for "split kuryr-cni and kuryr-controller service
account". Removes reference to service_account.yml
Change-Id: I17abb6c4e343ef6fdd29f5fdc74dc89dce55c469
Updates the documentation about enabling the network policy
support to include the option to set enforce_sg_rules to false.
Change-Id: Ic7247718d7d179e87ea84bbc21a022791091c439
Closes-Bug: #1901097
When using amphora with Octavia and a network policy which is
blocking the traffic within the namespace, the LB listener was set to
offline state. After removal of the NP, the listener state was still
offline. In this patch we fix that case.
Change-Id: I406cdc7d368122c6f828e9fa481d267e56b22ca6
Closes-Bug: 1899148
The same ServiceAccount was used for kuryr-controller and kuryr-cni.
This change splits the ServiceAccount, generates two ServiceAccounts,
controller_service_account.yaml and cni_service_account.yaml and
applies them. The documentation, Kuryr installation as a Kubernetes
network addon, was also updated to reflect this change.
Change-Id: I567aaa38f5498af4641e06002b808915dd467aec
Closes-Bug: #1764783
I've removed the outdated ENV variable KURYR_K8S_LBAAS_USE_OCTAVIA
reference from the documentation, as this was misleading and was not
enforced anywhere.
Closes-Bug: #1901081
Change-Id: I7b114de5913eeeb9e0caa4bebef39ca5038d6dc4
We should allow the user to config the mtu
for the namespace networks and for VIFs when
the bridge driver is used.
Change-Id: I1685e31825f15387b6486713ce007b62e915df28
The _generate_lbaas_port_specs method on the lbaas handler
is not used anymore, it should be removed along with
the unit tests for it.
Change-Id: I3982fc6c292a2823c4581897569e885a27b9e406
Closes-Bug: #1901161
Due to bug 1899182 we were creating KuryrPorts and in consequence
Neutron ports for host networking pods. This is totally unnecessary and
those ports were not used at all. This commit makes sure that even if a
version with the bug was run, on kuryr-controller update those ports will get
deleted automatically.
Change-Id: I5f7047cb6bee1879dc37cbba1b6248e0a5086322
Related-Bug: 1899182
The kuryr-cni.conf file was removed and is no longer provided in the ConfigMap
(kuryr-config). The only file present in the ConfigMap is the kuryr.conf file.
The Kuryr-Kubernetes documentation for containerized installation and how to
enable ports pool support was updated to reflect this change.
Change-Id: I1afbd1db9e90727b2f3dbed3a1341f99550b3a2b
Closes-Bug: #1900723
The infamous `NetlinkError: (17, 'File exists')` started to bug us again
due to changes in when cri-o is deleting network namespaces. This patch
is an ultimate brute-force attempt to fix the problem. The idea is that
on NetlinkError kuryr-daemon will iterate over *all* network namespaces
in the system and delete interfaces that have the conflicting VLAN ID.
Closes-Bug: 1892388
Change-Id: I6672ed0e0db99a91b68cc4d9e74a33d8a9bcf0ca
The lbaasv2 haproxy driver was removed and deprecated,
and the only supported option at the moment is octavia.
The Kuryr-Kubernetes documentation for Kubernetes services networking was
updated to reflect this change.
Change-Id: I72811ae0b9d15c781a7cce567d29c8189832fcb7
Closes-Bug: #1899284
This commit fixes the order of enabling the IPv6 support on DevStack.
Otherwise installation fails.
Change-Id: Ibfd23c108dd2d4718744099cb288cb063e679826
The handlers that need to be enabled to correctly handle
Kubernetes Services events are (endpoints,service,kuryrloadbalancer)
and not (lb,lbaasspec) as placed in most of the docs.
This was due to the recent movement to KuryrLoadBalancer custom
resources definitions (CRD).
Change-Id: I0eff3b68839a659d39650e2cb22956e30d2c7332
Closes-Bug: #1899013
Current DevStack version does not support Ubuntu Xenial,
we should update the Vagrantfile to use Bionic instead.
Also, current DevStack requires IPv6 to be enabled on
the VM, let's make sure that is present.
Change-Id: I6fad390367476ed50cac38d84edee4387c2275f1