In network policy driver we are using security groups for the OpenStack
side to create appropriate port ranges to be open for certain hosts (or
all hosts). In this patch we add a mechanism for selecting the right IP
version for the rule, or creating rules for both (IPv4 and IPv6) network
types.
Implements: blueprint kuryr-ipv6-support
Change-Id: Ie7544aeebb1d18038ebc19c8f815b69213b55a88

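Added example, not part of the commit message or of the kuryr-kubernetes code: a helper that derives the Neutron security-group-rule `ethertype` from the IP version of each remote prefix, and emits one IPv4 and one IPv6 rule when no prefix is given (the "all hosts" case). Field names are those of the Neutron security-group-rule API; `build_sg_rules` and the sample prefixes are this example's own.

```python
import ipaddress

# Added example (not kuryr-kubernetes code). Builds Neutron-style security
# group rule bodies whose 'ethertype' matches the address family of the
# remote prefix. Neutron rejects a rule whose remote_ip_prefix family does
# not match its ethertype, so deriving the ethertype from the prefix avoids
# that class of create failures.


def _rule(direction, ethertype, protocol, port_min, port_max, remote_prefix=None):
    rule = {
        "direction": direction,
        "ethertype": ethertype,
        "protocol": protocol,
        "port_range_min": port_min,
        "port_range_max": port_max,
    }
    if remote_prefix is not None:
        rule["remote_ip_prefix"] = remote_prefix
    return rule


def build_sg_rules(direction, protocol, port_min, port_max, remote_prefixes=None):
    """Return one rule per remote prefix, with ethertype chosen from the
    prefix's IP version, or two rules (IPv4 and IPv6) when no prefixes are
    given, i.e. the port range is opened for all hosts of both families."""
    if not remote_prefixes:
        return [_rule(direction, et, protocol, port_min, port_max)
                for et in ("IPv4", "IPv6")]
    rules = []
    for prefix in remote_prefixes:
        # Raises ValueError for anything that is not a valid network; a
        # malformed prefix should fail loudly rather than become a rule.
        net = ipaddress.ip_network(prefix, strict=False)
        ethertype = "IPv4" if net.version == 4 else "IPv6"
        rules.append(_rule(direction, ethertype, protocol, port_min, port_max, str(net)))
    return rules


if __name__ == "__main__":
    for r in build_sg_rules("ingress", "tcp", 80, 80, ["10.0.0.0/24", "fd00::/64"]):
        print(r)
    for r in build_sg_rules("ingress", "tcp", 443, 443):
        print(r)
```

`strict=False` normalises host bits (e.g. `10.0.0.5/24` becomes `10.0.0.0/24`), so the stored prefix is what Neutron will actually enforce.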
Sometimes we create a lot of security group rules, which might exceed
the quotas. In this patch we propose to distinguish conflict exceptions
for quota exceeding from "rule already exists".
Change-Id: Icea686ec9d1fcb701f1853c40d6cfd4ca20fd0ac

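Added example, not part of the commit message or of the kuryr-kubernetes code: Neutron answers both an exhausted quota and a duplicate rule with HTTP 409, so a caller that treats every 409 as "already exists" silently stops enforcing policy once the quota is hit. The classifier below reads the standard Neutron error envelope (`{"NeutronError": {"type": ..., "message": ...}}`); the type names `OverQuota` and `SecurityGroupRuleExists` are the neutron-lib exception class names and should be verified against the deployment, and the two sample bodies are constructed.

```python
import json

# Added example (not kuryr-kubernetes code). Tells a quota failure apart
# from a duplicate-rule conflict so that only the latter is treated as
# success. Exception type names are assumptions taken from neutron-lib
# exception classes; sample response bodies are constructed.

QUOTA_TYPES = {"OverQuota"}
EXISTS_TYPES = {"SecurityGroupRuleExists"}


def classify_conflict(status_code, body):
    """Return 'quota', 'exists' or 'other' for an HTTP status and body."""
    if status_code != 409:
        return "other"
    try:
        err = json.loads(body)["NeutronError"]
    except (ValueError, KeyError, TypeError):
        return "other"
    etype = err.get("type", "")
    if etype in QUOTA_TYPES:
        return "quota"
    if etype in EXISTS_TYPES:
        return "exists"
    # Fall back to the message text when the type is missing or unfamiliar.
    msg = err.get("message", "").lower()
    if "quota exceeded" in msg:
        return "quota"
    if "already exists" in msg:
        return "exists"
    return "other"


def create_rule_outcome(status_code, body):
    """Decide what the caller should do after a rule-create attempt:
    'created' on success, 'skip' for a duplicate (policy is already in
    place), 'fail' for quota or any other error (policy is NOT enforced)."""
    if status_code in (200, 201):
        return "created"
    kind = classify_conflict(status_code, body)
    return "skip" if kind == "exists" else "fail"


SAMPLE_QUOTA = json.dumps({"NeutronError": {
    "type": "OverQuota",
    "message": "Quota exceeded for resources: ['security_group_rule'].",
    "detail": ""}})
SAMPLE_EXISTS = json.dumps({"NeutronError": {
    "type": "SecurityGroupRuleExists",
    "message": "Security group rule already exists. Rule id is <constructed-id>.",
    "detail": ""}})

if __name__ == "__main__":
    print(create_rule_outcome(409, SAMPLE_QUOTA))   # fail
    print(create_rule_outcome(409, SAMPLE_EXISTS))  # skip
```

The important outcome is that a quota failure is reported as `fail`: a rule that was never created means traffic the policy meant to allow or restrict is not being handled, and that must surface in logs or health checks rather than be swallowed.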
get_pod_ip() does not make any API calls and just gets the IP from VIF
annotation. Maybe it would make some sense to cache it to avoid several
dict lookups, but current version bases cache on whole pod object, which
we know may change often over time, so I don't think there's a point in
keeping the cache here.
Change-Id: Id441700ac7add94a675c3a38434abae0b826b766

This patch moves the namespace handling to be more aligned
with the k8s style.
Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250
Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5

Since we already migrated fully to Python3, it's time to also remove
bits needed for Python2. One of those libs is six.
Change-Id: Ib984d7b4b3c1048ed091c78986c634689a8ace8c

Our hacking module is ancient and makes Python 3.6's f-strings fail the
PEP8 check. This commit bumps hacking to a newer version and fixes
violations found by it.
Change-Id: If8769f7657676d71bcf84c08108e728836071425

get_ports_by_attrs was using neutron client for obtaining ports with
specified attributes. OpenStackSDK has this OOTB, so that one can query
for ports simply by using os.network.ports(name=…, tags=[…], …), so
there is no need for an additional function.
Also, make use of previously added real port object in tests. By using
openstack.network.v2.port.Port objects we gain such confidence
that we are dealing with a port object, dict, tuple, or any other data
type, so that we can treat it accordingly in the code.
Implements: blueprint switch-to-openstacksdk
Change-Id: I7b597f7229113a598de631641bde04e083fea4b5

Besides the refactor itself, there were several issues resolved, like
appropriate data handling - because macvlan driver is still using
neutron client, we have to deal with dict data and openstacksdk objects
at the same time in a couple of helper methods in os_vif_util module.
Furthermore, the helper method for creating a port object for test purposes
was moved to the fake module, since it is also utilized in tests for os vif
utils.
Change-Id: Iefc758ac22e1688ca9d017d5a4c1d32c4cf0583a
Implements: blueprint switch-to-openstacksdk

Besides driver itself, there was a change also for utils/os_vif_util
modules, since while changing neutron objects to OpenStackSDK objects,
signature has also changed.
Also, favor using attribute-based access for Munch objects (all
OpenStackSDK objects are basically Munch based), so that we can also
have these working in older versions of OpenStackSDK.
Implements: blueprint switch-to-openstacksdk
Change-Id: I7db217aa9f2b09b38d5e8709cf3712646f6b6893

This is the result of running 2to3 without the dict fix (as it seems
unnecessary for most of our cases).

In Python 3 {}.values() returns a view that is not indexable. This
commit uses list() on that to make AddHandler.should_callback compatible
with Python 3.
Change-Id: I354597f43d43630f9fb875dd8c9ab741c35af723

When an egress Network Policy is enforced, there is no
need to allow the update of the LB SG. Right now, as this
operation is being allowed, we can end up with ingress
rules being removed from the LB.
Closes-Bug: 1850715
Change-Id: Idcdef5c4f2f47a165bfb9b38779b591d5b995216

In case the KuryrNet CRD addition is being handled and the
namespace is not present on the cluster anymore, the Kuryr Controller
is marked as unhealthy and restarted. This commit ensures
any event that tries to get a not present namespace is skipped.
Closes-Bug: 1846525
Change-Id: I9468785e79c5692709e5c50a3b92cc30f6a37fd8

When a Network Policy is enforced we shouldn't try to update the
SG of a LBaaS that would map to a SVC without selector, as this
kind of SVC is not wired by Kuryr. Also, we shouldn't try to update
the LBaaS SG when no ports are defined in the SVC spec.
Closes-Bug: 1845917
Change-Id: I94a288f2b66bd2444d177931f509e1b6ef250235

We are retrieving the pod IP from a nonexistent annotation
field, when it should be from the annotations in the pod metadata.
Also, when this information is not present we keep retrying with
the same pod object, which doesn't contain an annotation,
causing the controller restart.
Closes-Bug: 1845635
Change-Id: I04095a7d36219175c09d4503f2347ab035d3e242

This patch ensures the kuryrnet handler does not start with the
pools prepopulation for newly created subnets as soon as the
kuryrnet crd object is created, but waits for the namespace handler
to complete the namespace creation actions (subnet creations, sgs,
and finally namespace annotations with kuryrnetcrd).
Change-Id: Id85eace3763a67d404e3785003490478734af3c9

When a pod takes a while to get annotated with the VIF information,
the retrieval of the pod IP from the annotations might fail due to
missing annotation, causing the controller to restart.
This commit fixes the issue by ensuring the pod IP is only retrieved
after the pod is annotated.
Change-Id: Iac1570b76783d532b77e7d8be96f2b71a19f8409
Closes-Bug: 1841758

In case of kuryr-controller crash/restart while creating a namespace
it may happen that some network resources are leftover as the kuryr
net crd was not yet created. This may lead to a waste of OpenStack
network resources (networks, subnets). This patch ensures the namespace
is cleaned up before creating the resources in case a previous attempt
was made without completing the kuryr net crd creation.
Change-Id: Iddc03090dc8a847abe4afa2bed0900f0c7cf6936

This patch makes use of the KuryrNet CRD spec to ensure pools
population actions on a new namespace only happen once.
Closes-Bug: 1833032
Change-Id: Ia561833d594c55c17a9dc1a588d39bf3410cdf81

The LBaaS SG is not updated when a pod that is referenced by a
service has a network policy that restricts/accepts traffic from
pods in different namespaces. For example: pod-A on namespace-A is
created and according to a network policy should affect the traffic
to pod-B on namespace-B, and consequently to the service that has
pod B as a backend pod.
Change-Id: Idb3365e70e66dd8544f5b97aece312bc18c57ee5
Closes-Bug: 1830598

This commit updates neutron sriov ports when
the POD that contains them is in Running state.
It makes a request to the neutron API to update ports
with binding:profile information.
Due to this it is required to perform actions with a
privileged user having admin rights.
Change-Id: Iade446cefd78b494291729939db7db75692392c9
Closes-Bug: 1818606
Signed-off-by: Danil Golov <d.golov@samsung.com>

This commit adds support for Network Policies that define ports
with text. In the case of an ingress rule with a named port, the pods
selected by NetworkPolicySpec's podSelector have their containers
verified to check for ports with the same name. In the case of an egress rule
all the pods selected by the NetworkPolicyEgressRule's selector
have their containers verified to check if the container ports
have the same name as the ones defined in the policy rule ports.
If matched, a security group rule with
a 'remote_ip_prefixes' field pointing to that pod is created.
Change-Id: If1eddc3e6cc4884ca53e81e4f87b5fae80fed70e
Closes-Bug: 1818983

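Added example, not part of the commit message or of the kuryr-kubernetes code: the resolution step the commit describes, from a policy port given by name to the numeric `containerPort` of each selected pod, producing one security-group rule per pod that actually exposes that name. The pod objects are a constructed, minimal subset of the Kubernetes pod schema; pods without a `podIP` yet are skipped, since there is nothing to point a rule at. The rule uses the Neutron field name `remote_ip_prefix` with a host-length prefix.

```python
import ipaddress

# Added example (not kuryr-kubernetes code). Resolves a NetworkPolicy port
# given by name to the numeric container ports of the selected pods and
# builds one security-group rule per matching pod. Pod data below is a
# constructed subset of the Kubernetes pod object.


def _container_ports(pod):
    for container in pod["spec"].get("containers", []):
        for port in container.get("ports", []):
            yield port


def resolve_named_port(pods, name, protocol="TCP"):
    """Return [(pod_ip, container_port)] for pods exposing a port called `name`
    with the given protocol (Kubernetes defaults a port's protocol to TCP)."""
    matches = []
    for pod in pods:
        pod_ip = pod.get("status", {}).get("podIP")
        if not pod_ip:
            continue  # not scheduled/annotated yet; no address to allow
        for port in _container_ports(pod):
            if port.get("name") == name and port.get("protocol", "TCP") == protocol:
                matches.append((pod_ip, port["containerPort"]))
    return matches


def rules_for_named_port(pods, name, protocol="TCP", direction="ingress"):
    """One rule per matching pod, scoped to that pod's address only."""
    rules = []
    for pod_ip, number in resolve_named_port(pods, name, protocol):
        ip = ipaddress.ip_address(pod_ip)
        rules.append({
            "direction": direction,
            "ethertype": "IPv4" if ip.version == 4 else "IPv6",
            "protocol": protocol.lower(),
            "port_range_min": number,
            "port_range_max": number,
            "remote_ip_prefix": "%s/%d" % (pod_ip, ip.max_prefixlen),
        })
    return rules


# Constructed sample pods: two expose 'http' (one IPv4, one IPv6), one
# exposes a different name, one has no IP yet.
PODS = [
    {"metadata": {"name": "web-1"},
     "spec": {"containers": [{"name": "web", "ports": [
         {"name": "http", "containerPort": 8080, "protocol": "TCP"}]}]},
     "status": {"podIP": "10.0.0.5"}},
    {"metadata": {"name": "web-2"},
     "spec": {"containers": [{"name": "web", "ports": [
         {"name": "http", "containerPort": 8080}]}]},
     "status": {"podIP": "fd00::5"}},
    {"metadata": {"name": "db-1"},
     "spec": {"containers": [{"name": "db", "ports": [
         {"name": "pg", "containerPort": 5432}]}]},
     "status": {"podIP": "10.0.0.6"}},
    {"metadata": {"name": "pending"},
     "spec": {"containers": [{"name": "web", "ports": [
         {"name": "http", "containerPort": 8080}]}]},
     "status": {}},
]

if __name__ == "__main__":
    for rule in rules_for_named_port(PODS, "http"):
        print(rule)
```

Because the numeric port is read from each pod rather than from the policy, two pods that map the same name to different container ports correctly get different rules; and a pod that never exposes the name gets no rule at all, which is the intended "named port matches nothing" behaviour rather than a fallback to all ports.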
Ensure port_range_min can be skipped as the default value (all ports)
is considered anyway.
Closes-Bug: 1824366
Change-Id: Ic0e724458176b451c3e67413d27a12885f965b99

When Pods or Network Policies are created/updated/deleted, only the affected
service(s) should have the SG updated. Right now, all the services are updated.
This commit fixes the issue, on the Network Policy side, by checking if any of
the pods selected by a Service is also selected by a Network Policy, and if so
update the SG of that LBaaS.
And on the Pods side, by matching the Service selectors and Network Policy
selectors, when this NP got the pointed pods SG updated. If the selectors
match the LBaaS SG is updated.
Closes-Bug: 1818203
Change-Id: Id996651a7d03bc7621e57b46825ddfa9d98e48ce

When a service is created with a Network Policy applied and
deployments are scaled up or down, the LBaaS SG rules should be
updated accordingly. Right now, the LBaaS/Service do not react on
deployment scales.
This commit fixes the issue by ensuring that the LBaaS SG is updated
on pod events.
Also, when Pods, Network Policies and SVCs are created together it might
happen that the LBaaS SG remains with default SG rules, even though
the policy is being enforced. This commit ensures the right SG rules
are applied on a LBaaS regardless of the order of k8s resources creation.
This happens by setting the LBaaS Spec annotation whenever a request
to update the SG rules has been made and retrieving the Spec again
whenever a LBaaS member is created.
Change-Id: I1c54d17a5fcff5387ffae2b132f5036ee9bf07ca
Closes-Bug: 1816015

If we consider a K8s cluster running on OpenStack VM's, which is a
perfect use case for Kuryr-Kubernetes, we can easily imagine creating
multiple clusters in a single OpenStack public or private cloud. In such
use case those K8s clusters may come and go. As Kuryr is creating some
OpenStack resources, such as ports, networks, subnets, floating IP's or
SG's, it's useful to have a way of identifying those Kuryr-created
resources to delete them along with the K8s cluster that used them.
This commit makes that possible by adding an option to add a tag to all
Neutron resources created by Kuryr.
Change-Id: If75028e17d13ec62fb414fa9797ee7ac02d948d1
Implements: blueprint kuryr-resources-tagging

When the podSelector of a NP is updated, the podSelector
on the respective CRD must also be updated with the same
value. However, this does not happen in case the field of a label
is updated, for example: Label {'app: demo'} is updated to
{'context:demo'} the result given is {'app: demo', 'context:demo'}
when it should be {'context:demo'}. And after that, if the updated label
{'context:demo'} is removed from the NP, it will not be removed from the CRD.
These cases happen because the podSelector field is a dict and not
a list.
This commit fixes the issue by changing the merge strategy to
JSON Patch, instead of JSON Merge Patch.
Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3
Closes-Bug: 1810394

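Added example, not part of the commit message or of the kuryr-kubernetes code: the two patch semantics side by side on the exact label change the commit describes. JSON Merge Patch (RFC 7386) merges dicts key by key and can only delete a key that is explicitly set to `null`, so sending the new selector leaves the old label in place; a JSON Patch (RFC 6902) `replace` swaps the whole `podSelector` value. Both appliers are minimal and written for this example (single-level paths only, no JSON Pointer escaping); the CRD document is constructed.

```python
import copy

# Added example (not kuryr-kubernetes code). Contrasts RFC 7386 JSON Merge
# Patch with an RFC 6902 JSON Patch 'replace' on a dict-valued field.
# Appliers are minimal and written for this example; CRD data is constructed.


def apply_merge_patch(target, patch):
    """RFC 7386: dict patches merge key-by-key; null deletes a key;
    any non-dict patch value replaces the target outright."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def apply_json_patch(target, ops):
    """Minimal RFC 6902: 'add', 'replace' and 'remove' with plain
    slash-separated paths (no '~0'/'~1' escaping, no array indices)."""
    result = copy.deepcopy(target)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        node = result
        for part in parts[:-1]:
            node = node[part]
        key = parts[-1]
        if op["op"] == "replace":
            if key not in node:
                raise KeyError(op["path"])  # RFC 6902: replace target must exist
            node[key] = copy.deepcopy(op["value"])
        elif op["op"] == "add":
            node[key] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del node[key]
        else:
            raise ValueError("unsupported op %r" % op["op"])
    return result


# Constructed CRD fragment holding the selector copied from the NP.
CRD = {"spec": {"podSelector": {"matchLabels": {"app": "demo"}}}}
NEW_SELECTOR = {"matchLabels": {"context": "demo"}}


def update_selector_merge(crd, selector):
    """The buggy strategy: merge patch keeps 'app' alongside 'context'."""
    return apply_merge_patch(crd, {"spec": {"podSelector": selector}})


def update_selector_json_patch(crd, selector):
    """The fixed strategy: replace the whole podSelector value."""
    return apply_json_patch(crd, [
        {"op": "replace", "path": "/spec/podSelector", "value": selector}])


if __name__ == "__main__":
    print(update_selector_merge(CRD, NEW_SELECTOR)["spec"]["podSelector"])
    print(update_selector_json_patch(CRD, NEW_SELECTOR)["spec"]["podSelector"])
```

The security consequence of the merge-patch result is that the CRD's selector becomes `{'app': 'demo', 'context': 'demo'}`, which under `matchLabels` AND-semantics selects fewer pods than the NP intended, so pods that should be governed by the policy may fall back to whatever security group they had before.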
When a namespace is created, deleted or updated and
its labels match the namespaceSelector of a NP,
the CRD and the respective sg must be updated.
Partially Implements: blueprint k8s-network-policies
Change-Id: I515de28647f5f06248555733c27dd4f5a56149ec

This patch adds support for Network Policy on services. It
applies pods' security groups onto the services in front of them.
It makes the next assumptions:
- All the pods pointed by one svc have the same labels, thus the same
sgs being enforced
- Only copies the SG rules that have the same protocol and direction
as the listener being created
- Adds a default rule to NP to enable traffic from services subnet CIDR
Partially Implements: blueprint k8s-network-policies
Change-Id: Ibd4b51ff40b69af26ab7e7b81d18e63abddf775b

When a pod gets created, deleted or updated and its labels
match the PodSelector of a NP, the sg must be updated.
Partially Implements: blueprint k8s-network-policies
Change-Id: Ic0dd3bc93e2453460c4d8dea360efd414b6ae42b

This includes support for both types, when the pod selector is used alone
or together with a namespace selector.
TODO in follow up patch sets:
- React to new pods/namespaces created with labels
- React to pod/namespaces relabeling/deletion
Partially Implements: blueprint k8s-network-policies
Change-Id: Ie29b9da64fcd5df7b9a0e9af7b4835208f76da66

This commit adds support to match expressions and redesigns how
Security Groups are fetched and applied to pods that match
a Network Policy.
Change-Id: I5d2831b09e24a2adc3c26aa29f1e7b131e9314ba

This patch set ensures that:
- A new network policy is applied to existing pods
- A modification on the network policy selector gets applied on the
associated pods
- Deleting a network policy updates the access policies on the
associated pods
- There is no race at deleting the network policy, ensuring the
security group is first deleted from the ports and then removed
as part of the network policy deletion process
Partially Implements: blueprint k8s-network-policies
Change-Id: I25aa23b87947662333c021b9df3e83b9de2515e2

Several functions, such as _get_network_id, _get_port_name,
_get_device_id, _get_host_id were members of NeutronPodVIFDriver, but
used neither the state of the class instance nor the class itself. These
functions will be used in several places, e.g. SriovVIFDriver.
Also there was code duplication in vif_pool.py.
Not all functions that work with a pod and don't touch class/instance state
will be moved to utils.py, because these functions aren't used anywhere else.
Change-Id: Id9dcb2ab2aeffc74b15cface18659557b2efb3b7
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>