Remove the network policy creation in k8s orchestrator

Previously, the network policy(based on ipBlock) is created during k8s
orchestrator initialization to restrict the function pod access from
outside.

However, a Kubernetes NetworkPolicy is designed to control traffic inside
the cluster, so it does not make sense to define one in order to restrict
inbound traffic from outside the cluster. A typical example is when
Calico is used as network plugin in the k8s cluster, the source IP
address from the pod's perspective is coming from the worker node rather
than the original IP address of outside.

We need to remove the network policy creation for now and leave that
part of security concerns to the future design.

The config option `CONF.kubernetes.trusted_cidrs` is deprecated for
removal.

Change-Id: I91905ba36b36f152a987ce2b742de33e423ed2db
Story: #2005777
Task: #33500
Story: #2005710
Task: #31036
This commit is contained in:
Lingxian Kong 2019-05-27 11:58:04 +12:00
parent f8e1567659
commit 6e56154652
5 changed files with 1 additions and 101 deletions


@ -147,12 +147,6 @@ function configure_qinling {
fi
iniset $QINLING_CONF_FILE kubernetes replicas 5
if [ -n ${QINLING_TRUSTED_CIDRS} ]; then
iniset $QINLING_CONF_FILE kubernetes trusted_cidrs ${QINLING_TRUSTED_CIDRS}
else
iniset $QINLING_CONF_FILE kubernetes trusted_cidrs "${HOST_IP}/32,127.0.0.1/32"
fi
}


@ -28,4 +28,3 @@ QINLING_SIDECAR_IMAGE=${QINLING_SIDECAR_IMAGE:-openstackqinling/sidecar:0.0.2}
QINLING_INSTALL_K8S=${QINLING_INSTALL_K8S:-True}
QINLING_K8S_APISERVER_TLS=${QINLING_K8S_APISERVER_TLS:-True}
QINLING_TRUSTED_CIDRS=${QINLING_TRUSTED_CIDRS:-""}


@ -184,6 +184,7 @@ kubernetes_opts = [
),
cfg.ListOpt(
'trusted_cidrs',
deprecated_for_removal=True,
item_type=cfg.types.String(),
default=[],
help='List of CIDR that have access to the services in '
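Review bot: The added `deprecated_for_removal=True` gives operators no reason for the deprecation, while the help text on the next line still promises that `trusted_cidrs` controls which CIDRs can reach the function pods — yet the only reader of this option visible in this commit (`self.conf.kubernetes.trusted_cidrs` in the removed `_ensure_network_policy`) is deleted, so an operator who has set it will presumably see a deprecation warning and still believe ingress is restricted when no policy is created at all. oslo.config lets the warning carry that fact: add `deprecated_reason='The ipBlock NetworkPolicy that consumed this option is no longer created; the option currently has no effect.'` next to the new line, and `deprecated_since=` with the release if the project records one. The `cfg.ListOpt` definition continues past the end of the hunk, so the remainder of the help string should be reworded there as well to state that the option is unused.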


@ -20,7 +20,6 @@ import time
import jinja2
from kubernetes.client import V1DeleteOptions
from oslo_log import log as logging
from oslo_utils import netutils
import requests
import tenacity
import yaml
@ -50,9 +49,6 @@ class KubernetesManager(base.OrchestratorBase):
# Create namespace if not exists
self._ensure_namespace()
# Create the network policy if not exists
self._ensure_network_policy()
# Get templates.
template_loader = jinja2.FileSystemLoader(
searchpath=os.path.dirname(TEMPLATES_DIR)
@ -91,43 +87,6 @@ class KubernetesManager(base.OrchestratorBase):
LOG.info('Namespace %s created.', self.conf.kubernetes.namespace)
def _ensure_network_policy(self):
policy_name = 'allow-qinling-engine-only'
namespace = self.conf.kubernetes.namespace
ret = self.v1extension.list_namespaced_network_policy(namespace)
policies = [i.metadata.name for i in ret.items]
if policy_name not in policies:
if len(self.conf.kubernetes.trusted_cidrs) != 0:
cidrs = self.conf.kubernetes.trusted_cidrs
else:
host_ip = netutils.get_my_ipv4()
cidrs = ["%s/32" % host_ip]
LOG.info('Creating network policy %s(allow %s) in namespace %s',
policy_name, cidrs, namespace)
from_def = []
for cidr in cidrs:
from_def.append({'ipBlock': {'cidr': cidr}})
policy_body = {
'apiVersion': 'extensions/v1beta1',
'kind': 'NetworkPolicy',
'metadata': {'name': policy_name},
'spec': {
'podSelector': {},
'policyTypes': ["Ingress"],
'ingress': [{'from': from_def}]
}
}
self.v1extension.create_namespaced_network_policy(
namespace, policy_body)
LOG.info('Network policy %s in namespace %s created.',
policy_name, namespace)
@tenacity.retry(
wait=tenacity.wait_fixed(2),
stop=tenacity.stop_after_delay(600),


@ -18,7 +18,6 @@ import yaml
import mock
from oslo_config import cfg
from oslo_utils import netutils
from qinling import config
from qinling import exceptions as exc
@ -62,14 +61,6 @@ class TestKubernetesManager(base.DbTestCase):
namespaces.items = [namespace]
self.k8s_v1_api.list_namespace.return_value = namespaces
network_policy = mock.Mock()
network_policy.metadata.name = 'allow-qinling-engine-only'
network_policies = mock.Mock()
network_policies.items = [network_policy]
self.k8s_v1_ext.list_namespaced_network_policy.return_value = (
network_policies
)
self.manager = k8s_manager.KubernetesManager(self.conf,
self.qinling_endpoint)
@ -141,50 +132,6 @@ class TestKubernetesManager(base.DbTestCase):
self.assertEqual(2, self.k8s_v1_api.list_namespace.call_count)
self.k8s_v1_api.create_namespace.assert_not_called()
def test__ensure_network_policy(self):
# self.manager is not used in this test.
network_policies = mock.Mock()
network_policies.items = []
v1ext = self.k8s_v1_ext
v1ext.list_namespaced_network_policy.return_value = network_policies
k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
host_ip = netutils.get_my_ipv4()
cidr = "%s/32" % host_ip
network_policy_body = {
'apiVersion': 'extensions/v1beta1',
'kind': 'NetworkPolicy',
'metadata': {'name': 'allow-qinling-engine-only'},
'spec': {
'podSelector': {},
'policyTypes': ["Ingress"],
'ingress': [{'from': [{'ipBlock': {'cidr': cidr}}]}]
}
}
v1ext.list_namespaced_network_policy.assert_called_with(
self.fake_namespace
)
v1ext.create_namespaced_network_policy.assert_called_once_with(
self.fake_namespace, network_policy_body)
def test__ensure_network_policy_not_create(self):
# self.manager is not used in this test.
item = mock.Mock()
item.metadata.name = 'allow-qinling-engine-only'
network_policies = mock.Mock()
network_policies.items = [item]
v1ext = self.k8s_v1_ext
v1ext.list_namespaced_network_policy.return_value = network_policies
k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
v1ext.list_namespaced_network_policy.assert_called_with(
self.fake_namespace
)
v1ext.create_namespaced_network_policy.assert_not_called()
def test_create_pool(self):
ret = mock.Mock()
ret.status.replicas = 5