diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 2caec72e..1c4ec3cf 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -147,12 +147,6 @@ function configure_qinling {
 fi
 iniset $QINLING_CONF_FILE kubernetes replicas 5
-
- if [ -n ${QINLING_TRUSTED_CIDRS} ]; then
- iniset $QINLING_CONF_FILE kubernetes trusted_cidrs ${QINLING_TRUSTED_CIDRS}
- else
- iniset $QINLING_CONF_FILE kubernetes trusted_cidrs "${HOST_IP}/32,127.0.0.1/32"
- fi
 }
diff --git a/devstack/settings b/devstack/settings
index 43b4e048..0e2424ee 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -28,4 +28,3 @@ QINLING_SIDECAR_IMAGE=${QINLING_SIDECAR_IMAGE:-openstackqinling/sidecar:0.0.2}
 QINLING_INSTALL_K8S=${QINLING_INSTALL_K8S:-True}
 QINLING_K8S_APISERVER_TLS=${QINLING_K8S_APISERVER_TLS:-True}
-QINLING_TRUSTED_CIDRS=${QINLING_TRUSTED_CIDRS:-""}
diff --git a/qinling/config.py b/qinling/config.py
index 4575c6cc..cfb44234 100644
--- a/qinling/config.py
+++ b/qinling/config.py
@@ -184,6 +184,7 @@ kubernetes_opts = [
 ),
 cfg.ListOpt(
 'trusted_cidrs',
+ deprecated_for_removal=True,
 item_type=cfg.types.String(),
 default=[],
 help='List of CIDR that have access to the services in '
diff --git a/qinling/orchestrator/kubernetes/manager.py b/qinling/orchestrator/kubernetes/manager.py
index f3587cfd..f37adfbe 100644
--- a/qinling/orchestrator/kubernetes/manager.py
+++ b/qinling/orchestrator/kubernetes/manager.py
@@ -20,7 +20,6 @@ import time
 import jinja2
 from kubernetes.client import V1DeleteOptions
 from oslo_log import log as logging
-from oslo_utils import netutils
 import requests
 import tenacity
 import yaml
@@ -50,9 +49,6 @@ class KubernetesManager(base.OrchestratorBase):
 # Create namespace if not exists
 self._ensure_namespace()
 
- # Create the network policy if not exists
- self._ensure_network_policy()
-
 # Get templates.
 template_loader = jinja2.FileSystemLoader(
 searchpath=os.path.dirname(TEMPLATES_DIR)
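Review bot: `deprecated_for_removal=True` on `trusted_cidrs` is added without a `deprecated_reason`, so operators get only a generic deprecation warning while the option has in fact become a silent no-op: the manager.py hunks drop `_ensure_network_policy` and its call from `KubernetesManager.__init__`, and nothing on the new side reads `self.conf.kubernetes.trusted_cidrs`. That also means the `allow-qinling-engine-only` ingress NetworkPolicy is no longer created, so a namespace that previously admitted only the configured CIDRs (or the engine host's /32 by default) keeps no such restriction unless the operator applies an equivalent policy; the reason for dropping it is not in the diff, so there may be context I am missing. I would add `deprecated_reason='Qinling no longer creates the engine-only ingress NetworkPolicy, so this option has no effect.'` and `deprecated_since='<release placeholder>'` next to the new line, and update the `help` text to say the value is ignored. The `cfg.ListOpt` entry continues outside the hunk.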
@@ -91,43 +87,6 @@ class KubernetesManager(base.OrchestratorBase):
 
 LOG.info('Namespace %s created.', self.conf.kubernetes.namespace)
 
- def _ensure_network_policy(self):
- policy_name = 'allow-qinling-engine-only'
- namespace = self.conf.kubernetes.namespace
- ret = self.v1extension.list_namespaced_network_policy(namespace)
- policies = [i.metadata.name for i in ret.items]
-
- if policy_name not in policies:
- if len(self.conf.kubernetes.trusted_cidrs) != 0:
- cidrs = self.conf.kubernetes.trusted_cidrs
- else:
- host_ip = netutils.get_my_ipv4()
- cidrs = ["%s/32" % host_ip]
-
- LOG.info('Creating network policy %s(allow %s) in namespace %s',
- policy_name, cidrs, namespace)
-
- from_def = []
- for cidr in cidrs:
- from_def.append({'ipBlock': {'cidr': cidr}})
-
- policy_body = {
- 'apiVersion': 'extensions/v1beta1',
- 'kind': 'NetworkPolicy',
- 'metadata': {'name': policy_name},
- 'spec': {
- 'podSelector': {},
- 'policyTypes': ["Ingress"],
- 'ingress': [{'from': from_def}]
- }
- }
-
- self.v1extension.create_namespaced_network_policy(
- namespace, policy_body)
-
- LOG.info('Network policy %s in namespace %s created.',
- policy_name, namespace)
-
 @tenacity.retry(
 wait=tenacity.wait_fixed(2),
 stop=tenacity.stop_after_delay(600),
diff --git a/qinling/tests/unit/orchestrator/kubernetes/test_manager.py b/qinling/tests/unit/orchestrator/kubernetes/test_manager.py
index f5891f0f..a984a834 100644
--- a/qinling/tests/unit/orchestrator/kubernetes/test_manager.py
+++ b/qinling/tests/unit/orchestrator/kubernetes/test_manager.py
@@ -18,7 +18,6 @@ import yaml
 
 import mock
 from oslo_config import cfg
-from oslo_utils import netutils
 
 from qinling import config
 from qinling import exceptions as exc
@@ -62,14 +61,6 @@ class TestKubernetesManager(base.DbTestCase):
 namespaces.items = [namespace]
 self.k8s_v1_api.list_namespace.return_value = namespaces
 
- network_policy = mock.Mock()
- network_policy.metadata.name = 'allow-qinling-engine-only'
- network_policies = mock.Mock()
- network_policies.items = [network_policy]
- self.k8s_v1_ext.list_namespaced_network_policy.return_value = (
- network_policies
- )
-
 self.manager = k8s_manager.KubernetesManager(self.conf,
 self.qinling_endpoint)
 
@@ -141,50 +132,6 @@ class TestKubernetesManager(base.DbTestCase):
 self.assertEqual(2, self.k8s_v1_api.list_namespace.call_count)
 self.k8s_v1_api.create_namespace.assert_not_called()
 
- def test__ensure_network_policy(self):
- # self.manager is not used in this test.
- network_policies = mock.Mock()
- network_policies.items = []
- v1ext = self.k8s_v1_ext
- v1ext.list_namespaced_network_policy.return_value = network_policies
-
- k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
-
- host_ip = netutils.get_my_ipv4()
- cidr = "%s/32" % host_ip
-
- network_policy_body = {
- 'apiVersion': 'extensions/v1beta1',
- 'kind': 'NetworkPolicy',
- 'metadata': {'name': 'allow-qinling-engine-only'},
- 'spec': {
- 'podSelector': {},
- 'policyTypes': ["Ingress"],
- 'ingress': [{'from': [{'ipBlock': {'cidr': cidr}}]}]
- }
- }
- v1ext.list_namespaced_network_policy.assert_called_with(
- self.fake_namespace
- )
- v1ext.create_namespaced_network_policy.assert_called_once_with(
- self.fake_namespace, network_policy_body)
-
- def test__ensure_network_policy_not_create(self):
- # self.manager is not used in this test.
- item = mock.Mock()
- item.metadata.name = 'allow-qinling-engine-only'
- network_policies = mock.Mock()
- network_policies.items = [item]
- v1ext = self.k8s_v1_ext
- v1ext.list_namespaced_network_policy.return_value = network_policies
-
- k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
-
- v1ext.list_namespaced_network_policy.assert_called_with(
- self.fake_namespace
- )
- v1ext.create_namespaced_network_policy.assert_not_called()
-
 def test_create_pool(self):
 ret = mock.Mock()
 ret.status.replicas = 5