Remove the network policy creation in k8s orchestrator
Previously, a network policy (based on ipBlock) was created during k8s orchestrator initialization to restrict access to the function pods from outside the cluster. However, the network policy is actually designed for use inside the k8s cluster, so it doesn't make sense to define a network policy in order to restrict inbound traffic from outside. A typical example is when Calico is used as the network plugin in the k8s cluster: the source IP address from the pod's perspective is that of the worker node rather than the original outside IP address. We remove the network policy creation for now and leave that part of the security concerns to a future design. The config option `CONF.kubernetes.trusted_cidrs` is deprecated for removal. Change-Id: I91905ba36b36f152a987ce2b742de33e423ed2db Story: #2005777 Task: #33500 Story: #2005710 Task: #31036
parent
f8e1567659
commit
6e56154652
|
@ -147,12 +147,6 @@ function configure_qinling {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
iniset $QINLING_CONF_FILE kubernetes replicas 5
|
iniset $QINLING_CONF_FILE kubernetes replicas 5
|
||||||
|
|
||||||
if [ -n ${QINLING_TRUSTED_CIDRS} ]; then
|
|
||||||
iniset $QINLING_CONF_FILE kubernetes trusted_cidrs ${QINLING_TRUSTED_CIDRS}
|
|
||||||
else
|
|
||||||
iniset $QINLING_CONF_FILE kubernetes trusted_cidrs "${HOST_IP}/32,127.0.0.1/32"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -28,4 +28,3 @@ QINLING_SIDECAR_IMAGE=${QINLING_SIDECAR_IMAGE:-openstackqinling/sidecar:0.0.2}
|
||||||
|
|
||||||
QINLING_INSTALL_K8S=${QINLING_INSTALL_K8S:-True}
|
QINLING_INSTALL_K8S=${QINLING_INSTALL_K8S:-True}
|
||||||
QINLING_K8S_APISERVER_TLS=${QINLING_K8S_APISERVER_TLS:-True}
|
QINLING_K8S_APISERVER_TLS=${QINLING_K8S_APISERVER_TLS:-True}
|
||||||
QINLING_TRUSTED_CIDRS=${QINLING_TRUSTED_CIDRS:-""}
|
|
||||||
|
|
|
@ -184,6 +184,7 @@ kubernetes_opts = [
|
||||||
),
|
),
|
||||||
cfg.ListOpt(
|
cfg.ListOpt(
|
||||||
'trusted_cidrs',
|
'trusted_cidrs',
|
||||||
|
deprecated_for_removal=True,
|
||||||
item_type=cfg.types.String(),
|
item_type=cfg.types.String(),
|
||||||
default=[],
|
default=[],
|
||||||
help='List of CIDR that have access to the services in '
|
help='List of CIDR that have access to the services in '
|
||||||
|
|
|
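Review bot: With `deprecated_for_removal=True` alone, `trusted_cidrs` becomes a silent no-op: the only consumer visible in this commit, `_ensure_network_policy`, is deleted, yet the help text on the last line of the hunk still promises that the listed CIDRs "have access to the services", so an operator who set it to restrict function-pod ingress will keep believing that restriction is in place. oslo.config can carry the reason in the deprecation warning; add `deprecated_reason='The ipBlock-based network policy is no longer created; this option has no effect.'` next to `deprecated_for_removal=True`, and reword the help string to state that the option is ignored. It would also help to say, in the help text or a release note, that function pods currently get no ingress NetworkPolicy at all, so operators can apply their own policy in the namespace. The `kubernetes_opts` list continues outside the hunk.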
@ -20,7 +20,6 @@ import time
|
||||||
import jinja2
|
import jinja2
|
||||||
from kubernetes.client import V1DeleteOptions
|
from kubernetes.client import V1DeleteOptions
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import netutils
|
|
||||||
import requests
|
import requests
|
||||||
import tenacity
|
import tenacity
|
||||||
import yaml
|
import yaml
|
||||||
|
@ -50,9 +49,6 @@ class KubernetesManager(base.OrchestratorBase):
|
||||||
# Create namespace if not exists
|
# Create namespace if not exists
|
||||||
self._ensure_namespace()
|
self._ensure_namespace()
|
||||||
|
|
||||||
# Create the network policy if not exists
|
|
||||||
self._ensure_network_policy()
|
|
||||||
|
|
||||||
# Get templates.
|
# Get templates.
|
||||||
template_loader = jinja2.FileSystemLoader(
|
template_loader = jinja2.FileSystemLoader(
|
||||||
searchpath=os.path.dirname(TEMPLATES_DIR)
|
searchpath=os.path.dirname(TEMPLATES_DIR)
|
||||||
|
@ -91,43 +87,6 @@ class KubernetesManager(base.OrchestratorBase):
|
||||||
|
|
||||||
LOG.info('Namespace %s created.', self.conf.kubernetes.namespace)
|
LOG.info('Namespace %s created.', self.conf.kubernetes.namespace)
|
||||||
|
|
||||||
def _ensure_network_policy(self):
|
|
||||||
policy_name = 'allow-qinling-engine-only'
|
|
||||||
namespace = self.conf.kubernetes.namespace
|
|
||||||
ret = self.v1extension.list_namespaced_network_policy(namespace)
|
|
||||||
policies = [i.metadata.name for i in ret.items]
|
|
||||||
|
|
||||||
if policy_name not in policies:
|
|
||||||
if len(self.conf.kubernetes.trusted_cidrs) != 0:
|
|
||||||
cidrs = self.conf.kubernetes.trusted_cidrs
|
|
||||||
else:
|
|
||||||
host_ip = netutils.get_my_ipv4()
|
|
||||||
cidrs = ["%s/32" % host_ip]
|
|
||||||
|
|
||||||
LOG.info('Creating network policy %s(allow %s) in namespace %s',
|
|
||||||
policy_name, cidrs, namespace)
|
|
||||||
|
|
||||||
from_def = []
|
|
||||||
for cidr in cidrs:
|
|
||||||
from_def.append({'ipBlock': {'cidr': cidr}})
|
|
||||||
|
|
||||||
policy_body = {
|
|
||||||
'apiVersion': 'extensions/v1beta1',
|
|
||||||
'kind': 'NetworkPolicy',
|
|
||||||
'metadata': {'name': policy_name},
|
|
||||||
'spec': {
|
|
||||||
'podSelector': {},
|
|
||||||
'policyTypes': ["Ingress"],
|
|
||||||
'ingress': [{'from': from_def}]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
self.v1extension.create_namespaced_network_policy(
|
|
||||||
namespace, policy_body)
|
|
||||||
|
|
||||||
LOG.info('Network policy %s in namespace %s created.',
|
|
||||||
policy_name, namespace)
|
|
||||||
|
|
||||||
@tenacity.retry(
|
@tenacity.retry(
|
||||||
wait=tenacity.wait_fixed(2),
|
wait=tenacity.wait_fixed(2),
|
||||||
stop=tenacity.stop_after_delay(600),
|
stop=tenacity.stop_after_delay(600),
|
||||||
|
|
|
@ -18,7 +18,6 @@ import yaml
|
||||||
|
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_utils import netutils
|
|
||||||
|
|
||||||
from qinling import config
|
from qinling import config
|
||||||
from qinling import exceptions as exc
|
from qinling import exceptions as exc
|
||||||
|
@ -62,14 +61,6 @@ class TestKubernetesManager(base.DbTestCase):
|
||||||
namespaces.items = [namespace]
|
namespaces.items = [namespace]
|
||||||
self.k8s_v1_api.list_namespace.return_value = namespaces
|
self.k8s_v1_api.list_namespace.return_value = namespaces
|
||||||
|
|
||||||
network_policy = mock.Mock()
|
|
||||||
network_policy.metadata.name = 'allow-qinling-engine-only'
|
|
||||||
network_policies = mock.Mock()
|
|
||||||
network_policies.items = [network_policy]
|
|
||||||
self.k8s_v1_ext.list_namespaced_network_policy.return_value = (
|
|
||||||
network_policies
|
|
||||||
)
|
|
||||||
|
|
||||||
self.manager = k8s_manager.KubernetesManager(self.conf,
|
self.manager = k8s_manager.KubernetesManager(self.conf,
|
||||||
self.qinling_endpoint)
|
self.qinling_endpoint)
|
||||||
|
|
||||||
|
@ -141,50 +132,6 @@ class TestKubernetesManager(base.DbTestCase):
|
||||||
self.assertEqual(2, self.k8s_v1_api.list_namespace.call_count)
|
self.assertEqual(2, self.k8s_v1_api.list_namespace.call_count)
|
||||||
self.k8s_v1_api.create_namespace.assert_not_called()
|
self.k8s_v1_api.create_namespace.assert_not_called()
|
||||||
|
|
||||||
def test__ensure_network_policy(self):
|
|
||||||
# self.manager is not used in this test.
|
|
||||||
network_policies = mock.Mock()
|
|
||||||
network_policies.items = []
|
|
||||||
v1ext = self.k8s_v1_ext
|
|
||||||
v1ext.list_namespaced_network_policy.return_value = network_policies
|
|
||||||
|
|
||||||
k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
|
|
||||||
|
|
||||||
host_ip = netutils.get_my_ipv4()
|
|
||||||
cidr = "%s/32" % host_ip
|
|
||||||
|
|
||||||
network_policy_body = {
|
|
||||||
'apiVersion': 'extensions/v1beta1',
|
|
||||||
'kind': 'NetworkPolicy',
|
|
||||||
'metadata': {'name': 'allow-qinling-engine-only'},
|
|
||||||
'spec': {
|
|
||||||
'podSelector': {},
|
|
||||||
'policyTypes': ["Ingress"],
|
|
||||||
'ingress': [{'from': [{'ipBlock': {'cidr': cidr}}]}]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
v1ext.list_namespaced_network_policy.assert_called_with(
|
|
||||||
self.fake_namespace
|
|
||||||
)
|
|
||||||
v1ext.create_namespaced_network_policy.assert_called_once_with(
|
|
||||||
self.fake_namespace, network_policy_body)
|
|
||||||
|
|
||||||
def test__ensure_network_policy_not_create(self):
|
|
||||||
# self.manager is not used in this test.
|
|
||||||
item = mock.Mock()
|
|
||||||
item.metadata.name = 'allow-qinling-engine-only'
|
|
||||||
network_policies = mock.Mock()
|
|
||||||
network_policies.items = [item]
|
|
||||||
v1ext = self.k8s_v1_ext
|
|
||||||
v1ext.list_namespaced_network_policy.return_value = network_policies
|
|
||||||
|
|
||||||
k8s_manager.KubernetesManager(self.conf, self.qinling_endpoint)
|
|
||||||
|
|
||||||
v1ext.list_namespaced_network_policy.assert_called_with(
|
|
||||||
self.fake_namespace
|
|
||||||
)
|
|
||||||
v1ext.create_namespaced_network_policy.assert_not_called()
|
|
||||||
|
|
||||||
def test_create_pool(self):
|
def test_create_pool(self):
|
||||||
ret = mock.Mock()
|
ret = mock.Mock()
|
||||||
ret.status.replicas = 5
|
ret.status.replicas = 5
|
||||||
|
|