Disable uRPF check on lrp on container LS

The uRPF check, which prevents evil endpoints from spoofing the source
IP address, needs to be disabled for logical router ports on
logical switches with container ports in case of Kubernetes.

This is to enable kubelet to perform health checks. So in this
scenario the kubelet runs on the minion and the container runs
on the same minion. The packet from the kubelet hairpins back
into the VM via the tier-1 router.

Interestingly, the 'urpf_mode' property is only valid in the port
create body when the router is either of type LogicalRouterUplinkPort
or LogicalRouterDownlinkPort.

The other two port types LogicalRouterLinkPortOnTIER0 and
LogicalRouterLinkPortOnTier1 do not have 'urpf_mode' as their object
properties, and passing them results in an API validation error.

Hence in the code in the base LogicalRouterPort create method, we
add the urpf_mode to the body only if it's not None. And we pass
'urpf_mode' only when creating the Downlink port, i.e. when attaching
the logical router to the logical switch.

Change-Id: Ib266da6e6f232e78e07f8d6c56cb69606f2ee9fe
Abhishek Raut 2017-01-08 13:59:11 -08:00
parent 4ce55c8608
commit 2181d94403
2 changed files with 8 additions and 3 deletions


@ -380,7 +380,8 @@ class LogicalRouterPort(AbstractRESTResource):
resource_type,
logical_port_id,
address_groups,
edge_cluster_member_index=None):
edge_cluster_member_index=None,
urpf_mode=None):
body = {'display_name': display_name,
'resource_type': resource_type,
'logical_router_id': logical_router_id,
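Review bot: the new keyword argument `urpf_mode=None` is appended after `edge_cluster_member_index=None`, which keeps existing positional callers working, but the method's documentation should say that the value is only accepted for the LogicalRouterUplinkPort and LogicalRouterDownlinkPort resource types (as the commit message explains); a caller of this base create method cannot otherwise tell which `resource_type` values tolerate the key before the API rejects the body.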
@ -398,6 +399,8 @@ class LogicalRouterPort(AbstractRESTResource):
body['linked_logical_router_port_id'] = logical_port_id
if edge_cluster_member_index:
body['edge_cluster_member_index'] = edge_cluster_member_index
if urpf_mode:
body['urpf_mode'] = urpf_mode
return self._client.create(body=body)
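Review bot: `if urpf_mode:` tests truthiness, whereas the commit message says the key is added only when the value is not None; for a string mode the two coincide, but `if urpf_mode is not None:` states the intent directly. Since the commit message also notes that the two link port types reject `urpf_mode` with an API validation error, consider raising a clear client-side error when `urpf_mode` is supplied together with one of those `resource_type` values instead of letting the server reject the body.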


@ -143,7 +143,8 @@ class RouterLib(object):
tags,
ls_id,
logical_switch_port_id,
address_groups):
address_groups,
urpf_mode=None):
try:
port = self._router_port_client.get_by_lswitch_id(ls_id)
except exceptions.ResourceNotFound:
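Review bot: `urpf_mode=None` is added to the signature but the method's docstring is not updated to describe it, and nothing in this hunk states that the argument is only consumed in the `except exceptions.ResourceNotFound:` path; a one-line docstring note that the setting is applied when the downlink port is first created would save the next reader a trip into the body.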
@ -153,7 +154,8 @@ class RouterLib(object):
tags,
nsx_constants.LROUTERPORT_DOWNLINK,
logical_switch_port_id,
address_groups)
address_groups,
urpf_mode=urpf_mode)
else:
return self._router_port_client.update(
port['id'], subnets=address_groups)
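Review bot: the `else:` branch still returns `self._router_port_client.update(port['id'], subnets=address_groups)` without `urpf_mode`, so when a downlink port already exists on the logical switch the requested uRPF setting is never applied: a switch attached before this change keeps its current uRPF behaviour, and an explicit `urpf_mode` passed on a later call is silently ignored rather than rejected. Either pass `urpf_mode` through to `update` as well, or document that the argument only takes effect at port creation.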