authorMaysa Macedo <maysa.macedo95@gmail.com>2019-01-09 13:43:56 +0000
committerMaysa Macedo <maysa.macedo95@gmail.com>2019-01-09 14:03:17 +0000
commit374c5eeaf9bb1fe2ec572b0748c9d649b9514540 (patch)
treeed5b337474fc15475faaa156c8f91faa6a88da26
parent7480cc36f8b33d881089fe1c82ec3c65983452f6 (diff)
Ensure reaction to svc target-port update
When the target port of a service is updated and is not allowed on the pods by the Network Policy, the security group rule needs to be removed from the LBaaS. Partially Implements: blueprint k8s-network-policies Change-Id: Ic0e58aa558ff8497b5090509f5a91d2b3aedc61f
Notes
Notes (review): Code-Review+2: Daniel Mellado <dmellado@redhat.com> Code-Review+2: Michał Dulko <mdulko@redhat.com> Workflow+1: Michał Dulko <mdulko@redhat.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 09 Jan 2019 17:48:04 +0000 Reviewed-on: https://review.openstack.org/629486 Project: openstack/kuryr-kubernetes Branch: refs/heads/master
-rw-r--r--kuryr_kubernetes/controller/drivers/lbaasv2.py18
1 files changed, 18 insertions, 0 deletions
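--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -200,6 +200,19 @@ class LBaaSv2Driver(base.LBaaSDriver):
             LOG.exception('Failed when creating security group rule '
                           'for listener %s.', listener.name)
 
+    def _get_matched_sg_rule(self, rule, lbaas_sg_rules):
+        for lbaas_sg_rule in lbaas_sg_rules:
+            if lbaas_sg_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
+                return lbaas_sg_rule
+        return None
+
+    def _delete_sg_rule(self, rule, lbaas_sg_rules):
+        neutron = clients.get_neutron_client()
+        sg_rule = self._get_matched_sg_rule(rule, lbaas_sg_rules)
+        if sg_rule:
+            LOG.debug("Deleting sg rule: %r", sg_rule['id'])
+            neutron.delete_security_group_rule(sg_rule['id'])
+
     def _apply_members_security_groups(self, loadbalancer, port, target_port,
                                        protocol, sg_rule_name):
         neutron = clients.get_neutron_client()
@@ -208,6 +221,9 @@ class LBaaSv2Driver(base.LBaaSDriver):
         else:
             sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]
 
+        lbaas_sg_rules = neutron.list_security_group_rules(
+            security_group_id=sg_id)
+
         # Check if Network Policy allows listener on the pods
         for sg in loadbalancer.security_groups:
             if sg != sg_id:
@@ -227,6 +243,8 @@ class LBaaSv2Driver(base.LBaaSDriver):
                 max_port = rule.get('port_range_max')
                 if (min_port and target_port not in range(min_port,
                                                           max_port+1)):
+                    self._delete_sg_rule(
+                        rule, lbaas_sg_rules['security_group_rules'])
                     continue
                 try:
                     neutron.create_security_group_rule({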
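Review bot: `_get_matched_sg_rule` selects the load balancer rule to delete by `remote_ip_prefix` alone, so when the LB security group holds several rules for the same prefix (different listener ports or protocols, or rules with `remote_ip_prefix` of None) the first one found is removed even if it is not the rule that the rejected Network Policy rule produced, which silently widens or narrows what the LB accepts. The match should also compare the fields the rule is created with in the `try` block below (protocol and port range, assuming that is what the create call sets — it is outside this hunk), e.g. `if (lbaas_sg_rule['remote_ip_prefix'] == rule['remote_ip_prefix'] and lbaas_sg_rule.get('protocol') == rule.get('protocol')):` extended with the port fields. A second point in the same hunk: `lbaas_sg_rules` is listed once before the loop and never refreshed, so two out-of-range policy rules with the same prefix make `_delete_sg_rule` call `delete_security_group_rule` twice on the same id, and the second call will raise on a rule that no longer exists; after a successful delete drop the entry with `lbaas_sg_rules.remove(sg_rule)` or catch the not-found exception. `_apply_members_security_groups` starts in the first hunk and its body continues past this one.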