Ensure lb sg rules are deleted when no longer allowed

This patch ensures that the lb sg rules that are no longer needed (not allowed anymore by the NP) are removed, i.e., if an existing rule at the loadbalancer is no longer enabled by any of the NP applied to the svc, then it will be removed to ensure the specific traffic is not allowed. Partially Implements: blueprint k8s-network-policies Change-Id: I39a84a47a821cdd6ae92ce53f39106e8b6abe98e
2019-01-17 18:33:57 +01:00 · 2019-01-17 18:33:57 +01:00 · c6253fedef
parent 838dcf5360
commit c6253fedef
1 changed files with 19 additions and 0 deletions
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@ -147,6 +147,9 @@ class LBaaSv2Driver(base.LBaaSDriver):
        else:
            sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0]

+        lbaas_sg_rules = neutron.list_security_group_rules(
+            security_group_id=sg_id)
+        all_pod_rules = []
        # Check if Network Policy allows listener on the pods
        for sg in loadbalancer.security_groups:
            if sg != sg_id:
@ -167,6 +170,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
                        if (min_port and target_port not in range(min_port,
                                                                  max_port+1)):
                            continue
+                        all_pod_rules.append(rule)
                        try:
                            neutron.create_security_group_rule({
                                'security_group_rule': {
@ -186,6 +190,21 @@ class LBaaSv2Driver(base.LBaaSDriver):
                                              'group rule for listener %s.',
                                              sg_rule_name)

+        for rule in lbaas_sg_rules['security_group_rules']:
+            if (rule.get('protocol') != protocol.lower() or
+                    rule.get('port_range_min') != port or
+                    not rule.get('remote_ip_prefix')):
+                continue
+            self._delete_rule_if_no_match(rule, all_pod_rules)
+
+    def _delete_rule_if_no_match(self, rule, all_pod_rules):
+        for pod_rule in all_pod_rules:
+            if pod_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
+                return
+        neutron = clients.get_neutron_client()
+        LOG.debug("Deleting sg rule: %r", rule['id'])
+        neutron.delete_security_group_rule(rule['id'])
+
    def _remove_default_octavia_rules(self, sg_id, listener):
        neutron = clients.get_neutron_client()
        for remaining in self._provisioning_timer(