Add icmp sg rules to k8s project

This commit adds a sg rule to k8s project sg so pods there can reply to ping for testing purpouses. By default it only enables ingress rules but the functions could be extended depending on future requirements. Partially implements: bp functional-testing-catch-up Change-Id: I1e3f88a007260b485b246a3a3e12d41bc06983b2
2017-10-26 10:42:18 +00:00 · 2017-10-26 10:42:18 +00:00 · d64582fc63
parent 353c193600
commit d64582fc63
2 changed files with 32 additions and 0 deletions
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@ -174,6 +174,23 @@ print("%s\\t%s" % (n[beg_offset], n[-end_offset]))
 EOF
 }

+# create_k8s_icmp_sg_rules
+#   Description: Creates icmp sg rules for Kuryr-Kubernetes pods
+#   Params:
+#      sg_id       - Kuryr's security group id
+#      direction   - egress or ingress direction
+function create_k8s_icmp_sg_rules {
+    local sg_id=$1
+    local direction="$2"
+    icmp_sg_rules=$(openstack --os-cloud devstack-admin \
+                              --os-region "$REGION_NAME" \
+                              security group rule create \
+                              --protocol icmp \
+                              --"$direction" "$sg_id")
+    die_if_not_set $LINENO icmp_sg_rules \
+        "Failure creating icmp sg ${direction} rule for ${sg_id}"
+}
+
 # create_k8s_subnet
 #   Description: Creates a network and subnet for Kuryr-Kubernetes usage
 #   Params:
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -303,6 +303,20 @@ function configure_neutron_defaults {
    iniset "$KURYR_CONFIG" octavia_defaults member_mode "$KURYR_K8S_OCTAVIA_MEMBER_MODE"
 }

+function configure_k8s_pod_sg_rules {
+    local project_id
+    local sg_id
+
+    project_id=$(get_or_create_project \
+        "$KURYR_NEUTRON_DEFAULT_PROJECT" default)
+    sg_id=$(openstack --os-cloud devstack-admin \
+                      --os-region "$REGION_NAME" \
+                      security group list \
+                      --project "$project_id" -c ID -c Name -f value | \
+                      awk '/default/ {print $1}')
+    create_k8s_icmp_sg_rules "$sg_id" ingress
+}
+
 function get_hyperkube_container_cacert_setup_dir {
    case "$1" in
        1.[0-3].*) echo "/data";;
@ -582,6 +596,7 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then

    if is_service_enabled tempest; then
        copy_tempest_kubeconfig
+        configure_k8s_pod_sg_rules
    fi

    if is_service_enabled kuryr-kubernetes; then