Commit Graph

57 Commits

Author SHA1 Message Date
Michał Dulko 03b98adde2 Cleanup KuryrPort when Pod is missing
We can easily imagine a user frustrated by his pod not getting deleted
and opting to remove the finalizer from the Pod. If the cause of the
deletion delay was the kuryr-controller being down, we end up with an
orphaned KuryrPort. At the moment this causes crashes, which obviously
it shouldn't. Moreover we should figure out how to clean up the Neutron
port if that happens. This commit does so as explained below.

1. KuryrPort on_present() will trigger its deletion when it detects that
   the Pod no longer exists.
2. Turns out security_groups parameter passed to release_vif() was never
   used. I removed it from drivers and got rid of get_security_groups()
   call from on_finalize() as it's no longer necessary.
3. When we cannot get the Pod in KuryrPort on_finalize() we attempt to
   gather info required to cleanup the KuryrPort and "mock" a Pod
   object. A precaution is added that any error from release_vif() is
   ignored in that case to make sure failed cleanup is not causing the
   system to go down.

Change-Id: Iaf48296ff28394823f68d58362bcc87d38a2cd42
2022-08-24 17:48:02 +02:00
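The finalizer behaviour described in the commit above (delete the KuryrPort when its Pod is gone, rebuild a minimal Pod from the KuryrPort's own data, and never let a failed best-effort release crash the controller) sketched as runnable code. This is an added example, not kuryr-kubernetes code: FakeK8sClient, FakeVIFDriver, the NotFound exception and the KuryrPort field layout (spec.podProjectId, status.vifs) are constructed stand-ins for the real client, driver and CRD.

```python
"""Finalizer that cleans up a KuryrPort even when its Pod is already gone.

Added example, not kuryr-kubernetes code: the client, driver and KuryrPort
layout below are constructed stand-ins for the real ones.
"""
import logging

LOG = logging.getLogger(__name__)


class NotFound(Exception):
    """Raised by the (fake) API client when an object does not exist."""


class FakeK8sClient:
    """Minimal stand-in for the Kubernetes client; holds Pods in a dict."""

    def __init__(self, pods):
        self._pods = {(p["metadata"]["namespace"], p["metadata"]["name"]): p
                      for p in pods}

    def get_pod(self, namespace, name):
        try:
            return self._pods[(namespace, name)]
        except KeyError:
            raise NotFound(f"pod {namespace}/{name}") from None


class FakeVIFDriver:
    """Stand-in for a PodVIFDriver: records released VIFs and can be told
    to fail for specific port IDs to simulate Neutron errors."""

    def __init__(self, fail_for=()):
        self.released = []
        self._fail_for = set(fail_for)

    def release_vif(self, pod, vif, project_id):
        # No security_groups argument: the commit dropped it as unused.
        if vif["id"] in self._fail_for:
            raise RuntimeError(f"neutron failed to release {vif['id']}")
        self.released.append(vif["id"])


def pod_is_missing(k8s, kp):
    """on_present() check: True when the Pod owning this KuryrPort is gone."""
    meta = kp["metadata"]
    try:
        k8s.get_pod(meta["namespace"], meta["name"])
    except NotFound:
        return True
    return False


def mock_pod_from_kuryrport(kp):
    """Rebuild the minimal Pod the driver needs from KuryrPort metadata.

    Assumed layout: the KuryrPort shares the Pod's name and namespace.
    """
    return {"metadata": {"name": kp["metadata"]["name"],
                         "namespace": kp["metadata"]["namespace"]},
            "spec": {},
            "mocked": True}


def on_finalize(k8s, driver, kp):
    """Release every VIF recorded on the KuryrPort.

    With a live Pod, driver errors propagate so the finalizer is retried.
    With the Pod gone we work from a mocked Pod and swallow errors: a
    failed best-effort cleanup must not take the controller down.
    """
    meta = kp["metadata"]
    try:
        pod = k8s.get_pod(meta["namespace"], meta["name"])
        best_effort = False
    except NotFound:
        LOG.warning("Pod %s/%s is gone, cleaning KuryrPort from its own data",
                    meta["namespace"], meta["name"])
        pod = mock_pod_from_kuryrport(kp)
        best_effort = True

    project_id = kp["spec"]["podProjectId"]      # field name assumed
    released, failed = [], []
    for vif in kp["status"]["vifs"].values():    # layout assumed
        try:
            driver.release_vif(pod, vif, project_id)
            released.append(vif["id"])
        except Exception:
            if not best_effort:
                raise
            LOG.exception("Ignoring failure to release %s", vif["id"])
            failed.append(vif["id"])
    return {"mocked_pod": best_effort, "released": released, "failed": failed}


# Constructed sample state: web-0 still exists, db-0 was force-deleted.
POD = {"metadata": {"name": "web-0", "namespace": "apps"}}
KP_LIVE = {"metadata": {"name": "web-0", "namespace": "apps"},
           "spec": {"podProjectId": "proj-1"},
           "status": {"vifs": {"eth0": {"id": "port-a"}}}}
KP_ORPHAN = {"metadata": {"name": "db-0", "namespace": "apps"},
             "spec": {"podProjectId": "proj-1"},
             "status": {"vifs": {"eth0": {"id": "port-b"},
                                 "net1": {"id": "port-c"}}}}
K8S = FakeK8sClient([POD])
```

The split matters: swallowing release errors only when the Pod is already gone keeps the normal path retryable (the finalizer stays until Neutron succeeds), while the orphan path prefers dropping the finalizer over crash-looping the controller on a port that may already be deleted.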
Maysa Macedo 7e2d00214a Limit the number of concurrent create_ports requests
This commit proposes to limit the number of create ports
in bulk requests to 20, since Neutron takes a long time to handle
these requests when the number of ports and parallel calls
increase.

Change-Id: Ifa4fb9e1d1c899d55859fc5f33ba4c0670ba86b6
2021-12-15 18:02:57 +01:00
Michał Dulko 9d0b053c4f Workaround OVN bug causing subports to be DOWN
Neutron should make a subport that is already attached to a trunk ACTIVE
immediately. Unfortunately there seems to be an OVN bug causing an event
triggering this to be lost, leaving the port in DOWN state forever. This
is a disaster for Kuryr, because we can't proceed to wire the pods in
such a case.

This commit attempts to work around this by making Kuryr reattach the
ports that are in DOWN state for more than 90 seconds after they're
plugged.

Change-Id: If9a3968d68dced588614cd5521d4a111e78d435f
2021-06-08 16:50:06 +02:00
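A watchdog for the workaround described above: subports that are still DOWN more than 90 seconds after being plugged are detached from the trunk and added back. This is an added example, not kuryr-kubernetes code; FakeNeutron, the `plugged` bookkeeping dict and the constructed port states are assumptions made for the demo (in the fake, re-adding a subport flips it to ACTIVE, which is the effect the workaround relies on).

```python
"""Watchdog that re-attaches trunk subports stuck in DOWN.

Added example, not kuryr-kubernetes code: the Neutron client is a fake
and the plug-time bookkeeping is assumed, not the project's.
"""
DOWN_GRACE_SECONDS = 90


class FakeNeutron:
    """Stand-in for the Neutron client: port status plus trunk operations."""

    def __init__(self, status):
        self.status = dict(status)      # port_id -> "ACTIVE" | "DOWN"
        self.trunk_ops = []             # audit trail of trunk calls made

    def get_port_status(self, port_id):
        return self.status[port_id]

    def remove_subports(self, trunk_id, port_ids):
        self.trunk_ops.append(("remove", trunk_id, tuple(port_ids)))

    def add_subports(self, trunk_id, subports):
        ids = tuple(s["port_id"] for s in subports)
        self.trunk_ops.append(("add", trunk_id, ids))
        for port_id in ids:             # the re-attach wakes the port up
            self.status[port_id] = "ACTIVE"


def find_stuck_subports(neutron, plugged, now):
    """Subports still DOWN more than DOWN_GRACE_SECONDS after plugging.

    plugged: {port_id: {"trunk_id", "segmentation_id", "plugged_at"}}
    (bookkeeping layout assumed for this example).
    """
    return sorted(
        pid for pid, rec in plugged.items()
        if now - rec["plugged_at"] > DOWN_GRACE_SECONDS
        and neutron.get_port_status(pid) == "DOWN")


def reattach_stuck_subports(neutron, plugged, now):
    """Detach and re-add every stuck subport; returns the IDs touched.

    The plug timestamp is reset afterwards so a port that stays DOWN is
    retried only every DOWN_GRACE_SECONDS instead of on every tick.
    """
    stuck = find_stuck_subports(neutron, plugged, now)
    for pid in stuck:
        rec = plugged[pid]
        neutron.remove_subports(rec["trunk_id"], [pid])
        neutron.add_subports(rec["trunk_id"], [{
            "port_id": pid,
            "segmentation_type": "vlan",
            "segmentation_id": rec["segmentation_id"]}])
        rec["plugged_at"] = now
    return stuck


# Constructed state at now=1000: p1 has been DOWN for 120 s, p2 for 30 s,
# p3 is ACTIVE. Only p1 has exceeded the grace period.
NEUTRON = FakeNeutron({"p1": "DOWN", "p2": "DOWN", "p3": "ACTIVE"})
PLUGGED = {
    "p1": {"trunk_id": "trunk-1", "segmentation_id": 101, "plugged_at": 880},
    "p2": {"trunk_id": "trunk-1", "segmentation_id": 102, "plugged_at": 970},
    "p3": {"trunk_id": "trunk-2", "segmentation_id": 103, "plugged_at": 800},
}

if __name__ == "__main__":
    print(reattach_stuck_subports(NEUTRON, PLUGGED, now=1000))   # ['p1']
```

Two things to keep when adapting this: the grace period guards against re-plugging ports that are merely slow rather than stuck, and resetting the timestamp after a re-attach bounds how often a genuinely broken port is hammered. If several controller replicas run, only the leader should issue the remove/add pair, otherwise they race on the same trunk.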
Michał Dulko abc39b0e68 Introduce NodesSubnetsDriver
In order to have more control over the nodes' subnets we expect, instead
of relying on a static configuration option, it's better to have
flexibility. This commit introduces the NodesSubnetsDriver model that will
allow writing more complicated drivers providing the
worker_nodes_subnets setting.

A use case in mind is to use OpenShift Machine Custom Resources in order
to discover subnets the nodes are using.

Change-Id: I0eb5d9ad50895151967c23d3ad6d1237cc4d9667
2021-01-22 13:41:39 +01:00
Michał Dulko a1708e1c76 KuryrNetworkPolicy CRD
This commit is a huge refactoring of how we handle network policies. In
general:

* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
  is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
  NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
  This means that in order to trigger SG rules recalculation on Pod and
  Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
  KuryrNetworkPolicy objects, so that objects cannot get removed before
  KuryrNetworkPolicyHandler has processed their deletion correctly.

Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
2020-07-31 14:44:15 +02:00
Roman Dobosz 8b92062593 Removing pod argument for activate_vif method.
PodVIFDriver base class defines activate_vif method, which currently
accepts two arguments - pod and vif. While vif argument is utilized for
most of the time, pod is not.

It was discovered during development, where there is a need for calling
activate_vif method from within a CRD resource rather than pod.

Change-Id: I6367bd93d5c0abe9a2ee6d018d997209f23f5318
2020-06-23 13:40:49 +02:00
Luis Tomas Bolivar 780c4dfa09 Namespace event handling through KuryrNet CRD
This patch moves the namespace handling to be more aligned
with the k8s style.

Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250

Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-03-13 12:30:07 +01:00
Roman Dobosz ded6b6debc Removing six library.
Since we already migrated fully to Python3, it's time to also remove
bits needed for Python2. One of those libs is six.

Change-Id: Ib984d7b4b3c1048ed091c78986c634689a8ace8c
2020-02-28 14:45:46 +01:00
Zuul b0779c76e1 Merge "Remove namespace isolation support" 2020-02-05 19:27:42 +00:00
Luis Tomas Bolivar 9acfd8faa8 Remove namespace isolation support
NetworkPolicy can replicate what namespace isolation does (and much
more), so we are removing the code that is not needed

Change-Id: Ib79c21cb92c522744658a204001383b6c0e98846
2020-02-03 12:48:10 +01:00
Maysa Macedo 0814ccaac6 Remove openshift routes(Ingress) support
Route pods from openshift can be used instead and the code
is not being used/maintained.

Change-Id: I76448752ba07f4b30dbfa783c2ae99d46e730eaf
2020-02-01 16:09:28 +00:00
Maysa Macedo d2e3aea728 Ensure leftover LBaaS are deleted upon Controller start
When the deletion of a SVC is triggered while the load balancer
is still creating and the controller restarts, the deletion
event will be gone and the lbaas remains. This commit fixes
the issue, by removing the leftover lbaas upon controller restart.

Change-Id: I2d7dd14c3f05b0b1da6db7ac9b58731e34b593e6
2019-12-15 19:00:59 +00:00
Luis Tomas Bolivar d9d81d4755 Ensure ports from pool do not reference deleted SGs/NPs
When a NP is deleted its associated SG should be deleted too.
However, when using pools, ports may have that SG assigned, not
allowing the SG deletion and consequently stopping the kuryrnetpolicy
associated object deletion -- which may cause kuryr-controller crashes
too

Closes-Bug: 1846717
Change-Id: I7ee071b32f08af567dd92bc6e081f2cb4a3b3366
2019-10-04 18:32:37 +02:00
Luis Tomas Bolivar bfa1acf27f Ensure namespace network resources are cleaned up
In case of kuryr-controller crash/restart while creating a namespace
it may happen that some network resources are leftover as the kuryr
net crd was not yet created. This may lead to a waste of OpenStack
network resources (networks, subnets). This patch ensures the namespace
is cleaned up before creating the resources in case a previous attempt
was made without completing the kuryr net crd creation.

Change-Id: Iddc03090dc8a847abe4afa2bed0900f0c7cf6936
2019-08-09 11:03:04 +02:00
Maysa Macedo 660bbf039a Ensure only affected services are updated on Pod/NetworkPolicy events
When Pods or Network Policies are created/updated/deleted, only the affected
service(s) should have the SG updated. Right now, all the services are updated.

This commit fixes the issue, on the Network Policy side, by checking if any of
the pods selected by a Service is also selected by a Network Policy, and if so
update the SG of that LBaaS.
And on the Pods side, by matching the Service selectors and Network Policy
selectors, when this NP got the pointed pods SG updated. If the selectors
match the LBaaS SG is updated.

Closes-Bug: 1818203
Change-Id: Id996651a7d03bc7621e57b46825ddfa9d98e48ce
2019-03-08 11:25:01 +00:00
Maysa Macedo 70692f86a4 Ensure NP changes are applied to services
When a Network Policy is changed, services must also be updated,
deleting the unnecessary rules that do not match the NP anymore
and creating needed ones.

Closes-Bug: #1811242

Partially Implements: blueprint k8s-network-policies

Change-Id: I800477d08fd1f46c2a94d3653496f8f1188a3844
2019-01-24 13:26:47 +01:00
Maysa Macedo 9deb322962 Update CRD when NP has namespaceSelectors
When a namespace is created, deleted or updated and
its labels match the namespaceSelector of a NP,
the CRD and the respective sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: I515de28647f5f06248555733c27dd4f5a56149ec
2019-01-08 20:22:02 +00:00
Zuul 2320e43122 Merge "Fix some misspellings within Kuryr-Kubernetes" 2019-01-04 17:51:58 +00:00
Daniel Mellado 90ff84013d Fix some misspellings within Kuryr-Kubernetes
This commit fixes a few typos that were around Kuryr-Kubernetes code
and attempts to keep a saner codebase avoiding one-liner committers.

Change-Id: I57380d69570a74abd167ef02e6a346885bda8d5d
2019-01-03 07:31:47 -05:00
Maysa Macedo 0b95415c14 Update CRD when NP has podSelectors
When a pod gets created, deleted or updated and its labels
match the PodSelector of a NP, the sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: Ic0dd3bc93e2453460c4d8dea360efd414b6ae42b
2019-01-02 22:14:44 +00:00
Yossi Boaron 300dc36b06 Allocate service FIP after LB was provisioned
This patch changes the FIP allocation to be only
after all LB components were provisioned.

With this approach, the FIP allocation is performed just before
Kuryr annotates endpoints details, this should reduce
the probability for orphan FIPs in case of kuryr-controller
restart.

In addition it updates FIP allocation to check whether a FIP is
already allocated for the LB VIP before allocating a new one.

Change-Id: Idb734f81a1f4fc60155b0700de275d0b01f52a30
Closes-Bug: 1806647
2018-12-05 15:02:27 +02:00
Luis Tomas Bolivar d029ddb277 Ensure existing pods use the right network policy
This patch set ensures that:
- A new network policy is applied to existing pods
- A modification on the network policy selector gets applied on the
associated pods
- Deleting a network policy updates the access policies on the
associated pods
- There is no race at deleting the network policy, ensuring the
security group is first deleted from the ports and then removed
as part of the network policy deletion process

Partially Implements: blueprint k8s-network-policies

Change-Id: I25aa23b87947662333c021b9df3e83b9de2515e2
2018-11-29 14:27:52 +01:00
Luis Tomas Bolivar 651da66af1 Ensure namespace and network policy compatibility
This patch ensures namespace handler does not depend on specific
functions implemented on the security group driver for the namespace
isolation. This way it will be possible to enable the namespace
handler (to create a different network per namespace) together with
the network policy that will perform the isolation between pods/svc
in a different way.

Partially Implements: blueprint k8s-network-policies
Closes-Bug: #1799496
Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536
2018-10-25 14:18:08 +02:00
Zuul 61fcbe1561 Merge "Refactor DriverBase.get_instance()" 2018-09-19 17:15:24 +00:00
Yossi Boaron ed218a4a63 LBaaS driver: Add provider support
The OVN provider was recently added to Octavia [1] in addition
to the 'amphora' provider.
In order to create a LB with a specific provider the provider
name should be posted in load balancer creation request,
in case the provider name is not specified, Octavia default
provider will be used.

This patch enhances LBaaS driver to support LB provider functionality.
The functionality of translating K8S-services into Octavia-OVN
load balancers will be based on this change.

[1] 66502f19f2

Partially Implements: blueprint octavia-ovn-provider

Change-Id: I07532c0fd93d9269f317eace53b4baaa70df9201
2018-09-16 15:03:08 +03:00
Yash Gupta 721932dc4b Refactor DriverBase.get_instance()
scope param is added to allow getting multiple independent instances
of a driver. This is particularly useful for using same VIFPoolDriver
implementation for multiple PodVIFDrivers (eg. NoopVIFPool may be
used for multiple PodVIFDriver types)

Also renames driver_alias to specific_driver to better indicate its
function.

Related-Bug: 1747406
Change-Id: Iea3b65b91f362a18cca6bf9d44d938063a56118b
Signed-off-by: Yash Gupta <y.gupta@samsung.com>
2018-09-12 10:27:11 +09:00
Luis Tomas Bolivar 66fb9d18df Add namespace isolation for services
This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.

The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods

Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7
2018-08-06 19:33:55 +02:00
Zuul 7cf6c0a126 Merge "Ensure isolation between namespaces" 2018-08-01 16:01:50 +00:00
Luis Tomas Bolivar f02b2e99e9 Ensure isolation between namespaces
This patch ensures that a different security group is attached to
each newly created namespace. Thus providing extra isolation
between the pods allocated on the different namespaces.

Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7
2018-08-01 13:46:05 +02:00
Peng Liu aaeb4f4687 Implement multi-vif driver
This patch implements the multi-vif of VIF-Handler And Vif
Drivers Design.

This patch creates a new driver type MultiVIFDriver. It will
be the base class of real drivers like sriov,
additional_subnet and npwg_multiple_interfaces. Each of the
derived drivers should implement the parsing of the additional
interfaces definition in K8S pods, and call VIF driver to
either create or acquire the Neutron port and its VIF object.

A list of enabled drivers can be returned by its class method.
So that the VIFHandler can invoke each driver one by one to
get the whole list of interfaces for one pod.

Partially Implements: blueprint multi-vif-pods
Change-Id: I8b5175a4637b18a0b574e27674a217865afb22b7
Signed-off-by: Peng Liu <pliu@redhat.com>
2018-07-31 19:31:48 +08:00
Daniel Mellado 5421ce1ba5 Add Network Policies Driver
This patch adds the driver skel for Network Policy Support and hooks the
previously merged handler to use it. Follow up patches will provide translation
between NP and Neutron security groups and driver implementation.

Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: Ie8cca7b717677347f6a100e8d3b3912bdc20a148
2018-07-17 13:00:56 +02:00
Luis Tomas Bolivar 3da0a027d1 Add default namespace project driver
This patch adds a new default driver to get the project ID
associated to a namespace. Same as the pod and service project
drivers

Partially Implements: blueprint network-namespace

Change-Id: Ib4306ba2c3d07ddfa311e2970b67d8b617c951e7
2018-07-11 10:48:32 +00:00
Daniel Mellado 24e4ab7430 Create network policy handler and driver
This patch adds a base driver and handler for network policy events. Follow up
patches will implement the driver and actions on network policies crud
actions, as well as tempest tests.

Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>

Change-Id: I26969f2597c112259ca90724ff8b357bd8bb376e
2018-06-18 08:12:16 -04:00
Yossi Boaron 4ab102afa8 OCP-Router: Ingress controller support
This is the second patch of the Ingress Controller capability.

In order for the K8S Ingress and OpenShift Route resources to work,
the cluster must have an Ingress Controller running.

This patch extends LBaaS driver to support L7 load balancing and
verifies, retrieves and stores the L7 router LB (pre-created by admin or
Devstack) details.
The OCP-route and K8S-endpoint handlers (implemented in next patch) will
query the ingress controller for the L7 router details.

Partially Implements: blueprint openshift-router-support

Change-Id: Id55169f6c9c1c607b2aa54c92711dfbd04a9e39d
2018-06-15 14:34:57 +00:00
Zuul 599a59dfa6 Merge "Add ports pool clean up support to namespace deletion" 2018-06-11 10:41:40 +00:00
Zuul f848fb56c4 Merge "Service: Decoupling and improvements of LBaaS driver" 2018-06-08 22:02:37 +00:00
Luis Tomas Bolivar fad08a9d1c Add ports pool clean up support to namespace deletion
This patch extends the namespace handler to account for existing
ports at kuryr ports pools before deleting the network namespace
resources. It extends the vif_pool driver with support for removing
all the ports of the different pools belonging to the namespace to be
deleted.

Partially Implements: blueprint network-namespace

Change-Id: I84580201f38c219f1943510bb493da0f07e07153
2018-06-08 08:29:30 +02:00
Luis Tomas Bolivar c1e8f458d4 Namespace deletion functionality for namespace_subnet driver
This patch extends the namespace_subnet driver to handle namespace
deletion. It ensures the created resources during namespace creation
are removed upon namespace deletion.

Note it does not currently support deleting the extra ports created
by the ports pool feature, so it should not be used if ports pool
feature is enabled. A follow up patch will address this issue

Partially Implements: blueprint network-namespace

Change-Id: I2eed278dafacd5090a902bacfd366f7cdf9edca4
2018-06-07 13:13:57 +00:00
Yossi Boaron 95a108bed7 Service: Decoupling and improvements of LBaaS driver
A Kuryr controller handler associates itself with specific Kubernetes object
kind (e.g: endpoint) and it's responsible for handling the events of this
object.
The Kuryr controller handlers call one or more Kuryr controller drivers to
manage specific aspects of the Kubernetes resource in the OpenStack domain.
This patch makes K8S-Endpoint handler and LBaaS driver decoupled, and also
updates LBaaS driver to be more generic (e.g. supports creating a pool
attached to a load balancer).

After this change the LBaaS driver could be extended to
support L7 load balancing, meaning it could be used as the Ingress driver.

Closes-Bug: 1770934

Change-Id: Ifcda04cc0116bf42e79aa4f855dc9df73671b4d9
2018-06-04 10:34:45 +03:00
Luis Tomas Bolivar d5d4ef1f9d Add namespace subnet driver for namespace creation
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace

Partially Implements: blueprint network-namespace

Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
2018-05-25 08:57:42 +02:00
Luis Tomas Bolivar a83eba5fa1 Add multi pools support
This patch adds support for nodes with different vif drivers as
well as different pool drivers for each vif driver type.

Closes-Bug: 1747406
Change-Id: I842fd4b513a5f325d598d677e5008f9ea51adab9
2018-03-07 13:06:56 +01:00
Michał Dulko 731d36eccc Services: Set SGs for N-S with haproxy provider
This is continuation of Ie4a53dedf54472394f92fdfacddf0632e33f1f5b and
aims to orchestrate security groups and rules creation to make sure
listeners are available for each LoadBalancer Service. This is done
on-demand in LBaaS v2 driver.

Related-Bug: 1749968
Change-Id: Ie6b3783eff7a21ad602923c32bacc37356664e82
2018-02-22 16:26:01 +01:00
Yossi Boaron 87b2418988 Eliminate wrong ERROR report when service of type LoadBalancer is deleted
Closes-Bug: #1724495

Change-Id: I844dc779709349c670cf90b30dcec5f20abe8fef
2017-10-18 12:00:57 +03:00
Yossi Boaron 5b3b02bb0b Add support for service type=LoadBalancer
Service loadbalancerIP could be one of the following:
 1. loadbalancerIP allocated from pre-defined pool
    k8s service.spec.type = 'LoadBalancer'
 2. loadbalancerIP specified by user
    k8s service.spec.type = 'LoadBalancer' and service.spec.loadBalancerIP='x.y.z.t'

This commit extends service capability to support '1' and '2'.
Implements: blueprint k8s-service-type-loadbalancer

Change-Id: I98f56692e143aa7ab14dd9920139819c7026acce
2017-10-02 14:12:14 +03:00
Luis Tomas Bolivar b09d7ce195 Generic vif pool driver extension to precreate reusable ports
This patch enhances the generic vif pool driver to also pre-create
ports in bulk requests, so that containers can make use of them
when booting -- even if not that many containers have been
created and deleted before.

This patch also removes the port deletion/recycle from the pod deletion
pipeline by having a dedicated thread performing periodic recycling
actions.

Partially Implements blueprint ports-pool

Change-Id: I7a3165b8a43e314c360b04cb0cefc69e0e5e768f
2017-06-11 14:53:35 +02:00
Luis Tomas Bolivar e01b4d559b Generic vif driver extension to enable ports reuse
In order to speed up containers creation/deletion a new generic-vif
driver is proposed that builds upon the port pool driver to ensure
ports already created can be reused in the future.

Note this removes the neutron.create_port from the container creation process.
As measured in the performance evaluation performed in [0], these times are,
on average, around 2 seconds.

[0] https://blog.russellbryant.net/2016/12/19/comparing-openstack-neutron-ml2ovs-and-ovn-control-plane/

Partially Implements blueprint ports-pool
Change-Id: Ib127735570470850dde452c453eac3d5545f7a43
2017-06-11 14:00:15 +02:00
Kirill Zaitsev 6d9e564251 Cleanup and enforce pep8 checks
tox.ini contains a bunch of excludes, that are unnecessary. Some are
leftovers from neutron. Some are already fixed and there is no point in
excluding them and some are easy to fix.
This commit does not fix E128 as it is the only serious exclusion with
(currently 166 lines to be changed)

Change-Id: I48cb6cd2258b2d8ed5b8dfdd3ceac7d8d573be81
2017-06-08 15:36:44 +03:00
Luis Tomas Bolivar 961dfdcabb Adding support for vif pool driver
Every time a container is created or deleted there is a call from
Kuryr to Neutron to create/remove the port used by the container.
In order to speed up both container creation and deletion a vif
pool driver is added, enabling the possibility of performing
Neutron resource management actions before/after containers
creation/deletion process.

This patch introduces a basic structure for the driver to trigger
ports creation and cleanup as part of the vif pool management.
Note it will be followed up with extended versions of the drivers
to support the extra ports pool functionality.

Partially Implements blueprint ports-pool
Change-Id: I441aa8f8ef567414f38d40365e3799de33de5b8c
2017-05-16 08:48:03 +02:00
Ilya Chukhnakov e3209864dc K8s Services support: LoadBalancerHandler
This patch implements LoadBalancerHandler that handles K8s Endpoints
events and tracks changes in LBaaSServiceSpec to update Neutron LBaaS
accordingly and to reflect its actual state in LBaaSState.

Change-Id: I718daf6d3def981c1bde5ca9831f955766935fbd
Partially-Implements: blueprint kuryr-k8s-integration
2017-04-10 17:07:16 +00:00
shihanzhang 1d35146a46 Remove log translations
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

Change-Id: If4735fc3ac1803585efd90657539e540d157a59a
2017-03-28 15:13:49 +08:00