Commit Graph

30 Commits

Author SHA1 Message Date
Michał Dulko e84a6a707e Fix NPs for OVN LBs with hairpin traffic
In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied may have that traffic blocked when it should be
allowed.

To fix that this commit makes sure that SGs used for NPs include ingress
rules for each of the Services in its namespace. It's not ideal but
seems to be a fair compromise between opening as little traffic as
possible and increasing the number of security groups and rules.

As this commit makes sure all the NPs in the namespaces are reanalyzed
every time a Service is created or deleted, a few fixes in order to
support that are also made.

Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
Closes-Bug: 1923452
2021-05-05 16:36:17 +02:00
Zuul 92a07a6417 Merge "Narrow connection to the cluster only on namespaceSelector." 2021-02-15 17:37:29 +00:00
scavnicka f8a7ba76e2 Removing the upgrade code from Kuryr-Kubernetes repo
When moving from annotation to CRD, compatibility code was added
to allow users to upgrade from the ussuri to the victoria version. Now we are going
to upgrade to wallaby, so everyone should already use CRD and we
can remove the code.

Change-Id: I2acea7f6b3e1f02edd89f2f08127065a6556d367
2021-02-12 17:55:52 +00:00
Roman Dobosz 4ba363d6c8 Narrow connection to the cluster only on namespaceSelector.
For the simple case, when an operator wants to open connections to all the
namespaces in the cluster, i.e.:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: networkpolicy-example
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - namespaceSelector: {}

there was a false assumption that we need to open it without any
restriction, while the truth is that all we need to do is open
egress network to all the namespaces within the cluster.

Change-Id: Ibea039fa9c3b46b83e99237ce2ceb03f02d50727
Closes-Bug: 1915008
2021-02-12 12:13:50 +01:00
Roman Dobosz 2611dc3b3a Make parse_network_policy_rules private.
Network policy parse_network_policy_rules is used only within the
NetworkPolicyDriver class. Let's make it private, as it should be.

Also, changed the layout of the code a bit, just to easily distinguish
helper methods from the signature of the class.

Change-Id: Ic13393c841f04e6748f3fe716656cb5a8b3dcd71
2021-02-08 12:13:14 +01:00
Roman Dobosz de6a06c6f7 Adapt selfLink calculation for any k8s objects.
Also, selfLink occurrences in unit tests have been removed (besides
those which actually make sense), and from the documentation.

Implements: blueprint selflink
Change-Id: Ib0bcc9f5cb6c4cdc27c3393dcb3f665b21cb64ac
2021-01-12 15:59:22 +01:00
Roman Dobosz cae194972a Fix SG rules to be created twice for the services.
Repeated rules are being created for the service while not needed, and
on the downside this causes an increased number of calls to Neutron. In
this patch we're being polite to Neutron by not creating them.

Closes-Bug: 1888407
Change-Id: I4e64fb00666f0d8ebcb757d77b5cbc81bd69f9d3
2020-10-29 17:22:14 +01:00
Michał Dulko a1708e1c76 KuryrNetworkPolicy CRD
This commit is a huge refactoring of how we handle network policies. In
general:

* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
  is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
  NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
  This means that in order to trigger SG rules recalculation on Pod and
  Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
  KuryrNetworkPolicy objects, so that objects cannot get removed before
  KuryrNetworkPolicyHandler has processed deletion correctly.

Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
2020-07-31 14:44:15 +02:00
Maysa Macedo abc679c9f2 Fix duplicated sg rules on NP crd
While handling the creation of a Network Policy it's possible that the
CRD is patched with repeated sg rules, which is not allowed, resulting
in a validation error as the repeated sg rules will not have the sg
rule id.

Closes-Bug: #1887167
Change-Id: Ia7814ddcea0d6948ff280a3e03a896bbc442891c
2020-07-10 14:25:24 +00:00
Roman Dobosz 58e3ca2829 Enable IPv6 in network policy driver.
In network policy driver we are using security groups for the OpenStack
side to create appropriate port ranges to be open for certain hosts (or
all hosts). In this patch we add a mechanism for selecting the right IP
version for the rule, or creating rules for both (IPv4 and IPv6) network
types.

Implements: blueprint kuryr-ipv6-support
Change-Id: Ie7544aeebb1d18038ebc19c8f815b69213b55a88
2020-05-07 17:09:53 +00:00
Sean McGinnis 5ee781f41c Use unittest.mock instead of third party mock
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.

Change-Id: I26b9878515ea156a6b4bde14a64848621593d868
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-04-18 11:53:51 -05:00
Roman Dobosz b5244a16bb Update network_policy driver to use OpenStackSDK.
Besides the driver itself, there was a change also for the utils/os_vif_util
modules, since while changing neutron objects to OpenStackSDK objects,
the signature has also changed.

Also, favor attribute-based access for Munch objects (all
OpenStackSDK objects are basically Munch based), so that we can also
have these working in older versions of OpenStackSDK.

Implements: blueprint switch-to-openstacksdk
Change-Id: I7db217aa9f2b09b38d5e8709cf3712646f6b6893
2020-01-20 09:58:27 +01:00
Michał Dulko 7ed6e86744 Basic Python 3 compatibility fixes
This is the result of running 2to3 without the dict fix (as it seems
unnecessary for most of our cases).

In Python 3 {}.values() returns a view that is not indexable. This
commit uses list() on that to make AddHandler.should_callback compatible
with Python 3.

Change-Id: I354597f43d43630f9fb875dd8c9ab741c35af723
2019-11-22 09:19:14 +01:00
Maysa Macedo db1b24fcf6 Ensure Network Policy handles egress traffic to a SVC
We're not taking into account the case of a Network Policy
with an egress rule to a pod that contains a Service sitting
in front of it. Right now, only an egress rule to the matched
pod is created, when one for the matched SVC is also required.

Related-Bug: 1849139
Change-Id: I9830f30ba1fde3e5ec1a98fcbca22af992dd1bec
2019-10-25 12:57:47 +00:00
Maysa Macedo 59e761afbf Ensure Pod SG is updated on podSelector of NP spec update
When the podSelector of a Network Policy Spec is updated from '{}'
to any other value, the pods that are not supposed to be enforced
by the policy anymore do not have their Security Group updated
to the default one. This commit fixes the issue by also taking into
account the possible value of '{}' in the podSelector NP spec.

Change-Id: I35519acfdf8ef250880e36bcf789c063ba86b31e
Closes-Bug: 1826548
2019-05-07 09:55:05 +00:00
Maysa Macedo b644083835 Add support for text ports on Network Policy Spec
This commit adds support for Network Policies that define ports
with text. In the case of an ingress rule with a named port, the pods
selected by the NetworkPolicySpec's podSelector have their containers
verified to check for ports with the same name. In the case of an egress rule,
all the pods selected by the NetworkPolicyEgressRule's selector
have their containers verified to check if the container ports
have the same name as the ones defined in the policy rule ports.
If matched, a Security Group rule with a 'remote_ip_prefixes' field
pointing to that pod is created.

Change-Id: If1eddc3e6cc4884ca53e81e4f87b5fae80fed70e
Closes-Bug: 1818983
2019-04-16 08:59:43 +00:00
Daniel Mellado 9b3182cfeb Add ipBlock support to NP
This commit adds support for ipBlocks when using Network Policies with
Kuryr-Kubernetes.

Partially Implements: blueprint k8s-network-policies
Change-Id: I4f9078420190521fcba7bbc02540b616c479c0d3
2019-04-16 09:22:36 +02:00
Luis Tomas Bolivar b653be469b Add support for policyTypes at Network Policies
This patch adds support to consider policyTypes when applying network
policies. It ensures ingress/egress traffic is allowed when the
network policy is not affecting them if not targeted by the policyTypes.

Closes-Bug: 1822333
Change-Id: I3281e1ca2c4dcaf38ac9bd220eb4e91b5484904d
2019-04-09 08:59:57 +02:00
Michał Dulko d29e150252 NP: Delete default egress rules
When an SG is created, Neutron populates it with egress rules allowing
it to call anything. This isn't compliant with how network policies are
supposed to work in K8s. In order to correctly block all traffic we need
to remove those rules when creating the SG and this patch implements it.

Change-Id: I20860a52af843f770b6af5db65cfd9fb3e42ccfd
Closes-Bug: 1822174
2019-03-28 19:23:57 +01:00
Zuul b76c379ed1 Merge "Fix CRD podSelector update" 2019-02-20 16:58:39 +00:00
Luis Tomas Bolivar 6c0730fda4 Skip exception in case kuryrnetpolicy CRD is already deleted
As kuryrnetpolicy CRD objects are namespaced, when a namespace is
deleted, the object is deleted by kubernetes as part of the namespace
deletion process. This was making the network policy driver fail on
releasing the network policy as it could not find the object. This
patch ensures kuryr-controller doesn't fail in case kubernetes has
already deleted the kuryrnetpolicy object by skipping the exception
when trying to delete an already deleted object.

Closes-Bug: 1816020
Change-Id: I0443b65e5d6897c5d6673c222fc50101c244cd1e
2019-02-19 12:03:39 +01:00
Maysa Macedo 5cf4b41772 Fix CRD podSelector update
When the podSelector of a NP is updated, the podSelector
on the respective CRD must also be updated with the same
value. However, this does not happen in case the field of a label
is updated, for example: Label {'app: demo'} is updated to
{'context:demo'}; the result given is {'app: demo', 'context:demo'}
when it should be {'context:demo'}. And after that, if the updated label
{'context:demo'} is removed from the NP, it will not be removed from the CRD.
These cases happen because the podSelector field is a dict and not
a list.

This commit fixes the issue by changing the merge strategy to
JSON Patch, instead of JSON Merge Patch.

Change-Id: Ic629c1ba4ac13c2bfaffdf7f904b69abf9521ed3
Closes-Bug: 1810394
2019-02-18 20:43:18 +00:00
Luis Tomas Bolivar 45f4a7fa98 Ensure host to pod connectivity for NP
This patch ensures host to pod connectivity is not blocked by
network policies

Partially Implements: blueprint k8s-network-policies
Closes-Bug: 1812877
Change-Id: Ib85698aad1f5bd63601614c0ee36bd3613b5c12c
2019-01-23 17:44:40 +01:00
Maysa Macedo 9deb322962 Update CRD when NP has namespaceSelectors
When a namespace is created, deleted or updated and
its labels match the namespaceSelector of a NP,
the CRD and the respective sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: I515de28647f5f06248555733c27dd4f5a56149ec
2019-01-08 20:22:02 +00:00
Luis Tomas Bolivar b200d368cd Add Network Policy support to services
This patch adds support for Network Policy on services. It
applies pods' security groups onto the services in front of them.
It makes the following assumptions:
- All the pods pointed by one svc have the same labels, thus the same
sgs being enforced
- Only copies the SG rules that have the same protocol and direction
as the listener being created
- Adds a default rule to NP to enable traffic from services subnet CIDR

Partially Implements: blueprint k8s-network-policies
Change-Id: Ibd4b51ff40b69af26ab7e7b81d18e63abddf775b
2019-01-08 06:35:55 -05:00
Maysa Macedo 0b95415c14 Update CRD when NP has podSelectors
When a pod gets created, deleted or updated and its labels
match the PodSelector of a NP, the sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: Ic0dd3bc93e2453460c4d8dea360efd414b6ae42b
2019-01-02 22:14:44 +00:00
Luis Tomas Bolivar 30369502bb Add support for podSelector
This includes support for both types, when the pod selector is used alone
or together with a namespace selector.

TODO in follow up patch sets:
- React to new pods/namespaces created with labels
- React to pod/namespaces relabeling/deletion

Partially Implements: blueprint k8s-network-policies

Change-Id: Ie29b9da64fcd5df7b9a0e9af7b4835208f76da66
2018-12-14 09:02:56 +01:00
Luis Tomas Bolivar 543b8a2e05 Add namespaceSelector support for NetworkPolicies
This patch adds namespaceSelector support for ingress and egress
Network Policies.

In addition it handles the case where either no from/to or no ports
section appears on the ingress or egress block.

Partially Implements: blueprint k8s-network-policies
Change-Id: I7bfb1275221b76ad811ac6baff99e642d31f7e0a
2018-12-04 09:26:33 +01:00
Luis Tomas Bolivar d029ddb277 Ensure existing pods use the right network policy
This patch set ensures that:
- A new network policy is applied to existing pods
- A modification on the network policy selector gets applied on the
associated pods
- Deleting a network policy updates the access policies on the
associated pods
- There is no race when deleting the network policy, ensuring the
security group is first deleted from the ports and then removed
as part of the network policy deletion process

Partially Implements: blueprint k8s-network-policies

Change-Id: I25aa23b87947662333c021b9df3e83b9de2515e2
2018-11-29 14:27:52 +01:00
Daniel Mellado 76db817fb5 Support network policy update
This commit adds support for updating network policies. It handles the
patch to KuryrNetPolicy CRD and handles security group rules update.

Partially Implements: blueprint k8s-network-policies
Change-Id: I02f69616b8cf9cddd23fd415bbb7517b178907e8
2018-11-29 08:32:51 +01:00