Commit Graph

18 Commits

Author SHA1 Message Date
Roman Dobosz a38d764ffc Get rid of obsolete KuryrNetPolicy CRD.
There are some mentions of KuryrNetPolicy around our code. In
this patch we are removing it (with one exception - the spec for
the originally designed CRD for network policy handling), just to avoid
confusion with the currently used KuryrNetworkPolicy.

Change-Id: Ie9bb46467a249e1c0ada3a9810c4fff59fd57757
2022-06-10 15:46:31 +02:00
Michał Dulko e84a6a707e Fix NPs for OVN LBs with hairpin traffic
In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied may have that traffic blocked when it should be
allowed.

To fix that this commit makes sure that SGs used for NPs include ingress
rules for each of the Services in its namespace. It's not ideal but
seems to be a fair compromise between opening as little traffic as
possible and increasing the number of security groups and rules.

As this commit makes sure all the NPs in the namespace are reanalyzed
every time a Service is created or deleted, a few fixes in order to
support that are also made.

Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
Closes-Bug: 1923452
2021-05-05 16:36:17 +02:00
Roman Dobosz de6a06c6f7 Adapt selfLink calculation for any k8s objects.
Also, selfLink occurrences in unit tests have been removed (besides
those which actually make sense), and in documentation.

Implements: blueprint selflink
Change-Id: Ib0bcc9f5cb6c4cdc27c3393dcb3f665b21cb64ac
2021-01-12 15:59:22 +01:00
Roman Dobosz 293750c9db Move to quay.io with kuryr/demo docker image.
Change documentation and tests from 'demo/kuryr', which by default will
use the Docker registry, to 'quay.io/demo/kuryr', which will hint at the
quay.io registry.

Change-Id: I7edc6bd8fed2943acf78ce2b66c44c91b1c33114
2020-11-19 10:24:37 +01:00
Michał Dulko a1708e1c76 KuryrNetworkPolicy CRD
This commit is a huge refactoring of how we handle network policies. In
general:

* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
  is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
  NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
  This means that in order to trigger SG rules recalculation on Pod and
  Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
  KuryrNetworkPolicy objects, so that objects cannot get removed before
  KuryrNetworkPolicyHandler has processed their deletion correctly.

Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
2020-07-31 14:44:15 +02:00
Roman Dobosz 58e3ca2829 Enable IPv6 in network policy driver.
In the network policy driver we are using security groups on the OpenStack
side to create appropriate port ranges to be open for certain hosts (or
all hosts). In this patch we add a mechanism for selecting the right IP
version for the rule, or creating rules for both (IPv4 and IPv6) network
types.

Implements: blueprint kuryr-ipv6-support
Change-Id: Ie7544aeebb1d18038ebc19c8f815b69213b55a88
2020-05-07 17:09:53 +00:00
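Added illustration of the two rule-building decisions described in the hairpin-LB commit above (e84a6a707e: one ingress rule per Service VIP in the NP's namespace, since OVN source-NATs hairpinned LB traffic to the VIP) and in the IPv6 commit (58e3ca2829: ethertype chosen from the IP version, or one rule per ethertype when no CIDR is given). This is not kuryr-kubernetes code; the dictionary fields follow the Neutron security-group-rule API, but the helper names, the `sg-1` id and the sample Services are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample input (not from the project): Services in the namespace
# the NetworkPolicy lives in. The headless Service has no VIP, so OVN never
# hairpins traffic through it and it must not produce a rule.
SAMPLE_SERVICES = [
    {"name": "web", "cluster_ip": "10.0.0.10",
     "ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 443}]},
    {"name": "dns", "cluster_ip": "fd00:10::53",
     "ports": [{"protocol": "UDP", "port": 53}]},
    {"name": "headless", "cluster_ip": "None",
     "ports": [{"protocol": "TCP", "port": 9000}]},
]


def ethertype_of(version):
    """Neutron ethertype string for an IP version (4 or 6)."""
    return "IPv4" if version == 4 else "IPv6"


def host_prefix(addr):
    """Single-host CIDR for an address: /32 for IPv4, /128 for IPv6."""
    ip = ipaddress.ip_address(addr)
    return f"{ip}/{32 if ip.version == 4 else 128}"


def make_rule(sg_id, ethertype, protocol, port_min, port_max, remote_prefix):
    """Neutron SG rule body (ingress only, as NP ingress rules are here)."""
    return {
        "security_group_id": sg_id,
        "direction": "ingress",
        "ethertype": ethertype,
        "protocol": protocol,
        "port_range_min": port_min,
        "port_range_max": port_max,
        "remote_ip_prefix": remote_prefix,
    }


def rule_key(rule):
    """Identity of a rule for de-duplication and reconciliation."""
    return (rule["direction"], rule["ethertype"], rule["protocol"],
            rule["port_range_min"], rule["port_range_max"],
            rule["remote_ip_prefix"])


def service_ingress_rules(sg_id, services):
    """One ingress rule per (Service VIP, port) so hairpinned LB traffic,
    whose source is rewritten to the VIP, is not dropped by the NP's SG."""
    rules, seen = [], set()
    for svc in services:
        vip = svc.get("cluster_ip")
        if not vip or vip == "None":
            continue  # headless / no VIP: nothing to hairpin through
        ether = ethertype_of(ipaddress.ip_address(vip).version)
        for p in svc["ports"]:
            r = make_rule(sg_id, ether, p["protocol"].lower(),
                          p["port"], p["port"], host_prefix(vip))
            if rule_key(r) not in seen:
                seen.add(rule_key(r))
                rules.append(r)
    return rules


def cidr_rules(sg_id, protocol, port_min, port_max, cidr=None):
    """NP rule for a CIDR: ethertype follows the CIDR's IP version. With no
    CIDR ("all hosts") emit one rule per ethertype so both families are open."""
    if cidr is None:
        return [make_rule(sg_id, e, protocol, port_min, port_max, None)
                for e in ("IPv4", "IPv6")]
    net = ipaddress.ip_network(cidr, strict=False)
    return [make_rule(sg_id, ethertype_of(net.version), protocol,
                      port_min, port_max, str(net))]


def reconcile(existing, desired):
    """Diff current vs wanted rules so re-running on every Service create or
    delete is idempotent: returns (rules_to_create, rules_to_delete)."""
    have = {rule_key(r): r for r in existing}
    want = {rule_key(r): r for r in desired}
    to_create = [want[k] for k in want if k not in have]
    to_delete = [have[k] for k in have if k not in want]
    return to_create, to_delete


if __name__ == "__main__":
    current = service_ingress_rules("sg-1", SAMPLE_SERVICES)
    # Simulate the "dns" and "headless" Services being deleted.
    create, delete = reconcile(current, service_ingress_rules("sg-1", SAMPLE_SERVICES[:1]))
    print(len(current), "rules;", len(create), "to create;", len(delete), "to delete")
```

The reconcile step is what makes the "reanalyze every NP when a Service changes" approach safe to run repeatedly: only the delta is sent to Neutron, so a Service deletion removes exactly its VIP rule and a re-run with no change is a no-op.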
Sean McGinnis 5ee781f41c Use unittest.mock instead of third party mock
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.

Change-Id: I26b9878515ea156a6b4bde14a64848621593d868
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-04-18 11:53:51 -05:00
Maysa Macedo 18a495ad83 Ensure list of pods items is retrieved
Right now we attempt to retrieve the list of pods without
fetching the items field returned on the kubernetes response,
causing the wrong element to be fetched.

This commit fixes the issue by getting the list of pods
through the items.

Closes-bug: 1864451
Change-Id: I0144f68900011ba3b5c6373a439dc1df3a68f8ed
2020-02-24 17:26:58 +00:00
Michał Dulko 7ed6e86744 Basic Python 3 compatibility fixes
This is result of running 2to3 without dict fix (as it seems
unnecessary for most of our cases).

In Python 3 {}.values() returns a view that is not indexable. This
commit uses list() on that to make AddHandler.should_callback compatible
with Python 3.

Change-Id: I354597f43d43630f9fb875dd8c9ab741c35af723
2019-11-22 09:19:14 +01:00
Maysa Macedo b0dfb4e5e0 Ensure Pod IP is retrieved after pod is annotated with the VIF
When a pod takes a while to get annotated with the VIF information,
the retrieval of the pod IP from the annotations might fail due to
missing annotation, causing the controller to restart.
This commit fixes the issue by ensuring the pod IP is only retrieved
after the pod is annotated.

Change-Id: Iac1570b76783d532b77e7d8be96f2b71a19f8409
Closes-Bug: 1841758
2019-08-28 16:04:10 +02:00
Luis Tomas Bolivar e2e63cfc4d Ensure kuryrnet does not perform multiple repopulations
This patch makes use of the KuryrNet CRD spec to ensure pools
population actions on a new namespace only happen once.

Closes-Bug: 1833032

Change-Id: Ia561833d594c55c17a9dc1a588d39bf3410cdf81
2019-06-18 17:56:23 +02:00
Maysa Macedo e7d95c40d1 Fix CRD update on SG rule creation
The CRD is not updated with the created SG rule
when a Network Policy that contains more than one selector
in the ingress/egress rules and a pod that matches any selector
that is not the first are created.
This commit fixes the issue by ensuring the flag that indicates
when the CRD needs update is not overwritten when handling each
selector.

Change-Id: I02c9b9929a3156d9d40e5aeefef5456f6befa0ab
Closes-Bug: 1829041
2019-05-28 09:52:21 -04:00
Maysa Macedo bf848c5b22 Fix CRD update when NP has namespaceSelectors
To enforce the network policy isolation, the network policy
security group driver must be used. Thus the code needs to be
there instead of in the namespace security group driver (which
is used for namespace isolation)

Currently, when using the correct Network Policy drivers and
handlers the CRD is not updated on events applied over namespaces
that match a NP.
This commit fixes the issue by moving the support of this
functionality from 'NamespacePodSecurityGroupsDriver' to
NetworkPolicySecurityGroupsDriver.

Closes-bug: 1811995
Partially Implements: blueprint k8s-network-policies
Change-Id: Idaf70ea8cb7677296d6bea59b4d551bbb87e0422
2019-01-23 16:07:17 +00:00
Maysa Macedo 9deb322962 Update CRD when NP has namespaceSelectors
When a namespace is created, deleted or updated and
its labels match the namespaceSelector of a NP,
the CRD and the respective sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: I515de28647f5f06248555733c27dd4f5a56149ec
2019-01-08 20:22:02 +00:00
Maysa Macedo 0b95415c14 Update CRD when NP has podSelectors
When a pod gets created, deleted or updated and its labels
match the PodSelector of a NP, the sg must be updated.

Partially Implements: blueprint k8s-network-policies

Change-Id: Ic0dd3bc93e2453460c4d8dea360efd414b6ae42b
2019-01-02 22:14:44 +00:00
Maysa Macedo 8f42cd84d1 Add support to match expressions in Network Policies
This commit adds support for match expressions and redesigns how
Security Groups are fetched and applied to pods that match
a Network Policy.

Change-Id: I5d2831b09e24a2adc3c26aa29f1e7b131e9314ba
2018-12-12 10:50:58 +00:00
Luis Tomas Bolivar d029ddb277 Ensure existing pods use the right network policy
This patch set ensures that:
- A new network policy is applied to existing pods
- A modification of the network policy selector gets applied to the
associated pods
- Deleting a network policy updates the access policies on the
associated pods
- There is no race when deleting the network policy, ensuring the
security group is first removed from the ports and then deleted
as part of the network policy deletion process

Partially Implements: blueprint k8s-network-policies

Change-Id: I25aa23b87947662333c021b9df3e83b9de2515e2
2018-11-29 14:27:52 +01:00
Daniel Mellado 6dfd4067f5 Add security groups driver for NP
This commit creates a new security group driver for handling network
policies sg and sg rules.

Partially Implements: blueprint k8s-network-policies
Change-Id: Ie4dfac39704f4bbfb31eb329cd43ab8a06addf0d
2018-11-29 08:32:51 +01:00