Ensure namespace and network policy compatibility
This patch ensures the namespace handler does not depend on specific
functions implemented by the security group driver for namespace
isolation. This way it will be possible to enable the namespace
handler (which creates a different network per namespace) together with
the network policy driver, which will perform the isolation between
pods/services in a different way.
Partially Implements: blueprint k8s-network-policies
Closes-Bug: #1799496
Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536
(cherry picked from commit 651da66af1
)
parent
84ad28ef65
commit
00c991be36
@ -947,7 +947,7 @@ elif [[ "$1" == "stack" && "$2" == "test-config" ]]; then
|
|||
if is_service_enabled tempest && [[ "$KURYR_K8S_CONTAINERIZED_DEPLOYMENT" == "True" ]]; then
|
||||
iniset $TEMPEST_CONFIG kuryr_kubernetes containerized True
|
||||
fi
|
||||
if is_service_enabled tempest && [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
|
||||
if is_service_enabled tempest && [[ "$KURYR_SG_DRIVER" == "namespace" ]] && [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
|
||||
iniset $TEMPEST_CONFIG kuryr_kubernetes namespace_enabled True
|
||||
fi
|
||||
if is_service_enabled tempest && [[ "$KURYR_K8S_SERIAL_TESTS" == "True" ]]; then
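Review bot: The new condition gates the tempest `namespace_enabled` flag on both `KURYR_SG_DRIVER` and `KURYR_SUBNET_DRIVER` being "namespace", but nothing in the hunk says why the SG driver is now required, and a reader of the devstack plugin cannot see that the default SG driver no longer creates per-namespace security groups. A one-line comment above the `if` would prevent someone from "fixing" the check back: `# Namespace isolation tests need the namespace SG driver: the default SG driver creates no per-namespace SG, so only the subnet driver being "namespace" gives a network but no isolation.` When only the subnet driver is "namespace", the flag is left at tempest's default rather than explicitly set to False; presumably that default is False, but it is worth confirming.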
|
||||
|
|
|
@ -221,7 +221,9 @@ class PodSecurityGroupsDriver(DriverBase):
|
|||
:param project_id: OpenStack project ID
|
||||
:param crd_spec: dict with the keys and values for the CRD spec, such
|
||||
as subnetId or subnetCIDR
|
||||
:return: dict with the keys and values for the CRD spec, such as sgId
|
||||
:return: dict with the keys and values for the CRD spec, such as sgId.
|
||||
If no security group need to be created for the namespace, it
|
||||
should return an empty dict
|
||||
"""
|
||||
raise NotImplementedError()
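Review bot: The reworded `:return:` contract now permits an empty dict, but it does not say what a non-empty dict must contain, and the deletion path in this same commit reads `sgId` from the CRD spec to decide whether `delete_sg` is called. I would make the key explicit in the docstring so a new driver cannot create a security group that is never cleaned up, e.g. `:return: dict with the keys and values for the CRD spec; if a security group was created it must include its ID under the ``sgId`` key, otherwise return an empty dict and no ``delete_sg`` call will be made for the namespace.` The "need to be created" phrasing should also read "needs to be created". The method signature enclosing this docstring is outside the hunk.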
|
||||
|
||||
|
|
|
@ -14,10 +14,13 @@
|
|||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
|
||||
from kuryr_kubernetes import config
|
||||
from kuryr_kubernetes.controller.drivers import base
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
|
||||
"""Provides security groups for Pod based on a configuration option."""
|
||||
|
@ -35,6 +38,15 @@ class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
|
|||
|
||||
return sg_list[:]
|
||||
|
||||
def create_namespace_sg(self, namespace, project_id, crd_spec):
|
||||
LOG.debug("Security group driver does not create SGs for the "
|
||||
"namespaces.")
|
||||
return {}
|
||||
|
||||
def delete_sg(self, sg_id):
|
||||
LOG.debug("Security group driver does not implement deleting "
|
||||
"SGs.")
|
||||
|
||||
|
||||
class DefaultServiceSecurityGroupsDriver(base.ServiceSecurityGroupsDriver):
|
||||
"""Provides security groups for Service based on a configuration option."""
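Review bot: `delete_sg` in the default driver logs at DEBUG and returns without looking at `sg_id`, so if an operator switches `KURYR_SG_DRIVER` from the namespace driver to this one, namespaces whose CRD still carries an `sgId` will have their security groups silently orphaned on deletion rather than reported. Since this driver never creates a namespace SG, receiving a non-None `sg_id` is a configuration mismatch worth surfacing: `if sg_id is not None: LOG.warning("Ignoring request to delete security group %s: the default SG driver does not manage namespace SGs.", sg_id)`. Both new methods also lack docstrings; `create_namespace_sg` should state that it returns an empty dict and therefore provides no per-namespace isolation, so that pairing this driver with the namespace subnet driver is understood to rely entirely on network policies for isolation.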
|
||||
|
|
|
@ -57,7 +57,11 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
|
|||
"Rolling back created network resources.")
|
||||
self._drv_subnets.rollback_network_resources(net_crd_spec, ns_name)
|
||||
raise
|
||||
net_crd_spec.update(net_crd_sg)
|
||||
if net_crd_sg:
|
||||
net_crd_spec.update(net_crd_sg)
|
||||
else:
|
||||
LOG.debug("No SG created for the namespace. Namespace isolation "
|
||||
"will not be enforced.")
|
||||
|
||||
# create CRD resource for the network
|
||||
try:
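Review bot: The `else` branch records that namespace isolation will not be enforced only at DEBUG level, so an operator who enables the namespace subnet driver with an SG driver that returns an empty dict gets a per-namespace network with no isolation and no visible signal that this is the case. Unless the handler can confirm that a network policy driver is active, which this hunk does not show, I would raise the level and name the namespace: `LOG.warning("No SG created for namespace %s. Namespace isolation will not be enforced by security groups.", ns_name)`. The `update` call itself is fine; it just needs the non-empty check the commit adds. The enclosing `on_present` method starts before this hunk.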
|
||||
|
@ -80,7 +84,12 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
|
|||
|
||||
self._drv_vif_pool.delete_network_pools(net_crd['spec']['netId'])
|
||||
self._drv_subnets.delete_namespace_subnet(net_crd)
|
||||
self._drv_sg.delete_sg(net_crd['spec']['sgId'])
|
||||
sg_id = net_crd['spec'].get('sgId')
|
||||
if sg_id:
|
||||
self._drv_sg.delete_sg(sg_id)
|
||||
else:
|
||||
LOG.debug("There is no security group associated with the "
|
||||
"namespace to be deleted")
|
||||
|
||||
self._del_kuryrnet_crd(net_crd_id)
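Review bot: `delete_sg` is now conditional on `sgId` being present in the CRD spec, but it is still invoked after `delete_network_pools` and `delete_namespace_subnet` and before `_del_kuryrnet_crd`, so a failure deleting the security group leaves the CRD in place while the subnet is already gone; presumably the handler will retry `on_deleted`, which then re-runs the pool and subnet deletions against resources that no longer exist, and whether those calls tolerate that is not visible here. A short comment stating the intended retry semantics would help, e.g. `# SG is deleted last so a failure keeps the CRD for retry; the preceding deletions must be idempotent.` The `if sg_id:` truthiness check also treats an empty-string `sgId` as "no SG"; `if sg_id is not None:` would be the stricter reading of the new driver contract. The enclosing `on_deleted` method starts before this hunk.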
|
||||
|
||||
|
|