Merge "Ensure host to pod connectivity for NP"
commit
1f43759f69
|
@ -120,6 +120,31 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||
return existing_pod_selector
|
||||
return False
|
||||
|
||||
def _add_default_np_rules(self, sg_id):
|
||||
"""Add extra SG rule to allow traffic from svcs and host.
|
||||
|
||||
This method adds the base security group rules for the NP security
|
||||
group:
|
||||
- Ensure traffic is allowed from the services subnet
|
||||
- Ensure traffic is allowed from the host
|
||||
"""
|
||||
default_cidrs = []
|
||||
default_cidrs.append(utils.get_subnet_cidr(
|
||||
config.CONF.neutron_defaults.service_subnet))
|
||||
worker_subnet_id = config.CONF.pod_vif_nested.worker_nodes_subnet
|
||||
if worker_subnet_id:
|
||||
default_cidrs.append(utils.get_subnet_cidr(worker_subnet_id))
|
||||
for cidr in default_cidrs:
|
||||
default_rule = {
|
||||
u'security_group_rule': {
|
||||
u'ethertype': 'IPv4',
|
||||
u'security_group_id': sg_id,
|
||||
u'direction': 'ingress',
|
||||
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
|
||||
u'remote_ip_prefix': cidr
|
||||
}}
|
||||
driver_utils.create_security_group_rule(default_rule)
|
||||
|
||||
def create_security_group_rules_from_network_policy(self, policy,
|
||||
project_id):
|
||||
"""Create initial security group and rules
|
||||
|
@ -151,19 +176,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||
sgr_id = driver_utils.create_security_group_rule(e_rule)
|
||||
e_rule['security_group_rule']['id'] = sgr_id
|
||||
|
||||
# NOTE(ltomasbo): Add extra SG rule to allow traffic from services
|
||||
# subnet
|
||||
svc_cidr = utils.get_subnet_cidr(
|
||||
config.CONF.neutron_defaults.service_subnet)
|
||||
svc_rule = {
|
||||
u'security_group_rule': {
|
||||
u'ethertype': 'IPv4',
|
||||
u'security_group_id': sg_id,
|
||||
u'direction': 'ingress',
|
||||
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
|
||||
u'remote_ip_prefix': svc_cidr
|
||||
}}
|
||||
driver_utils.create_security_group_rule(svc_rule)
|
||||
# Add default rules to allow traffic from host and svc subnet
|
||||
self._add_default_np_rules(sg_id)
|
||||
except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
|
||||
LOG.exception("Error creating security group for network policy "
|
||||
" %s", policy['metadata']['name'])
|
||||
|
|
|
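Review bot: The two rules built in `_add_default_np_rules` carry no `protocol` or port range, so each one admits all IPv4 traffic from the entire service subnet and the entire worker-nodes subnet into every pod covered by the policy — that is every address in those CIDRs, not only the node hosting the pod — and the docstring does not say so. I would state it explicitly, e.g. `Both rules are protocol- and port-agnostic: NetworkPolicy isolation does not apply to any source inside the service or worker-nodes subnet.` so operators reviewing NP enforcement know the scope of the exception. The `if worker_subnet_id:` branch also skips the host rule silently when `pod_vif_nested.worker_nodes_subnet` is unset, which contradicts the "ensure traffic is allowed from the host" claim; an `else:` with `LOG.warning("worker_nodes_subnet is not set; host-to-pod traffic will not be allowed by the NP security group")` would make the degraded state visible. `ethertype` is hard-coded to `'IPv4'`, so an IPv6 subnet CIDR would presumably yield an invalid rule — worth a comment or a check if IPv6 is in scope. The second hunk's `create_security_group_rules_from_network_policy` begins and ends outside the shown lines.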
@ -180,6 +180,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
m_affected.assert_not_called()
|
||||
m_namespaced.assert_called_once_with(self._policy)
|
||||
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'_add_default_np_rules')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'get_kuryrnetpolicy_crd')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
|
@ -190,7 +192,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
def test_create_security_group_rules_from_network_policy(self, m_utils,
|
||||
m_parse,
|
||||
m_add_crd,
|
||||
m_get_crd):
|
||||
m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
|
@ -202,7 +205,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
self._policy, self._project_id)
|
||||
m_get_crd.assert_called_once()
|
||||
m_add_crd.assert_called_once()
|
||||
m_add_default.assert_called_once()
|
||||
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'_add_default_np_rules')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'get_kuryrnetpolicy_crd')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
|
@ -211,7 +217,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
'parse_network_policy_rules')
|
||||
@mock.patch.object(utils, 'get_subnet_cidr')
|
||||
def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
|
||||
m_add_crd, m_get_crd):
|
||||
m_add_crd, m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
|
@ -225,7 +232,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
self._driver.create_security_group_rules_from_network_policy,
|
||||
self._policy, self._project_id)
|
||||
m_add_crd.assert_called_once()
|
||||
m_add_default.assert_called_once()
|
||||
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'_add_default_np_rules')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
'get_kuryrnetpolicy_crd')
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
|
@ -234,7 +244,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
'parse_network_policy_rules')
|
||||
@mock.patch.object(utils, 'get_subnet_cidr')
|
||||
def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
|
||||
m_add_crd, m_get_crd):
|
||||
m_add_crd, m_get_crd,
|
||||
m_add_default):
|
||||
self._driver.neutron.create_security_group.return_value = {
|
||||
'security_group': {'id': mock.sentinel.id}}
|
||||
m_utils.get_subnet_cidr.return_value = {
|
||||
|
@ -248,6 +259,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
self._driver.create_security_group_rules_from_network_policy,
|
||||
self._policy, self._project_id)
|
||||
m_get_crd.assert_not_called()
|
||||
m_add_default.assert_called_once()
|
||||
|
||||
def test_create_security_group_rules_with_n_exc(self):
|
||||
self._driver.neutron.create_security_group.side_effect = (
|
||||
|
|
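Review bot: Every test touched here patches `_add_default_np_rules` out with `mock.patch.object` and only asserts `m_add_default.assert_called_once()`, so the new method's own logic — the conditional on `worker_nodes_subnet` and the content of the rules it creates — has no coverage. I would add a dedicated test for `_add_default_np_rules` that mocks `get_subnet_cidr` and the security-group-rule creation helper, sets the worker subnet option, and asserts two rule creations with `direction` `ingress`, the given `security_group_id` and the expected `remote_ip_prefix` values, plus a second case with the option unset asserting only the service-subnet rule is created. The `test_create_security_group_rules_*` functions all start before the shown hunks and end after them.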