From 74fdd3c833b1f49936ae2869c700830187814260 Mon Sep 17 00:00:00 2001
From: Luis Tomas Bolivar
Date: Fri, 14 Dec 2018 12:54:16 +0100
Subject: [PATCH] Ensure network policies are not applied on pod with host networking

This ensures kuryr-controller is not trying to add security groups to the pods with host networking as those are not mananged by kuryr cni

Partially Implements: blueprint k8s-network-policies
Change-Id: Ie43a6783675c6870e2f93ac6902cfdcdd500caa4
---
 kuryr_kubernetes/controller/handlers/policy.py | 5 +++++
 .../tests/unit/controller/handlers/test_policy.py | 12 +++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/kuryr_kubernetes/controller/handlers/policy.py b/kuryr_kubernetes/controller/handlers/policy.py
index f92eb2b38..54b4489f1 100644
--- a/kuryr_kubernetes/controller/handlers/policy.py
+++ b/kuryr_kubernetes/controller/handlers/policy.py
@@ -19,6 +19,7 @@ from oslo_log import log as logging
 from kuryr_kubernetes import clients
 from kuryr_kubernetes import constants as k_const
 from kuryr_kubernetes.controller.drivers import base as drivers
+from kuryr_kubernetes.controller.drivers import utils as driver_utils
 from kuryr_kubernetes.handlers import k8s_base
 from kuryr_kubernetes import utils
 
@@ -70,6 +71,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
             pods_to_update.extend(matched_pods)
 
         for pod in pods_to_update:
+            if driver_utils.is_host_network(pod):
+                continue
             pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
             self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
 
@@ -80,6 +83,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
         netpolicy_crd = self._drv_policy.get_kuryrnetpolicy_crd(policy)
         crd_sg = netpolicy_crd['spec'].get('securityGroupId')
         for pod in pods_to_update:
+            if driver_utils.is_host_network(pod):
+                continue
             pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
             if crd_sg in pod_sgs:
                 pod_sgs.remove(crd_sg)
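Review bot: The `if driver_utils.is_host_network(pod): continue` guard added at the top of both `for pod in pods_to_update:` loops (this hunk in on_present and the next one in on_deleted) silently discards pods the policy selected, so a NetworkPolicy whose selector matches a hostNetwork pod is not enforced by Kuryr and nothing records that it was skipped. A why-comment and a debug line before the `continue` would make that visible to whoever debugs a policy that "does nothing", e.g. `# hostNetwork pods use the node's namespace and have no Kuryr-managed port, so SGs cannot be applied` followed by, if the module keeps the usual `LOG = logging.getLogger(__name__)` from the oslo_log import shown in the first hunk, `LOG.debug('Skipping host network pod, no security groups applied: %s', pod)`. The identical two-line guard is now duplicated in both methods; filtering `pods_to_update` once where it is built (or in one small private helper both methods call) would keep the two paths from drifting apart. Both enclosing methods start and end outside these hunks, so the rest of their bodies could not be checked.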
diff --git a/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py b/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
index d9afbcae1..0d2ed3210 100644
--- a/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py
@@ -108,9 +108,11 @@ class TestPolicyHandler(test_base.TestCase):
                          handler._drv_project)
         self.assertEqual(m_get_policy_driver.return_value, handler._drv_policy)
 
-    def test_on_present(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_present(self, m_host_network):
         modified_pod = mock.sentinel.modified_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
 
         knp_on_ns = self._handler._drv_policy.knps_on_namespace
         knp_on_ns.return_value = True
@@ -136,9 +138,11 @@ class TestPolicyHandler(test_base.TestCase):
         calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
         self._update_vif_sgs.assert_has_calls(calls)
 
-    def test_on_present_without_knps_on_namespace(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_present_without_knps_on_namespace(self, m_host_network):
         modified_pod = mock.sentinel.modified_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
 
         ensure_nw_policy = self._handler._drv_policy.ensure_network_policy
         ensure_nw_policy.return_value = [modified_pod]
@@ -161,9 +165,11 @@ class TestPolicyHandler(test_base.TestCase):
                    mock.call(match_pod, sg3)]
         self._update_vif_sgs.assert_has_calls(calls)
 
-    def test_on_deleted(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_deleted(self, m_host_network):
         namespace_pod = mock.sentinel.namespace_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
         affected_pods = self._handler._drv_policy.affected_pods
         affected_pods.return_value = [match_pod]
         get_knp_crd = self._handler._drv_policy.get_kuryrnetpolicy_crd
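Review bot: All three patched tests pin `m_host_network.return_value = False`, so the skip branch this commit adds to on_present and on_deleted is never executed by the suite; removing the `continue` in the handler would leave every test here green. One more test per handler path with `m_host_network.return_value = True`, driving the same call the existing test makes and finishing with `self._update_vif_sgs.assert_not_called()`, would pin the behaviour the commit actually introduces (the pod-SG lookup could be asserted not called the same way). As written, the mocks only prove the new import resolves, not that hostNetwork pods are left alone. Each patched test method continues past the last line of its hunk.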