Add support for policyTypes at Network Policies
This patch adds support to consider policyTypes when applying network policies. It ensures ingress/egress traffic is allowed when the network policy is not affecting them if not targetted by the policyTypes Closes-Bug: 1822333 Change-Id: I3281e1ca2c4dcaf38ac9bd220eb4e91b5484904d
This commit is contained in:
Luis Tomas Bolivar
parent
abcb1863e2
commit
b653be469b
|
|
@ -296,8 +296,42 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||
return allow_all, selectors, allowed_cidrs
|
||||
|
||||
def _parse_sg_rules(self, sg_rule_body_list, direction, policy, sg_id):
|
||||
"""Parse policy into security group rules.
|
||||
|
||||
This method inspects the policy object and create the equivalent
|
||||
security group rules associating them to the referenced sg_id.
|
||||
It returns the rules by adding them to the sg_rule_body_list list,
|
||||
for the stated direction.
|
||||
|
||||
It accounts for special cases, such as:
|
||||
- PolicyTypes stating only Egress: ensuring ingress is not restricted
|
||||
- PolicyTypes not including Egress: ensuring egress is not restricted
|
||||
- {} ingress/egress rules: applying default open for all
|
||||
"""
|
||||
rule_list = policy['spec'].get(direction)
|
||||
if not rule_list:
|
||||
policy_types = policy['spec'].get('policyTypes')
|
||||
if direction == 'ingress':
|
||||
if len(policy_types) == 1 and policy_types[0] == 'Egress':
|
||||
# NOTE(ltomasbo): add default rule to enable all ingress
|
||||
# traffic as NP policy is not affecting ingress
|
||||
LOG.debug('Applying default all open for ingress for '
|
||||
'policy %s', policy['metadata']['selfLink'])
|
||||
rule = driver_utils.create_security_group_rule_body(
|
||||
sg_id, direction)
|
||||
sg_rule_body_list.append(rule)
|
||||
elif direction == 'egress':
|
||||
if policy_types and 'Egress' not in policy_types:
|
||||
# NOTE(ltomasbo): add default rule to enable all egress
|
||||
# traffic as NP policy is not affecting egress
|
||||
LOG.debug('Applying default all open for egress for '
|
||||
'policy %s', policy['metadata']['selfLink'])
|
||||
rule = driver_utils.create_security_group_rule_body(
|
||||
sg_id, direction)
|
||||
sg_rule_body_list.append(rule)
|
||||
else:
|
||||
LOG.warning('Not supported policyType at network policy %s',
|
||||
policy['metadata']['selfLink'])
|
||||
return
|
||||
|
||||
policy_namespace = policy['metadata']['namespace']
|
||||
|
|
@ -308,8 +342,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
|
|||
if rule_list[0] == {}:
|
||||
LOG.debug('Applying default all open policy from %s',
|
||||
policy['metadata']['selfLink'])
|
||||
rule = driver_utils.create_security_group_rule_body(
|
||||
sg_id, direction, port_range_min=1, port_range_max=65535)
|
||||
rule = driver_utils.create_security_group_rule_body(sg_id,
|
||||
direction)
|
||||
sg_rule_body_list.append(rule)
|
||||
|
||||
for rule_block in rule_list:
|
||||
|
|
|
|||
|
|
@ -362,10 +362,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
|
|||
policy['spec']['egress'] = [{}]
|
||||
self._driver.parse_network_policy_rules(policy, self._sg_id)
|
||||
m_get_ns_cidr.assert_not_called()
|
||||
calls = [mock.call(self._sg_id, 'ingress', port_range_min=1,
|
||||
port_range_max=65535),
|
||||
mock.call(self._sg_id, 'egress', port_range_min=1,
|
||||
port_range_max=65535)]
|
||||
calls = [mock.call(self._sg_id, 'ingress'),
|
||||
mock.call(self._sg_id, 'egress')]
|
||||
m_create.assert_has_calls(calls)
|
||||
|
||||
@mock.patch.object(network_policy.NetworkPolicyDriver,
|
||||
|
|
|
|||
Loading…
Reference in New Issue