diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes
index 7486ed2b1..981684717 100644
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@@ -174,6 +174,23 @@ print("%s\\t%s" % (n[beg_offset], n[-end_offset]))
 EOF
 }
+# create_k8s_icmp_sg_rules
+# Description: Creates icmp sg rules for Kuryr-Kubernetes pods
+# Params:
+# sg_id - Kuryr's security group id
+# direction - egress or ingress direction
+function create_k8s_icmp_sg_rules {
+ local sg_id=$1
+ local direction="$2"
+ icmp_sg_rules=$(openstack --os-cloud devstack-admin \
+ --os-region "$REGION_NAME" \
+ security group rule create \
+ --protocol icmp \
+ --"$direction" "$sg_id")
+ die_if_not_set $LINENO icmp_sg_rules \
+ "Failure creating icmp sg ${direction} rule for ${sg_id}"
+}
+
 # create_k8s_subnet
 # Description: Creates a network and subnet for Kuryr-Kubernetes usage
 # Params:
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 9e2ac7151..d731c8a21 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -303,6 +303,20 @@ function configure_neutron_defaults {
 iniset "$KURYR_CONFIG" octavia_defaults member_mode "$KURYR_K8S_OCTAVIA_MEMBER_MODE"
 }
+function configure_k8s_pod_sg_rules {
+ local project_id
+ local sg_id
+
+ project_id=$(get_or_create_project \
+ "$KURYR_NEUTRON_DEFAULT_PROJECT" default)
+ sg_id=$(openstack --os-cloud devstack-admin \
+ --os-region "$REGION_NAME" \
+ security group list \
+ --project "$project_id" -c ID -c Name -f value | \
+ awk '/default/ {print $1}')
+ create_k8s_icmp_sg_rules "$sg_id" ingress
+}
+
 function get_hyperkube_container_cacert_setup_dir {
 case "$1" in
 1.[0-3].*) echo "/data";;
@@ -582,6 +596,7 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
 if is_service_enabled tempest; then
 copy_tempest_kubeconfig
+ configure_k8s_pod_sg_rules
 fi
 if is_service_enabled kuryr-kubernetes; then
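Review bot: `icmp_sg_rules` in create_k8s_icmp_sg_rules is assigned without `local`, so it leaks into the global scope of whatever sources this library; declare it beside the other two with `local icmp_sg_rules`. The rule is created with only `--protocol icmp`, so no remote prefix or remote group is given and, as far as I know, the client then defaults to accepting ICMP from any IPv4 address. If only pod or test-runner traffic is meant, narrow it with `--remote-ip` and state the intended source in the header comment. `direction` is also interpolated straight into an option name (`--"$direction"`), so a `case` that accepts only `ingress` and `egress` would turn a typo into a clear error rather than an opaque CLI failure.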
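Review bot: The `awk '/default/ {print $1}'` filter in configure_k8s_pod_sg_rules matches every row that merely contains the string default, so `sg_id` can end up holding several IDs or none, and either case only surfaces later as the generic die inside create_k8s_icmp_sg_rules. Match the name column exactly with `awk '$2 == "default" {print $1}'` and check the result before use, `die_if_not_set $LINENO sg_id "Default security group not found for ${project_id}"`. The function also edits the project's default security group, which applies to every port that uses it and not only to pods, so a header comment (and ideally the name) should state that scope.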
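Review bot: The new `configure_k8s_pod_sg_rules` call sits inside the `is_service_enabled tempest` branch with no comment, so a cloud stacked with tempest gets a different firewall policy (ICMP ingress allowed on the default security group) than one stacked without it, and the reason is not recorded. A one-line comment above the call would capture the intent, for example `# Tempest connectivity tests presumably ping pods; allow ICMP ingress on the default SG`, with the reason confirmed by the author. It is also worth checking whether a second run of the `stack`/`extra` phase against an existing cloud fails on the duplicate rule, since create_k8s_icmp_sg_rules dies when the create command returns nothing.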