From 7fb7d96c2150c351e49d0f845372e65fbc2c3645 Mon Sep 17 00:00:00 2001
From: Maysa Macedo
Date: Thu, 27 Feb 2020 17:03:55 +0000
Subject: [PATCH] Ensure LB sg rules use IPv6 when enabled

When IPv6 and Network Policy are enabled we must ensure the amphora SG is updated with sg rules using IPv6.

Implements: blueprint kuryr-ipv6-support
Change-Id: Id89b6c02e85d7faa75be6182c9d82ee7f32ff909
---
 kuryr_kubernetes/constants.py | 4 ++++
 kuryr_kubernetes/controller/drivers/lbaasv2.py | 9 +++++++++
 kuryr_kubernetes/utils.py | 12 ++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/kuryr_kubernetes/constants.py b/kuryr_kubernetes/constants.py
index ea4a5d2ba..9614444ee 100644
--- a/kuryr_kubernetes/constants.py
+++ b/kuryr_kubernetes/constants.py
@@ -66,6 +66,10 @@ KURYR_VIF_TYPE_SRIOV = 'sriov'
 OCTAVIA_L2_MEMBER_MODE = "L2"
 OCTAVIA_L3_MEMBER_MODE = "L3"
 NEUTRON_LBAAS_HAPROXY_PROVIDER = 'haproxy'
+IPv4 = 'IPv4'
+IPv6 = 'IPv6'
+IP_VERSION_4 = 4
+IP_VERSION_6 = 6
 VIF_POOL_POPULATE = '/populatePool'
 VIF_POOL_FREE = '/freePool'
diff --git a/kuryr_kubernetes/controller/drivers/lbaasv2.py b/kuryr_kubernetes/controller/drivers/lbaasv2.py
index 294c181eb..192cb225b 100644
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -13,6 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import ipaddress
 import random
 from six.moves import http_client as httplib
 import time
@@ -31,6 +32,7 @@ from oslo_utils import versionutils
 from kuryr_kubernetes import clients
 from kuryr_kubernetes import config
+from kuryr_kubernetes import constants as k_const
 from kuryr_kubernetes.controller.drivers import base
 from kuryr_kubernetes.controller.drivers import utils as c_utils
 from kuryr_kubernetes import exceptions as k_exc
@@ -307,11 +309,14 @@ class LBaaSv2Driver(base.LBaaSDriver):
 max_port+1)):
 continue
 all_pod_rules.append(rule)
+ sg_rule_ethertype = ipaddress.ip_network(
+ rule.remote_ip_prefix).version
 try:
 LOG.debug("Creating LBaaS sg rule for sg: %r", lb_sg)
 os_net.create_security_group_rule(
 direction='ingress',
+ ether_type=sg_rule_ethertype,
 port_range_min=port,
 port_range_max=port,
 protocol=protocol,
@@ -338,9 +343,13 @@ class LBaaSv2Driver(base.LBaaSDriver):
 self._delete_rule_if_no_match(rule, all_pod_rules)
 if add_default_rules:
+ sg_rule_ethertype = k_const.IPv4
+ if utils.get_service_subnet_version() == k_const.IP_VERSION_6:
+ sg_rule_ethertype = k_const.IPv6
 try:
 LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg)
 os_net.create_security_group_rule(direction='ingress',
+ ether_type=sg_rule_ethertype,
 port_range_min=port,
 port_range_max=port,
 protocol=protocol,
diff --git a/kuryr_kubernetes/utils.py b/kuryr_kubernetes/utils.py
index d39cfc275..d3be907cc 100644
--- a/kuryr_kubernetes/utils.py
+++ b/kuryr_kubernetes/utils.py
@@ -355,3 +355,15 @@ def get_service_ports(service):
 'port': port['port'],
 'targetPort': str(port['targetPort'])}
 for port in service['spec']['ports']]
+
+
+@MEMOIZE
+def get_service_subnet_version():
+ os_net = clients.get_network_client()
+ svc_subnet_id = CONF.neutron_defaults.service_subnet
+ try:
+ svc_subnet = os_net.get_subnet(svc_subnet_id)
+ except os_exc.ResourceNotFound:
+ LOG.exception("Service subnet %s not found", svc_subnet_id)
+ raise
+ return svc_subnet.ip_version
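Review bot: In the pod-rule hunk of lbaasv2.py (`@@ -307`), `ether_type` receives the integer returned by `ipaddress.ip_network(...).version` (4 or 6), while the default-rule hunk below and the new constants use the strings `'IPv4'`/`'IPv6'`. Neutron documents the ethertype as one of those strings, so the integer is likely rejected, which would leave the load balancer SG without the rule the network policy calls for. Mapping the version first keeps both call sites consistent: `sg_rule_ethertype = k_const.IPv6 if ipaddress.ip_network(rule.remote_ip_prefix).version == k_const.IP_VERSION_6 else k_const.IPv4`. The computation also sits above the `try:`, so a `ValueError` from `ip_network` (for instance a rule with no `remote_ip_prefix`, which this hunk does not rule out) would bypass that handler. The enclosing loop and the `except` clause are outside the hunk, so confirm against the full method.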
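Review bot: In the `add_default_rules` branch (`@@ -338`), `utils.get_service_subnet_version()` is called above the `try:`, so the `ResourceNotFound` that the helper logs and re-raises is not covered by the handler guarding the rule creation; that handler is outside the hunk. The branch follows the `_delete_rule_if_no_match` call, so a failure here could leave the LB security group pruned but without its default rule. Consider moving the three added lines inside the `try:` if its handler is meant to cover lookup failures, or catching the error here and logging which `lb_sg` was left unrestored. Also confirm that `utils` is imported in this module, since the visible import hunk shows only `c_utils` and `k_const`.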
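Review bot: `get_service_subnet_version` in utils.py has no docstring, and the lbaasv2 caller depends on its contract. It returns the subnet's `ip_version` (compared against `k_const.IP_VERSION_6`, so presumably an int) and the result is cached by `@MEMOIZE`. I would add `"""Return the IP version of the configured service subnet (memoized); re-raises ResourceNotFound if the subnet is missing."""`. `CONF.neutron_defaults.service_subnet` is passed to `get_subnet` unchecked, so an unset option surfaces only as a lookup failure; an explicit check that names the option would make that misconfiguration easier to diagnose.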