Ensure OpenShift gate uses the namespace subnet/sg drivers

Depends-On: I5d12d6be2b89b6301d7f2509513a558b33ef5898
Implements: blueprint openshift-project-isolation-support

Change-Id: I46dcb331e63421437468fd55f5ffdf02ed2ee148
Luis Tomas Bolivar 2018-07-06 14:31:19 +02:00
parent e3a33599a3
commit b4b2c7bf48
4 changed files with 25 additions and 6 deletions


@ -105,6 +105,10 @@
vars:
devstack_services:
kuryr-daemon: true
devstack_localrc:
KURYR_SUBNET_DRIVER: namespace
KURYR_SG_DRIVER: namespace
KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace
voting: false
- job:
@ -113,12 +117,10 @@
Tempest with Octavia, CNI daemon, containers and namespace subnet driver
parent: kuryr-kubernetes-tempest-daemon-containerized-octavia
vars:
tempest_test_regex: '^(kuryr_tempest_plugin.tests.scenario.test_namespace.TestNamespaceScenario.test_namespace)'
devstack_localrc:
KURYR_SUBNET_DRIVER: namespace
KURYR_SG_DRIVER: namespace
KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace
voting: false
- job:
name: kuryr-kubernetes-tempest-daemon-containerized-openshift-octavia


@ -491,6 +491,12 @@ rules:
- nodes
- services
- services/status
- namespaces
- apiGroups:
- openstack.org
verbs: ["*"]
resources:
- kuryrnets
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
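Review bot: The rule for `kuryrnets` in the `openstack.org` API group uses `verbs: ["*"]`, which grants every current and future verb (including `deletecollection`) on that resource. Given the ClusterRoleBinding that follows, it presumably does so cluster-wide. Listing only the verbs the controller actually uses keeps the role least-privilege, for example `verbs: ["get", "list", "watch", "create", "delete"]` if that is the full set; confirm this against the controller code. Separately, `namespaces` is appended to a rule whose `apiGroups` and `verbs` lie outside the hunk, so it is worth checking that the rule is read-only before namespaces inherit it.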


@ -419,7 +419,7 @@ function configure_neutron_defaults {
"$allow_default_sg_id"
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
security group rule create --project "$project_id" \
--description "allow traffic from default namespace" \
--description "allow icmp traffic from default namespace" \
--remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol icmp \
"$allow_default_sg_id"
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
@ -427,11 +427,20 @@ function configure_neutron_defaults {
--description "allow traffic from namespaces at default namespace" \
--remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol tcp \
"$allow_namespace_sg_id"
# NOTE(ltomasbo): Some tempest test are using FIP and depends on icmp
# traffic being allowed to the pods. To enable these tests we permit
# icmp traffic from everywhere on the default namespace. Note tcp
# traffic will be dropped, just icmp is permitted.
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
security group rule create --project "$project_id" \
--description "allow traffic from namespaces at default namespace" \
--remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol icmp \
"$allow_namespace_sg_id"
--description "allow imcp traffic from everywhere to default namespace" \
--ethertype IPv4 --protocol icmp "$allow_namespace_sg_id"
# NOTE(ltomasbo): As more security groups and rules are created, there
# is a need to increase the quota for it
openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
quota set --secgroups 100 --secgroup-rules 100 "$project_id"
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id"
iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id"
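Review bot: The last `security group rule create` in the second hunk passes neither `--remote-group` nor `--remote-ip`, so the ICMP ingress rule on `$allow_namespace_sg_id` is open to any IPv4 source, and as far as the hunk shows it is created unconditionally rather than only for tempest runs. Spelling the remote out makes that intent visible to whoever audits the group later, and the description string has a typo (`imcp`) that will be stored in Neutron and missed by a search for `icmp`: `--description "allow icmp traffic from everywhere to default namespace" \` followed by `--remote-ip 0.0.0.0/0 --ethertype IPv4 --protocol icmp "$allow_namespace_sg_id"`. If the FIP-based tests are the only consumer, consider guarding this rule behind a devstack setting so other deployments keep pod ICMP restricted to the namespace groups. `configure_neutron_defaults` starts and ends outside the hunk, so any surrounding condition is not visible here.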


@ -32,6 +32,8 @@ sudo chown ${USER}:${USER} ${HOME}/.kube/config
/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ds -o yaml --all-namespaces >> ${K8S_LOG_DIR}/daemonsets.txt
/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get nodes -o yaml --all-namespaces >> ${K8S_LOG_DIR}/nodes.txt
/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ingress -o yaml --all-namespaces >> ${K8S_LOG_DIR}/ingress.txt
/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get namespaces -o yaml >> ${K8S_LOG_DIR}/namespaces.txt
/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnets -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnets_crds.txt
# Kubernetes pods logs
mkdir -p ${K8S_LOG_DIR}/pod_logs