Merge "Ensure host to pod connectivity for NP"

This commit is contained in:
Zuul 2019-01-28 10:04:11 +00:00 committed by Gerrit Code Review
commit 1f43759f69
2 changed files with 42 additions and 16 deletions


@ -120,6 +120,31 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
return existing_pod_selector
return False
def _add_default_np_rules(self, sg_id):
"""Add extra SG rule to allow traffic from svcs and host.
This method adds the base security group rules for the NP security
group:
- Ensure traffic is allowed from the services subnet
- Ensure traffic is allowed from the host
"""
default_cidrs = []
default_cidrs.append(utils.get_subnet_cidr(
config.CONF.neutron_defaults.service_subnet))
worker_subnet_id = config.CONF.pod_vif_nested.worker_nodes_subnet
if worker_subnet_id:
default_cidrs.append(utils.get_subnet_cidr(worker_subnet_id))
for cidr in default_cidrs:
default_rule = {
u'security_group_rule': {
u'ethertype': 'IPv4',
u'security_group_id': sg_id,
u'direction': 'ingress',
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
u'remote_ip_prefix': cidr
}}
driver_utils.create_security_group_rule(default_rule)
def create_security_group_rules_from_network_policy(self, policy,
project_id):
"""Create initial security group and rules
@ -151,19 +176,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
sgr_id = driver_utils.create_security_group_rule(e_rule)
e_rule['security_group_rule']['id'] = sgr_id
# NOTE(ltomasbo): Add extra SG rule to allow traffic from services
# subnet
svc_cidr = utils.get_subnet_cidr(
config.CONF.neutron_defaults.service_subnet)
svc_rule = {
u'security_group_rule': {
u'ethertype': 'IPv4',
u'security_group_id': sg_id,
u'direction': 'ingress',
u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
u'remote_ip_prefix': svc_cidr
}}
driver_utils.create_security_group_rule(svc_rule)
# Add default rules to allow traffic from host and svc subnet
self._add_default_np_rules(sg_id)
except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
LOG.exception("Error creating security group for network policy "
" %s", policy['metadata']['name'])
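Review bot: The rules built in `_add_default_np_rules` carry no `protocol` or port range, so every address in the services subnet and, in nested mode, the entire worker-nodes subnet gets unrestricted IPv4 ingress to the policy's security group regardless of what the NetworkPolicy's own ingress rules allow; anything else living on the worker VM subnet is exempted from the policy as well, and the docstring should say so rather than only "traffic from the host". I would extend the docstring with: `Both rules are unrestricted (any protocol/port), so any address in those subnets bypasses the policy's ingress rules; the worker-subnet rule is only created when pod_vif_nested.worker_nodes_subnet is set.` If the intent is only kubelet probes and kube-proxy/service traffic, narrowing by protocol or by the node addresses would be a safer default, but that is an inference from the commit title. Note also that `ethertype` is hard-coded to `'IPv4'` while `cidr` comes from the configured subnet, so an IPv6 subnet would presumably be rejected by Neutron or mismatched; a comment `# NOTE: assumes IPv4 subnets` would at least make that explicit. The enclosing `create_security_group_rules_from_network_policy` body starts outside the second hunk.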


@ -180,6 +180,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
m_affected.assert_not_called()
m_namespaced.assert_called_once_with(self._policy)
@mock.patch.object(network_policy.NetworkPolicyDriver,
'_add_default_np_rules')
@mock.patch.object(network_policy.NetworkPolicyDriver,
'get_kuryrnetpolicy_crd')
@mock.patch.object(network_policy.NetworkPolicyDriver,
@ -190,7 +192,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
def test_create_security_group_rules_from_network_policy(self, m_utils,
m_parse,
m_add_crd,
m_get_crd):
m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
m_utils.get_subnet_cidr.return_value = {
@ -202,7 +205,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
self._policy, self._project_id)
m_get_crd.assert_called_once()
m_add_crd.assert_called_once()
m_add_default.assert_called_once()
@mock.patch.object(network_policy.NetworkPolicyDriver,
'_add_default_np_rules')
@mock.patch.object(network_policy.NetworkPolicyDriver,
'get_kuryrnetpolicy_crd')
@mock.patch.object(network_policy.NetworkPolicyDriver,
@ -211,7 +217,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
'parse_network_policy_rules')
@mock.patch.object(utils, 'get_subnet_cidr')
def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
m_add_crd, m_get_crd):
m_add_crd, m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
m_utils.get_subnet_cidr.return_value = {
@ -225,7 +232,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
self._driver.create_security_group_rules_from_network_policy,
self._policy, self._project_id)
m_add_crd.assert_called_once()
m_add_default.assert_called_once()
@mock.patch.object(network_policy.NetworkPolicyDriver,
'_add_default_np_rules')
@mock.patch.object(network_policy.NetworkPolicyDriver,
'get_kuryrnetpolicy_crd')
@mock.patch.object(network_policy.NetworkPolicyDriver,
@ -234,7 +244,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
'parse_network_policy_rules')
@mock.patch.object(utils, 'get_subnet_cidr')
def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
m_add_crd, m_get_crd):
m_add_crd, m_get_crd,
m_add_default):
self._driver.neutron.create_security_group.return_value = {
'security_group': {'id': mock.sentinel.id}}
m_utils.get_subnet_cidr.return_value = {
@ -248,6 +259,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
self._driver.create_security_group_rules_from_network_policy,
self._policy, self._project_id)
m_get_crd.assert_not_called()
m_add_default.assert_called_once()
def test_create_security_group_rules_with_n_exc(self):
self._driver.neutron.create_security_group.side_effect = (
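Review bot: Every test in this file now patches `_add_default_np_rules` away and only checks `m_add_default.assert_called_once()`, so the new method's actual behaviour (one ingress rule per CIDR, and the worker-subnet rule being skipped when `pod_vif_nested.worker_nodes_subnet` is unset) is not exercised anywhere in the change. A direct unit test that patches `driver_utils.create_security_group_rule` and `utils.get_subnet_cidr`, calls `self._driver._add_default_np_rules(mock.sentinel.sg_id)` with and without a worker subnet configured, and asserts the call count and `remote_ip_prefix` of each rule would cover it. The hunk's last test, `test_create_security_group_rules_with_n_exc`, continues past the end of the hunk.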