Ensure namespace and network policy compatibility
This patch ensures the namespace handler does not depend on specific functions implemented in the security group driver for namespace isolation. This way it will be possible to enable the namespace handler (to create a different network per namespace) together with the network policy, which will perform the isolation between pods/svc in a different way. Partially Implements: blueprint k8s-network-policies Closes-Bug: #1799496 Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536
This commit is contained in:
parent
374c57d66d
commit
651da66af1
@ -838,7 +838,7 @@ function update_tempest_conf_file {
if [[ "$KURYR_K8S_CONTAINERIZED_DEPLOYMENT" == "True" ]]; then
iniset $TEMPEST_CONFIG kuryr_kubernetes containerized True
fi
if [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
if [[ "$KURYR_SG_DRIVER" == "namespace" ]] && [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
iniset $TEMPEST_CONFIG kuryr_kubernetes namespace_enabled True
fi
if [[ "$KURYR_K8S_SERIAL_TESTS" == "True" ]]; then
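Review bot: The replaced condition joins two separate `[[ ]]` tests with `&&`; a single conditional, `if [[ "$KURYR_SG_DRIVER" == "namespace" && "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then`, reads as one requirement rather than two. A one-line comment above it explaining why `namespace_enabled` now needs both drivers would help the next person editing the devstack plugin, since the commit message implies the subnet driver alone no longer means isolation is enforced, e.g. `# namespace tests need both the namespace subnet driver and the namespace SG driver`. The enclosing function update_tempest_conf_file starts and ends outside this hunk.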
@ -234,7 +234,9 @@ class PodSecurityGroupsDriver(DriverBase):
:param project_id: OpenStack project ID
:param crd_spec: dict with the keys and values for the CRD spec, such
as subnetId or subnetCIDR
:return: dict with the keys and values for the CRD spec, such as sgId
:return: dict with the keys and values for the CRD spec, such as sgId.
If no security group need to be created for the namespace, it
should return an empty dict
"""
raise NotImplementedError()
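Review bot: The new `:return:` sentence in the docstring states that an empty dict is allowed but not what that means for the caller, and the namespace handler changed in this same commit only calls `delete_sg` when an `sgId` is present in the CRD spec; documenting that contract here keeps driver authors from having to read the handler: `If no security group needs to be created for the namespace, return an empty dict; no sgId is then stored in the CRD and delete_sg is not called when the namespace is deleted.` The sentence also has a grammar slip (`need` should be `needs`). The enclosing method's signature is outside this hunk.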
@ -14,10 +14,13 @@
# under the License.
from oslo_config import cfg
from oslo_log import log as logging
from kuryr_kubernetes import config
from kuryr_kubernetes.controller.drivers import base
LOG = logging.getLogger(__name__)
class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
"""Provides security groups for Pod based on a configuration option."""
@ -35,6 +38,15 @@ class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
return sg_list[:]
def create_namespace_sg(self, namespace, project_id, crd_spec):
LOG.debug("Security group driver does not create SGs for the "
"namespaces.")
return {}
def delete_sg(self, sg_id):
LOG.debug("Security group driver does not implement deleting "
"SGs.")
class DefaultServiceSecurityGroupsDriver(base.ServiceSecurityGroupsDriver):
"""Provides security groups for Service based on a configuration option."""
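Review bot: `delete_sg` in `DefaultPodSecurityGroupsDriver` discards the `sg_id` it is given with only a debug line, so if it is ever reached with a real security group id (for instance a CRD whose `sgId` was written while a different SG driver was configured), that group is left in Neutron with no identifier in the logs to find it by. Logging the id at a level operators will see, `LOG.warning("Security group driver does not implement deleting SGs; %s left in place.", sg_id)`, makes such a leftover visible. Both new methods also lack docstrings; a one-liner on each would record the contract the namespace handler relies on, e.g. `"""No per-namespace SG is created by this driver; returns an empty dict."""` and `"""SG deletion is not handled by this driver; sg_id is ignored."""`.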
@ -57,7 +57,11 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
"Rolling back created network resources.")
self._drv_subnets.rollback_network_resources(net_crd_spec, ns_name)
raise
net_crd_spec.update(net_crd_sg)
if net_crd_sg:
net_crd_spec.update(net_crd_sg)
else:
LOG.debug("No SG created for the namespace. Namespace isolation "
"will not be enforced.")
# create CRD resource for the network
try:
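Review bot: The new `else` branch's message, `LOG.debug("No SG created for the namespace. Namespace isolation will not be enforced.")`, is the only record that a namespace network was created without an isolating security group, yet it does not say which namespace; `ns_name` is already in scope on the `rollback_network_resources` line above, so `LOG.debug("No SG created for namespace %s. Namespace isolation will not be enforced.", ns_name)` makes the log usable when checking which namespaces are isolated. The same applies to the new message in the hunk at -80,7 +84,12, where `net_crd_id` is available to identify the CRD being deleted. The enclosing method starts before this hunk and continues after it.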
@ -80,7 +84,12 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
self._drv_vif_pool.delete_network_pools(net_crd['spec']['netId'])
self._drv_subnets.delete_namespace_subnet(net_crd)
self._drv_sg.delete_sg(net_crd['spec']['sgId'])
sg_id = net_crd['spec'].get('sgId')
if sg_id:
self._drv_sg.delete_sg(sg_id)
else:
LOG.debug("There is no security group associated with the "
"namespace to be deleted")
self._del_kuryrnet_crd(net_crd_id)