Ensure namespace and network policy compatibility

This patch ensures namespace handler does not depend on specific
functions implemented on the security group driver for the namespace
isolation. This way it will be possible to enable the namespace
handler (to create a different network per namespace) together with
the network policy that will perform the isolation between pods/svc
in a different way.

Partially Implements: blueprint k8s-network-policies
Closes-Bug: #1799496
Change-Id: Ied892e616075ce16fdc15ceb31219c100e011536

devstack/plugin.sh

@@ -838,7 +838,7 @@ function update_tempest_conf_file {
     if [[ "$KURYR_K8S_CONTAINERIZED_DEPLOYMENT" == "True" ]]; then
         iniset $TEMPEST_CONFIG kuryr_kubernetes containerized True
     fi
-    if [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
+    if [[ "$KURYR_SG_DRIVER" == "namespace" ]] && [[ "$KURYR_SUBNET_DRIVER" == "namespace" ]]; then
         iniset $TEMPEST_CONFIG kuryr_kubernetes namespace_enabled True
     fi
     if [[ "$KURYR_K8S_SERIAL_TESTS" == "True" ]]; then

kuryr_kubernetes/controller/drivers/base.py

@@ -234,7 +234,9 @@ class PodSecurityGroupsDriver(DriverBase):
         :param project_id: OpenStack project ID
         :param crd_spec: dict with the keys and values for the CRD spec, such
                          as subnetId or subnetCIDR
-        :return: dict with the keys and values for the CRD spec, such as sgId
+        :return: dict with the keys and values for the CRD spec, such as sgId.
+        If no security group need to be created for the namespace, it
+        should return an empty dict
         """
         raise NotImplementedError()
 

kuryr_kubernetes/controller/drivers/default_security_groups.py

@@ -14,10 +14,13 @@
 #    under the License.
 
 from oslo_config import cfg
+from oslo_log import log as logging
 
 from kuryr_kubernetes import config
 from kuryr_kubernetes.controller.drivers import base
 
+LOG = logging.getLogger(__name__)
+
 
 class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
     """Provides security groups for Pod based on a configuration option."""
@@ -35,6 +38,15 @@ class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
 
         return sg_list[:]
 
+    def create_namespace_sg(self, namespace, project_id, crd_spec):
+        LOG.debug("Security group driver does not create SGs for the "
+                  "namespaces.")
+        return {}
+
+    def delete_sg(self, sg_id):
+        LOG.debug("Security group driver does not implement deleting "
+                  "SGs.")
+
 
 class DefaultServiceSecurityGroupsDriver(base.ServiceSecurityGroupsDriver):
     """Provides security groups for Service based on a configuration option."""

kuryr_kubernetes/controller/handlers/namespace.py

@@ -57,7 +57,11 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
                           "Rolling back created network resources.")
             self._drv_subnets.rollback_network_resources(net_crd_spec, ns_name)
             raise
-        net_crd_spec.update(net_crd_sg)
+        if net_crd_sg:
+            net_crd_spec.update(net_crd_sg)
+        else:
+            LOG.debug("No SG created for the namespace. Namespace isolation "
+                      "will not be enforced.")
 
         # create CRD resource for the network
         try:
@@ -80,7 +84,12 @@ class NamespaceHandler(k8s_base.ResourceEventHandler):
 
         self._drv_vif_pool.delete_network_pools(net_crd['spec']['netId'])
         self._drv_subnets.delete_namespace_subnet(net_crd)
-        self._drv_sg.delete_sg(net_crd['spec']['sgId'])
+        sg_id = net_crd['spec'].get('sgId')
+        if sg_id:
+            self._drv_sg.delete_sg(sg_id)
+        else:
+            LOG.debug("There is no security group associated with the "
+                      "namespace to be deleted")
 
         self._del_kuryrnet_crd(net_crd_id)