Ensure network policies are not applied on pod with host networking

This ensures kuryr-controller does not try to add security
groups to pods with host networking, as those are not managed
by kuryr cni

Partially Implements: blueprint k8s-network-policies

Change-Id: Ie43a6783675c6870e2f93ac6902cfdcdd500caa4
Luis Tomas Bolivar 2018-12-14 12:54:16 +01:00
parent 30369502bb
commit 74fdd3c833
2 changed files with 14 additions and 3 deletions


@ -19,6 +19,7 @@ from oslo_log import log as logging
from kuryr_kubernetes import clients
from kuryr_kubernetes import constants as k_const
from kuryr_kubernetes.controller.drivers import base as drivers
from kuryr_kubernetes.controller.drivers import utils as driver_utils
from kuryr_kubernetes.handlers import k8s_base
from kuryr_kubernetes import utils
@ -70,6 +71,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
pods_to_update.extend(matched_pods)
for pod in pods_to_update:
if driver_utils.is_host_network(pod):
continue
pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
@ -80,6 +83,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
netpolicy_crd = self._drv_policy.get_kuryrnetpolicy_crd(policy)
crd_sg = netpolicy_crd['spec'].get('securityGroupId')
for pod in pods_to_update:
if driver_utils.is_host_network(pod):
continue
pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
if crd_sg in pod_sgs:
pod_sgs.remove(crd_sg)
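Review bot: The new `continue` on the host-network check (here and in the on_deleted hunk above/below it) drops the pod silently, with no log line or comment, so a later reader cannot tell whether this is a correctness fix or an intentional enforcement gap; add a why-comment on the check such as `# Host-networked pods have no kuryr-managed port (see commit message), so there is no security group to update and the policy is not enforced for them.` The identical check-and-skip is pasted into both loops, so filtering `pods_to_update` once where it is assembled would keep the two paths from diverging later. The accompanying test hunks only ever set `m_host_network.return_value = False`, so the skip branch itself is never exercised; a case with `True` asserting that `update_vif_sgs` was not called for that pod would cover it. Both enclosing methods start and end outside the hunks.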


@ -108,9 +108,11 @@ class TestPolicyHandler(test_base.TestCase):
handler._drv_project)
self.assertEqual(m_get_policy_driver.return_value, handler._drv_policy)
def test_on_present(self):
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
def test_on_present(self, m_host_network):
modified_pod = mock.sentinel.modified_pod
match_pod = mock.sentinel.match_pod
m_host_network.return_value = False
knp_on_ns = self._handler._drv_policy.knps_on_namespace
knp_on_ns.return_value = True
@ -136,9 +138,11 @@ class TestPolicyHandler(test_base.TestCase):
calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
self._update_vif_sgs.assert_has_calls(calls)
def test_on_present_without_knps_on_namespace(self):
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
def test_on_present_without_knps_on_namespace(self, m_host_network):
modified_pod = mock.sentinel.modified_pod
match_pod = mock.sentinel.match_pod
m_host_network.return_value = False
ensure_nw_policy = self._handler._drv_policy.ensure_network_policy
ensure_nw_policy.return_value = [modified_pod]
@ -161,9 +165,11 @@ class TestPolicyHandler(test_base.TestCase):
mock.call(match_pod, sg3)]
self._update_vif_sgs.assert_has_calls(calls)
def test_on_deleted(self):
@mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
def test_on_deleted(self, m_host_network):
namespace_pod = mock.sentinel.namespace_pod
match_pod = mock.sentinel.match_pod
m_host_network.return_value = False
affected_pods = self._handler._drv_policy.affected_pods
affected_pods.return_value = [match_pod]
get_knp_crd = self._handler._drv_policy.get_kuryrnetpolicy_crd