Fix SG rules to be created twice for the services.

Repeated rules are being created for the service while not needed, but on the downside it cause increased number of calls to the Neutron. In this patch we're being polite to Neutron by not creating them. Closes-Bug: 1888407 Change-Id: I4e64fb00666f0d8ebcb757d77b5cbc81bd69f9d3
2020-07-09 11:41:24 +02:00 · 2020-07-09 11:41:24 +02:00 · cae194972a
parent 65c31a43ae
commit cae194972a
2 changed files with 3 additions and 27 deletions
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@ -341,7 +341,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                    crd_rules, direction, port, pod_selector,
                    policy_namespace)
        if allow_all:
-            container_port = None
            for container_port, pods in matched_pods.items():
                for ethertype in (constants.IPv4, constants.IPv6):
                    sg_rule = driver_utils.create_security_group_rule_body(
@ -350,10 +349,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                        ethertype=ethertype,
                        pods=pods)
                    crd_rules.append(sg_rule)
-            if direction == 'egress':
-                self._create_svc_egress_sg_rule(
-                    policy_namespace, crd_rules,
-                    port=container_port, protocol=port.get('protocol'))

    def _create_sg_rule_on_number_port(self, allowed_resources,
                                       direction, port, sg_rule_body_list,
@ -395,11 +390,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                        ethertype=ethertype,
                        protocol=port.get('protocol')))
                sg_rule_body_list.append(sg_rule)
-                if direction == 'egress':
-                    self._create_svc_egress_sg_rule(
-                        policy_namespace, sg_rule_body_list,
-                        port=port.get('port'),
-                        protocol=port.get('protocol'))

    def _create_default_sg_rule(self, direction, sg_rule_body_list):
        for ethertype in (constants.IPv4, constants.IPv6):
@ -532,9 +522,6 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                            port_range_max=65535,
                            ethertype=ethertype)
                        sg_rule_body_list.append(rule)
-                        if direction == 'egress':
-                            self._create_svc_egress_sg_rule(policy_namespace,
-                                                            sg_rule_body_list)
            else:
                LOG.debug('This network policy specifies no %(direction)s '
                          '%(rule_direction)s and no ports: %(policy)s',
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@ -524,15 +524,12 @@ class TestNetworkPolicyDriver(test_base.TestCase):

        m_get_ports.assert_called_with(resources[0], port)

-    @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
-                'create_security_group_rule_body')
    @mock.patch.object(network_policy.NetworkPolicyDriver,
                       '_create_sg_rules_with_container_ports')
    @mock.patch('kuryr_kubernetes.controller.drivers.utils.get_ports')
    def test__create_sg_rule_body_on_text_port_egress_all(self,
                                                          m_get_ports,
-                                                          m_create_sgr_cont,
-                                                          m_create_sgr):
+                                                          m_create_sgr_cont):
        port = {'protocol': 'TCP', 'port': 22}
        container_ports = mock.sentinel.ports
        resources = [{'spec': 'foo'}]
@ -552,9 +549,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                                                       allow_all=True)

        m_get_ports.assert_called_with(resources[0], port)
-        m_create_sgr.assert_called_once_with('egress', None, cidr=mock.ANY,
-                                             protocol='TCP')
-        self.assertEqual(len(crd_rules), 1)
+        self.assertEqual(len(crd_rules), 0)

    @mock.patch('kuryr_kubernetes.utils.get_subnet_cidr')
    @mock.patch('kuryr_kubernetes.controller.drivers.utils.'
@ -600,14 +595,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
        calls = [mock.call(direction, container_ports[0][1],
                           protocol=port['protocol'], ethertype=e,
                           pods='foo') for e in ('IPv4', 'IPv6')]
-        calls.append(mock.call(direction, container_ports[0][1],
-                               protocol=port['protocol'],
-                               cidr='10.0.0.128/26'))
        m_create_sgr.assert_has_calls(calls)
-
-        # NOTE(gryf): there are 3 rules created in case of egress direction,
-        # since additional one is created for specific cidr in service subnet.
-        self.assertEqual(len(crd_rules), 3)
+        self.assertEqual(len(crd_rules), 2)

    def test__create_all_pods_sg_rules(self):
        port = {'protocol': 'TCP', 'port': 22}