Add Network Policies Driver

This patch adds the driver skel for Network Policy Support and hooks the
previously merged handler to use it. Follow up patches will provide translation
between NP and Neutron security groups and driver implementation.

Partially Implements: blueprint k8s-network-policies
Co-Authored-By: Eyal Leshem <eyal.leshem@toganetworks.com>
Change-Id: Ie8cca7b717677347f6a100e8d3b3912bdc20a148

kuryr_kubernetes/config.py

@@ -112,6 +112,10 @@ k8s_opts = [
                help=_("The driver to determine OpenStack "
                       "project for namespaces"),
                default='default'),
+    cfg.StrOpt('network_policy_project_driver',
+               help=_("The driver to determine OpenStack "
+                      "project for network policies"),
+               default='default'),
     cfg.StrOpt('pod_subnets_driver',
                help=_("The driver to determine Neutron "
                       "subnets for pod ports"),
@@ -169,6 +173,9 @@ k8s_opts = [
     cfg.PortOpt('controller_ha_elector_port',
                 help=_('Port on which leader-elector pod is listening to.'),
                 default=16401),
+    cfg.StrOpt('network_policy_driver',
+               help=_("Driver for network policies"),
+               default='default'),
 ]
 
 neutron_defaults = [

kuryr_kubernetes/controller/drivers/base.py

@@ -664,7 +664,7 @@ class NetworkPolicyDriver(DriverBase):
 class NetworkPolicyProjectDriver(DriverBase):
     """Get an OpenStack project id for K8s network policies"""
 
-    ALIAS = 'policy_project'
+    ALIAS = 'network_policy_project'
 
     @abc.abstractmethod
     def get_project(self, policy):

kuryr_kubernetes/controller/drivers/default_project.py

@@ -67,4 +67,13 @@ class DefaultNamespaceProjectDriver(base.NamespaceProjectDriver):
             raise cfg.RequiredOptError('project',
                                        cfg.OptGroup('neutron_defaults'))
 
+
+class DefaultNetworkPolicyProjectDriver(base.NetworkPolicyProjectDriver):
+
+    def get_project(self, policy):
+        project_id = config.CONF.neutron_defaults.project
+
+        if not project_id:
+            raise cfg.RequiredOptError('project',
+                                       cfg.OptGroup('neutron_defaults'))
         return project_id

kuryr_kubernetes/controller/drivers/network_policy.py

@@ -0,0 +1,30 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from oslo_log import log as logging
+
+from kuryr_kubernetes.controller.drivers import base
+
+LOG = logging.getLogger(__name__)
+
+
+class NetworkPolicyDriver(base.NetworkPolicyDriver):
+    """Provides security groups actions based on K8s Network Policies"""
+
+    def ensure_network_policy(self, policy, project_id):
+        pass
+
+    def release_network_policy(self, policy, project_id):
+        pass

kuryr_kubernetes/controller/handlers/policy.py

@@ -15,6 +15,7 @@
 from oslo_log import log as logging
 
 from kuryr_kubernetes import constants as k_const
+from kuryr_kubernetes.controller.drivers import base as drivers
 from kuryr_kubernetes.handlers import k8s_base
 
 LOG = logging.getLogger(__name__)
@@ -28,9 +29,15 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
 
     def __init__(self):
         super(NetworkPolicyHandler, self).__init__()
+        self._drv_policy = drivers.NetworkPolicyDriver.get_instance()
+        self._drv_project = drivers.NetworkPolicyProjectDriver.get_instance()
 
     def on_present(self, policy):
-        LOG.debug("Received event notification on network policy: %s", policy)
+        LOG.debug("Created or updated: %s", policy)
+        project_id = self._drv_project.get_project(policy)
+        self._drv_policy.ensure_network_policy(policy, project_id)
 
     def on_deleted(self, policy):
-        LOG.debug("Received event notification on network policy: %s", policy)
+        LOG.debug("Deleted network policy: %s", policy)
+        project_id = self._drv_project.get_project(policy)
+        self._drv_policy.release_network_policy(policy, project_id)

setup.cfg

@@ -49,6 +49,9 @@ kuryr_kubernetes.controller.drivers.service_project =
 kuryr_kubernetes.controller.drivers.namespace_project =
     default = kuryr_kubernetes.controller.drivers.default_project:DefaultNamespaceProjectDriver
 
+kuryr_kubernetes.controller.drivers.network_policy_project =
+    default = kuryr_kubernetes.controller.drivers.default_project:DefaultNetworkPolicyProjectDriver
+
 kuryr_kubernetes.controller.drivers.pod_subnets =
     default = kuryr_kubernetes.controller.drivers.default_subnet:DefaultPodSubnetDriver
     namespace = kuryr_kubernetes.controller.drivers.namespace_subnet:NamespacePodSubnetDriver
@@ -62,6 +65,9 @@ kuryr_kubernetes.controller.drivers.pod_security_groups =
 kuryr_kubernetes.controller.drivers.service_security_groups =
     default = kuryr_kubernetes.controller.drivers.default_security_groups:DefaultServiceSecurityGroupsDriver
 
+kuryr_kubernetes.controller.drivers.network_policy =
+    default = kuryr_kubernetes.controller.drivers.network_policy:NetworkPolicyDriver
+
 kuryr_kubernetes.controller.drivers.pod_vif =
     neutron-vif = kuryr_kubernetes.controller.drivers.neutron_vif:NeutronPodVIFDriver
     nested-vlan = kuryr_kubernetes.controller.drivers.nested_vlan_vif:NestedVlanPodVIFDriver