When attempting to Handle a Network Policy and one Namespace
which is affected by it is in the process of getting handled
by Kuryr, the Network Policy event would be often retried.
This commit removes the retry to make sure the Network Policy
gets updated only once the Namespace handling has finsihed.
Change-Id: I73c9488dca21f73070ca84352e3ba3780ea7298f
This got decided at the PTG. The code is old, not maintained, not tested
and most likely doesn't work anymore. Moreover it gave us a hard
dependency on grpcio and protobuf, which is fairly problematic in Python
and gave us all sorts of headaches.
Change-Id: I0c8c91cdd3e1284e7a3c1e9fe04b4c0fbbde7e45
For Neutron networks and subnets, add identifier (which origins from
tags) to the description field as a workaround for inability for create
tagged resources in atomic way. This change might be reverted when
Neutron gain such ability.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/841107
Change-Id: I1750a0b6ae569752b44a4fe682288686868450fe
During removal of Neutron resources, sometimes there could be hanging
orphaned ports. Till now, all the removal was done one by one which
slows down removing process. In this change there is introduced removing
port in parallel in five concurrently run workers.
Change-Id: I74842989784601325b6d8977da4bc936ceedbc0e
Currently, creating network and/or subnet depending heavily on tags.
There could be an issue with selecting right network when tag is set in
configuration, while it'll fail on actual tagging network or subnet. In
that case it might happen, that multiple, untagged subnets would be
created, while only one is expected. In this patch we introduce adding
unique UID from Kubernetes namespace into Neutron network description
field, so that it will indicate only one, specific namespace, so that
there shouldn't be collision with other k8s deployments within same
OpenStack cloud, despite of the tag.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/835245
Change-Id: Id68da7932be66d339119ed92b870c8f7538afb15
In OpenStack Neutron and Octavia, name and descriptions of the objects
are limited to the 255 characters, while on Kubernetes names are limited
to the 253 characters. Kuryr often creates names for the networks and
subnets using Kubernetes object name with additional prefix and suffix,
which may exceed allowed character limit. In this patch there is
proposed solution for this issue by simply truncate kubernetes resource
name, while keeping prefix and suffix intact, to fit the Neutron name
limit.
Change-Id: I6e404104034f11593fc313797ad464458bbdf82d
Besides that, added ownerReferences to the KuryrNetworkPolicy, so that
we don't need to query kubertnetes API about uid of NetworkPolicy
object. Although side effect of that field is, that it will be removed
alongside with NetworkPolicy, but it's acceptable, since we remove it
anyway after NetworkPolicy removal.
Change-Id: Ia9fb5cac516bc042c20897d8527afdfb8661b42b
Right now the in use Ports info is retrieved
by looking for the Pods and then for each
KuryrPort correponding to the specific Pod,
which can increase the time to recover precreated
Ports upon restart. This commit fixes the issue
by collecting all the KuryrPorts at once.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/816394
Change-Id: I6499898a42a21337455a3d793b6ddbc71765437d
Due to a known Neutron issue it's possible
to have subports with DOWN status and upon
controller restart those subports with are
not taken into account when repopulating the
pools resulting in leftovers. This commit
ensures nodes_ports_cleanup thread detach the
Port from the Trunk and remove it from the
Trunk.
Change-Id: If106637c81a5566d7bea00561f5cf1b381f97f23
Ensures Namespaces are only handled when there
is any Pod on Pod Network present on it to avoid
creating Networks and Subnets without really being
used.
Depends-On: https://review.opendev.org/c/openstack/kuryr-tempest-plugin/+/813404
Change-Id: Idbc1e2868c54eb1151d2498a0324731fe099592e
This prevents Kuryr Controller from CrashLoopBackoff in unexpected
case where the port is still part of the trunk during _cleanup_leftover_ports
Change-Id: Ie3f75118a58094d6ca4287e1ffc0035d380d0584
The patch handles the KuryrLoadBalancers reconcilation
using periodic task as event scheduler instead of eventlet
Implements: blueprint reconcile-openstack-resources-with-k8s
Change-Id: I85d2d1cf00b2543f41a875b32ae64fbbe885652c
The project aims to handle the reconcilation of LoadBalancers on Octavia.
When the loadbalancers are deleted on OpenStack, the reconciliations loop
which runs every 10mins detects the missing loadbalancers andd triggers
their recreation
Implements: blueprint reconcile-openstack-resources-with-k8s
Change-Id: I0cad1c45615309587a2add1921029f5ce08be446
In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied may have that traffic blocked when it should be
allowed.
To fix that this commit makes sure that SGs used for NPs include ingress
rules for each of the Service in it's namespace. It's not ideal but
seems to be a fair compromise between opening as little traffic as
possible and increasing number of security groups and rules.
As this commit makes sure all the NPs in the namespaces are reanalyzed
every time a Service is created or deleted, a little fixes in order to
support that are also made.
Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
Closes-Bug: 1923452
It is unnecessary to use list, set, dict around a generator expression
to get object of that type, since there are comprehensions for these types.
Change-Id: I11b9b87faacba4321ef54a48edd7f13df18e1df7
Seems like we misunderstood the NP API reference and default the
protocol to TCP when creating SGs for NPs that are supposed to open all
traffic. That is incorrect and we should not specify a protocol in such
cases. This commit fixes that.
Change-Id: Ie7936555ac794f10443e48908b7b5b2494525b7c
Closes-Bug: 1914380
With the recent support added to Neutron to allow adding a tag to multiple
Ports at one call, this change stops Kuryr from performing two separate
requests to create the Ports and then Tagging them and just does it one
request.
Change-Id: I09496a9cd9cce4c3ae2c6a75c242aa46fa79a07d
Closes-Bug: #1899028
It may happen that there's an unscheduled pod matching a policy when NP
is getting deleted. In that case we'll get a traceback as pod has no
nodeName set. This commit fixes that by making sure we skip unscheduled
pods when detaching SGs from ports on NP deletion.
Change-Id: I5b712ba97e030192d1d24cce2585724a78408e23
Closes-Bug: 1904040
match_selector() has a bug causing it to return True for any
podSelector with any matchLabel and pods without labels at all. This is
totally incorrect, casues issues like applying NPs to pods that should
not be affected by them and probably others.
Change-Id: I47d7e61787675252cf16a9b4ae51871d8a31dc0a
Closes-Bug: 1903067
Closes-Bug: 1903572
Due to bug 1899182 we were creating KuryrPorts and in consequence
Neutron ports for host networking pods. This is totally unnecessary and
those ports were not used at all. This commit makes sure even if version
with the bug was run, on kuryr-controller update those ports will get
deleted automatically.
Change-Id: I5f7047cb6bee1879dc37cbba1b6248e0a5086322
Related-Bug: 1899182
Seems like due to a mistake we've made is_host_network utility function
to always return False. This means that we considered hostNetworking
pods as regular one, ending up creating additional unused ports. Besides
that some anomalies regarding network policy could occur too as function
is used there.
Closes-Bug: 1899182
Change-Id: I0dade137b83499c80ec81cadf6437ea4e70d02c1
Sometimes, on pod deletion it happens that kuryr network policy CRD
cannot be found anymore, but we get error from K8s API. Let's wait for
API is functional again.
Change-Id: I24255e59fac46ac10ca815b50d6060c395b4bf34
We use affectedPods to comfortably track the list of the pods that the
NetworkPolicy indirectly targets (i.e. matches their ports). It doesn't
make sense to put pods without IP there, as well as it is impossible now
with new KuryrNetworkPolicy CRD.
We haven't seen that problem on previous CRD as we've used a weird
format to save that info: {'<pod-ip>': '<pod-namespace'}. If <pod-ip>
was None, json.dumps serialized that into {'null': '<pod-namespace>'},
which was as happily accepted by K8s API as it was utterly useless.
This commit makes sure we only put pods with IP on affectedPods field.
Please also note that we already have protection in place to make sure
we won't create rules for pods without IP (those rules would effectively
open too much traffic), so that is already covered.
Change-Id: Ie82a153c89119fc8f70071353c8e46b27d643935
Closes-Bug: 1892208
I newly added CRD, KuryrPort, we noticed, that vifs key, which is now
under 'spec' object, is rather a thing which could be represented as the
CRD status.
In this patch we propose to move vifs data under the status key.
Depends-On: I2cb66e25534e44b79f660b10498086aa88ad805c
Change-Id: I71385799775f9f9cc928e4d39a0fd443c98b53c6
On upgrade from version using annotations on Endpoints and Services
objects to save information about created Octavia resources, to a
version where that information lives in KuryrLoadBalancer CRD we need to
make sure that data is converted. Otherwise we can end up with doubled
loadbalancers.
This commit makes sure data is converted before we try processing any
Service or Endpoints resource that has annotations.
Change-Id: I01ee5cedc7af8bd02283d065cd9b6f4a94f79888
This commit is a huge refactoring of how we handle network policies. In
general:
* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
This means that in order to trigger SG rules recalculation on Pod ang
Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
KuryrNetworkPolicy objects, so that objects cannot get removed before
KuryrNetworkPolicyHandler won't process deletion correctly.
Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
Till now, we were using pod annotations to store information regarding
state of the associated VIFs to pod. This alone have its own issues and
it's prone to the inconsistency in case of controller failures.
In this patch we propose new CRD called KuryrPort for storage the
information about VIFs.
Depends-On: If639b63dcf660ed709623c8d5f788026619c895c
Change-Id: I1e76ea949120f819dcab6d07714522a576e426f2
In network policy driver we are using security groups for the OpenStack
side to create appropriate port ranges to be open for certain hosts (or
all hosts). In this patch we add a mechanism for selecting right IP
version to the rule, or create rules for both (IPv4 and IPv6) network
types.
Implements: blueprint kuryr-ipv6-support
Change-Id: Ie7544aeebb1d18038ebc19c8f815b69213b55a88
Sometimes we create a lot of security group rules, which might exceed
the quotas. In this patch we propose to distinguish conflict exceptions
for quota exceeding from rule already exists.
Change-Id: Icea686ec9d1fcb701f1853c40d6cfd4ca20fd0ac
get_pod_ip() does not make any API calls and just gets the IP from VIF
annotation. Maybe it would make some sense to cache it to avoid several
dict lookups, but current version bases cache on whole pod object, which
we know may change often over time, so I don't think there's a point in
keeping the cache here.
Change-Id: Id441700ac7add94a675c3a38434abae0b826b766
This patch moves the namespace handling to be more aligned
with the k8s style.
Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250
Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
Since we already migrated fully to Python3, it's time to also remove
bits needed for Python2. One of those libs is six.
Change-Id: Ib984d7b4b3c1048ed091c78986c634689a8ace8c
Our hacking module is ancient and makes Python 3.6's f-strings to fail
PEP8 check. This commit bumps hacking to newer version and fixes
violations found by it.
Change-Id: If8769f7657676d71bcf84c08108e728836071425
get_ports_by_attrs was using neutron client for obtaining ports with
specified attribites. OpenStackSDK have this OOTB, so that one can query
for ports simply by using os.network.ports(name=…, tags=[…], …), so,
there is no need for additional function.
Also, make use of previously added real port object in tests. By using
openstack.network.v2.port.Port objects we gain such confidence
that we are dealing with an port object, dict, tuple, or any other data
type, so that we can treat it accordingly in the code.
Implements: blueprint switch-to-openstacksdk
Change-Id: I7b597f7229113a598de631641bde04e083fea4b5
Besides refactor itself, there was several issues resolved, like
appropriate data handling - because macvlan driver is still using
neutron client, we have to deal with dict data and openstacksdk objects
at the same time in couple of helper methods in os_vif_util module.
Furthermore, helper method for creating port object for test purposes
was moved to fake module, since it is also utilized in test for os vif
utils.
Change-Id: Iefc758ac22e1688ca9d017d5a4c1d32c4cf0583a
Implements: blueprint switch-to-openstacksdk
Besides driver itself, there was a change also for utils/os_vif_util
modules, since while changing neutron objects to OpenStackSDK objects,
signature has also changed.
Also, favor of using attribute based access for Munch objects (all
OpenStackSDK objects are basically Munch based), so that we can also
have these working in older version of OpenStackSDK.
Implements: blueprint switch-to-openstacksdk
Change-Id: I7db217aa9f2b09b38d5e8709cf3712646f6b6893