Commit Graph

21 Commits

Author SHA1 Message Date
Zuul c24002fe78 Merge "CNI: Use K8S_POD_UID passed from CRI" 2022-03-30 10:41:25 +00:00
Michał Dulko 46f4544547 CI: Cleanup what we gather from K8s
Seems like the set of resources we gather from K8s for CI gates
debugging purposes was outdated. This commit updates it to make sure
we're also getting NPs and KLBs, while removing Ingress, KuryrNet and
KuryrNetPolicy that are obsolete today.

Besides that, KuryrNet and KuryrNetPolicy CRD definitions are removed as
we haven't been using them for a long time now.

Change-Id: Ia7ecd8f79b6ac0a8172cf108e228e2ea1cb7a0d5
2022-03-08 12:52:31 +01:00
Michał Dulko d5f5db7005 CNI: Use K8S_POD_UID passed from CRI
Recent versions of cri-o and containerd are passing K8S_POD_UID as a CNI
argument, alongside K8S_POD_NAMESPACE and K8S_POD_NAME. As both
latter variables cannot be used to safely identify a pod in the API
(StatefulSet recreates pods with the same name), we were prone to race
conditions in the CNI code that we could only work around. The end effect
was mostly IP conflict.

Now that the UID argument is passed, we're able to compare the UID from
the request with the one in the API to make sure we're wiring the
correct pod. This commit implements that by making sure to move the
check to the code actually waiting for the pod to appear in the
registry. In case of K8S_POD_UID missing from the CNI request, API call
to retrieve Pod is used as a fallback.

We also know that this check doesn't work for static pods, so CRD and
controller needed to be updated to include information if the pod is
static on the KuryrPort spec, so that we can skip the check for the
static pods without the need to fetch Pod from the API.

Closes-Bug: 1963677
Change-Id: I5ef6a8212c535e90dee049a579c1483644d56db8
2022-03-08 12:28:48 +01:00
Tabitha Fasoyin 87f6c66d31 Add option to set listener timeouts for lb created by Kuryr
The timeout-client-data and timeout-member-data configurations
for Octavia listeners default to 50 seconds for load balancers
created by Kuryr. This patch allows the creation and modification
of load balancers handled by Kuryr with different timeout values.

Implements: blueprint configure-lb-listeners-timeout
Change-Id: I99016001c2263023d1fa2637d7b5aeb23b3b2d9d
2021-03-17 14:58:37 +00:00
scavnicka aa02a4b412 Leaks of loadbalancer
In theory with the usage of Finalizers having leaks of loadbalancers
is not possible anymore, and if the CRD is deleted it gets recreated
and also the loadbalancer is recreated.

This commit is deleting ensure_release_lbaas and _cleanup_leftover_lbaas
functions.

Change-Id: I0db62a845b23a32eef4358368332c4da2cad5460
2020-09-21 14:28:45 +00:00
Zuul 93aafb1261 Merge "Convert KuryrLoadBalancer subsets CRD to EndpointSlice" 2020-08-26 16:42:16 +00:00
Maysa Macedo 437a147ca6 Convert KuryrLoadBalancer subsets CRD to EndpointSlice
This commit formats the KuryrLoadBalancer CRD to include
the structure of EndpointSlice.

Change-Id: I1e42578841effeb3778e8d729c181b89b84f62b7
2020-08-24 20:07:01 +00:00
Roman Dobosz 1aa6753d80 Move vifs to 'status' in the KuryrPort CRD.
In newly added CRD, KuryrPort, we noticed that vifs key, which is now
under 'spec' object, is rather a thing which could be represented as the
CRD status.

In this patch we propose to move vifs data under the status key.

Depends-On: I2cb66e25534e44b79f660b10498086aa88ad805c
Change-Id: I71385799775f9f9cc928e4d39a0fd443c98b53c6
2020-08-12 17:39:45 +02:00
Michał Dulko a1708e1c76 KuryrNetworkPolicy CRD
This commit is a huge refactoring of how we handle network policies. In
general:

* KuryrNetPolicy is replaced by KuryrNetworkPolicy. The upgrade path
  is handled in the constructor of KuryrNetworkPolicyHandler.
* New CRD has spec and status properties. spec is always populated by
  NetworkPolicyHandler. status is handled by KuryrNetworkPolicyHandler.
  This means that in order to trigger SG rules recalculation on Pod and
  Service events, the NetworkPolicy is "bumped" with a dummy annotation.
* NetworkPolicyHandler injects finalizers onto NetworkPolicy and
  KuryrNetworkPolicy objects, so that objects cannot get removed before
  KuryrNetworkPolicyHandler won't process deletion correctly.

Depends-On: https://review.opendev.org/742209
Change-Id: Iafc982e590ada0cd9d82e922c103583e4304e9ce
2020-07-31 14:44:15 +02:00
scavnicka f71ae55476 Update loadbalancer CRD with service spec and rely on CRD
This commit adds support for creation of loadbalancer, listeners,
members, pools with using the CRD, it is also filling the status
field in the CRD.

Depends-On: https://review.opendev.org/#/c/743214/
Change-Id: I42f90c836397b0d71969642d6ba31bfb49786a43
2020-07-30 21:56:43 +00:00
Roman Dobosz a458fa6894 Pod annotations to KuryrPort CRD.
Till now, we were using pod annotations to store information regarding
state of the associated VIFs to pod. This alone has its own issues and
it's prone to the inconsistency in case of controller failures.

In this patch we propose new CRD called KuryrPort for storing the
information about VIFs.

Depends-On: If639b63dcf660ed709623c8d5f788026619c895c
Change-Id: I1e76ea949120f819dcab6d07714522a576e426f2
2020-07-29 23:50:17 +02:00
Michał Dulko fe1627e271 Preserve unknown in remote_ip_prefixes in NP CRD
The remote_ip_prefixes field in KuryrNetPolicy CRD is an object. As it's
not defined with correct schema, it needs
x-kubernetes-preserve-unknown-fields property. This commit fixes that.

I'm not defining the field correctly as we're moving to new CRD anyway.

Change-Id: I71a7bd16ca8e6b7d9acb7398360b58694ede073f
2020-03-18 11:58:14 +01:00
Luis Tomas Bolivar 780c4dfa09 Namespace event handling through KuryrNet CRD
This patch moves the namespace handling to be more aligned
with the k8s style.

Depends-on: If0aaf748d13027b3d660aa0f74c4f6653e911250

Change-Id: Ia2811d743f6c4791321b05977118d0b4276787b5
2020-03-13 12:30:07 +01:00
Michał Dulko 93657a9f12 Remove sgId from KuryrNet CRD
Seems like we don't need sgId on KuryrNet CRD, it's not written anywhere
and only read in one place. This patch removes it.

Change-Id: Ia5a0f0dd89d72b16189cb33e97720bc6171239ac
2020-03-04 09:43:17 +01:00
Michał Dulko c10468cd74 Update CRDs from apiextensions.k8s.io/v1beta1 to v1
In Kubernetes 1.16 CRDs got out of beta and were added to regular
apiextensions.k8s.io/v1. This was accompanied with some format changes.
This patch updates our CRD definitions to new version.

Change-Id: Ib5e64fe72581ef601e5df2e317900566cd476470
2020-02-26 12:00:37 +01:00
Luis Tomas Bolivar 9acfd8faa8 Remove namespace isolation support
NetworkPolicy can replicate what namespace isolation does (and much
more), so we are removing the code that is not needed

Change-Id: Ib79c21cb92c522744658a204001383b6c0e98846
2020-02-03 12:48:10 +01:00
sarka_scavnicka 48f2d2838b Add a loadbalancer CRD
This commit adds CRD to Kuryr that contains information about
service's annotations and endpoints' annotations, also it is
ensured that CRD is created on the cluster when using devstack.

Partially-Implements: blueprint move-svc-annotations-to-crds

Change-Id: I4088ad09efe96b2d395fb892750adcb39abee3a4
2019-10-14 12:44:47 +00:00
Maysa Macedo a85a7bc8b1 Add CRD validation to KuryrNet and KuryrNetPolicy
This commit adds validation to important fields of KuryrNet and
KuryrNetPolicy CRDs.

Change-Id: I0262d60291e8f163e72f6c078c341984b5e5020c
2019-06-20 08:41:54 +00:00
Daniel Mellado 4465c2062a Implement NP SG create/delete actions
This commit implements NP driver actions for creating/updating SG and SG
rules. It also creates KuryrNetPolicy as a CRD so we don't have to rely
on the slow neutron API for time-costly operations such as listing SG
and so.

Security group rules and label matching will be handled in a follow-up
patch, as well as storing CRD object_id in a network policy annotation.

Unit tests will also be added after some more functionality is added
with the remaining patch series.

Partially-Implements: bp/k8s-network-policies
Change-Id: I6d45a462e812b24073b529144fc0843e8725a06e
2018-09-06 10:10:15 -04:00
Peng Liu babc761aed Add NPWG Multi-VIF driver option in devstack
In devstack plugin, add KURYR_MULTI_VIF_DRIVER parameter to
specify which multi-vif driver to be enabled. If it's NPWG
driver, the network attachment definition CRD is created in
Kubernetes cluster.

Change-Id: I260a44880b9cfb3686843504bd29649e5d0518d0
2018-08-16 15:09:09 +08:00
Luis Tomas Bolivar d5d4ef1f9d Add namespace subnet driver for namespace creation
This patch adds a new subnet driver that creates a new network
for each created k8s namespace. It makes use of K8s CRDs to store
the information about the network resources created for each
namespace

Partially Implements: blueprint network-namespace

Change-Id: I7988e1da7a9ed57f29c85ddcd99bb2c87808010e
2018-05-25 08:57:42 +02:00