diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
index 3b7593065..32f82dfc9 100644
--- a/kuryr_kubernetes/controller/drivers/network_policy.py
+++ b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -120,6 +120,31 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
             return existing_pod_selector
         return False
 
+    def _add_default_np_rules(self, sg_id):
+        """Add extra SG rule to allow traffic from svcs and host.
+
+        This method adds the base security group rules for the NP security
+        group:
+        - Ensure traffic is allowed from the services subnet
+        - Ensure traffic is allowed from the host
+        """
+        default_cidrs = []
+        default_cidrs.append(utils.get_subnet_cidr(
+            config.CONF.neutron_defaults.service_subnet))
+        worker_subnet_id = config.CONF.pod_vif_nested.worker_nodes_subnet
+        if worker_subnet_id:
+            default_cidrs.append(utils.get_subnet_cidr(worker_subnet_id))
+        for cidr in default_cidrs:
+            default_rule = {
+                u'security_group_rule': {
+                    u'ethertype': 'IPv4',
+                    u'security_group_id': sg_id,
+                    u'direction': 'ingress',
+                    u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
+                    u'remote_ip_prefix': cidr
+                }}
+            driver_utils.create_security_group_rule(default_rule)
+
     def create_security_group_rules_from_network_policy(self, policy,
                                                         project_id):
         """Create initial security group and rules
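Review bot: The rules built in the `for cidr in default_cidrs` loop carry no `protocol` or port range, so every NP security group admits any traffic from the whole services subnet and, when `pod_vif_nested.worker_nodes_subnet` is set, from the whole worker-node subnet, independently of what the policy's own ingress rules allow; that baseline is intentional, but the docstring should state its breadth and the config dependency, e.g. `Both rules allow all protocols and ports; the host rule is only added when pod_vif_nested.worker_nodes_subnet is configured.` The `u'ethertype': 'IPv4'` value is hard-coded while both prefixes come from configuration, so an IPv6 service or worker subnet would presumably yield a rule Neutron rejects as inconsistent; deriving it per CIDR with the stdlib `ipaddress` module, `ethertype = 'IPv6' if ipaddress.ip_network(cidr, strict=False).version == 6 else 'IPv4'`, would keep the helper correct for either family. `default_cidrs = []` followed by an unconditional `append` reads more naturally as a one-element list literal holding the services CIDR, leaving only the conditional append.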
@@ -151,19 +176,8 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                 sgr_id = driver_utils.create_security_group_rule(e_rule)
                 e_rule['security_group_rule']['id'] = sgr_id
 
-            # NOTE(ltomasbo): Add extra SG rule to allow traffic from services
-            # subnet
-            svc_cidr = utils.get_subnet_cidr(
-                config.CONF.neutron_defaults.service_subnet)
-            svc_rule = {
-                u'security_group_rule': {
-                    u'ethertype': 'IPv4',
-                    u'security_group_id': sg_id,
-                    u'direction': 'ingress',
-                    u'description': 'Kuryr-Kubernetes NetPolicy SG rule',
-                    u'remote_ip_prefix': svc_cidr
-                }}
-            driver_utils.create_security_group_rule(svc_rule)
+            # Add default rules to allow traffic from host and svc subnet
+            self._add_default_np_rules(sg_id)
         except (n_exc.NeutronClientException, exceptions.ResourceNotReady):
             LOG.exception("Error creating security group for network policy "
                           " %s", policy['metadata']['name'])
diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
index ff57dae96..053e55edc 100644
--- a/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py
@@ -180,6 +180,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
         m_affected.assert_not_called()
         m_namespaced.assert_called_once_with(self._policy)
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -190,7 +192,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
     def test_create_security_group_rules_from_network_policy(self, m_utils,
                                                              m_parse,
                                                              m_add_crd,
-                                                             m_get_crd):
+                                                             m_get_crd,
+                                                             m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
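Review bot: The new comment `# Add default rules to allow traffic from host and svc subnet` promises a host rule unconditionally, but `_add_default_np_rules` only adds the worker-subnet rule when `pod_vif_nested.worker_nodes_subnet` is set, so deployments without that option get the services rule alone; `# Allow traffic from the svc subnet and, when worker_nodes_subnet is configured, from the host subnet` would describe what actually happens. The call sits inside the same `try` as the policy's own rules, so a Neutron failure while creating the default rules is logged by the same `except` branch below and leaves a security group that already holds the policy rules but not the baseline ones — worth a sentence in the method docstring if that partial state is acceptable. The enclosing method starts and ends outside this hunk.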
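Review bot: Every test touched in this file (the decorators added at -180, -202 and -225 and the matching parameters at -190, -211 and -234) patches `_add_default_np_rules` away, and the only check on it is `m_add_default.assert_called_once()`, so as far as this diff shows the helper's own behaviour — the conditional worker-subnet rule and the payload handed to `driver_utils.create_security_group_rule` — is exercised by no unit test. A dedicated test that patches `utils.get_subnet_cidr` and `network_policy.driver_utils.create_security_group_rule`, calls `self._driver._add_default_np_rules(mock.sentinel.sg_id)`, and asserts one created rule per CIDR with `remote_ip_prefix` equal to the mocked CIDR and `security_group_id` equal to the sentinel, once with `worker_nodes_subnet` configured and once without, would pin that down. The test class continues beyond these hunks.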
@@ -202,7 +205,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._policy, self._project_id)
         m_get_crd.assert_called_once()
         m_add_crd.assert_called_once()
+        m_add_default.assert_called_once()
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -211,7 +217,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                        'parse_network_policy_rules')
     @mock.patch.object(utils, 'get_subnet_cidr')
     def test_create_security_group_rules_with_k8s_exc(self, m_utils, m_parse,
-                                                      m_add_crd, m_get_crd):
+                                                      m_add_crd, m_get_crd,
+                                                      m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
@@ -225,7 +232,10 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._driver.create_security_group_rules_from_network_policy,
             self._policy, self._project_id)
         m_add_crd.assert_called_once()
+        m_add_default.assert_called_once()
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        'get_kuryrnetpolicy_crd')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -234,7 +244,8 @@ class TestNetworkPolicyDriver(test_base.TestCase):
                        'parse_network_policy_rules')
     @mock.patch.object(utils, 'get_subnet_cidr')
     def test_create_security_group_rules_error_add_crd(self, m_utils, m_parse,
-                                                       m_add_crd, m_get_crd):
+                                                       m_add_crd, m_get_crd,
+                                                       m_add_default):
         self._driver.neutron.create_security_group.return_value = {
             'security_group': {'id': mock.sentinel.id}}
         m_utils.get_subnet_cidr.return_value = {
@@ -248,6 +259,7 @@ class TestNetworkPolicyDriver(test_base.TestCase):
             self._driver.create_security_group_rules_from_network_policy,
             self._policy, self._project_id)
         m_get_crd.assert_not_called()
+        m_add_default.assert_called_once()
 
     def test_create_security_group_rules_with_n_exc(self):
         self._driver.neutron.create_security_group.side_effect = (