From 3baaccdc039754e9fc72d9738a4fb39fdf4099e6 Mon Sep 17 00:00:00 2001
From: Luis Tomas Bolivar
Date: Wed, 19 Dec 2018 14:59:13 +0100
Subject: [PATCH] Ensure lb sg rules are not updated without namespaces
This patch ensures Octavia LoadBalancer SG rules are not updated by the lbaas driver when the namespace isolation feature is not enabled.
Closes-Bug: 1809119
Change-Id: I09af490e77fcb722115e75147d5d004b2f4e6426
---
 kuryr_kubernetes/controller/drivers/lbaasv2.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kuryr_kubernetes/controller/drivers/lbaasv2.py b/kuryr_kubernetes/controller/drivers/lbaasv2.py
index e589b672b..bc8b81132 100644
--- a/kuryr_kubernetes/controller/drivers/lbaasv2.py
+++ b/kuryr_kubernetes/controller/drivers/lbaasv2.py
@@ -252,9 +252,12 @@ class LBaaSv2Driver(base.LBaaSDriver):
 def _ensure_security_group_rules(self, loadbalancer, listener, service_type):
+ namespace_isolation = (
+ 'namespace' in CONF.kubernetes.enabled_handlers and
+ CONF.kubernetes.service_security_groups_driver == 'namespace')
 if loadbalancer.provider == const.NEUTRON_LBAAS_HAPROXY_PROVIDER:
 self._ensure_lb_security_group_rule(loadbalancer, listener)
- elif service_type == 'ClusterIP':
+ elif service_type == 'ClusterIP' and namespace_isolation:
 self._extend_lb_security_group_rules(loadbalancer, listener)
 def ensure_listener(self, loadbalancer, protocol, port,
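Review bot: The new `namespace_isolation` guard on the `elif service_type == 'ClusterIP'` branch of `_ensure_security_group_rules` decides whether an Octavia load balancer's security-group rules are touched at all, yet the diffstat lists only lbaasv2.py, so no unit test pins either side of the condition. Two tests on this method would cover it: one with both options set to `'namespace'` asserting `_extend_lb_security_group_rules` is called, and one with either option unset asserting it is not. The condition also needs a comment stating the intent from the commit message, for example `# Only manage Octavia LB SG rules here when namespace isolation is on (handler enabled and SG driver set to 'namespace').` Because both comparisons use bare `'namespace'` literals, a mismatch between the two options makes the branch a silent no-op, so a debug log on the skipped path would make it visible that the rules were left as they were.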