Ensure network policies are not applied on pod with host networking

This ensures kuryr-controller is not trying to add security
groups to the pods with host networking as those are not mananged
by kuryr cni

Partially Implements: blueprint k8s-network-policies

Change-Id: Ie43a6783675c6870e2f93ac6902cfdcdd500caa4

kuryr_kubernetes/controller/handlers/policy.py

@@ -19,6 +19,7 @@ from oslo_log import log as logging
 from kuryr_kubernetes import clients
 from kuryr_kubernetes import constants as k_const
 from kuryr_kubernetes.controller.drivers import base as drivers
+from kuryr_kubernetes.controller.drivers import utils as driver_utils
 from kuryr_kubernetes.handlers import k8s_base
 from kuryr_kubernetes import utils
 
@@ -70,6 +71,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
         pods_to_update.extend(matched_pods)
 
         for pod in pods_to_update:
+            if driver_utils.is_host_network(pod):
+                continue
             pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
             self._drv_vif_pool.update_vif_sgs(pod, pod_sgs)
 
@@ -80,6 +83,8 @@ class NetworkPolicyHandler(k8s_base.ResourceEventHandler):
         netpolicy_crd = self._drv_policy.get_kuryrnetpolicy_crd(policy)
         crd_sg = netpolicy_crd['spec'].get('securityGroupId')
         for pod in pods_to_update:
+            if driver_utils.is_host_network(pod):
+                continue
             pod_sgs = self._drv_pod_sg.get_security_groups(pod, project_id)
             if crd_sg in pod_sgs:
                 pod_sgs.remove(crd_sg)

kuryr_kubernetes/tests/unit/controller/handlers/test_policy.py

@@ -108,9 +108,11 @@ class TestPolicyHandler(test_base.TestCase):
                          handler._drv_project)
         self.assertEqual(m_get_policy_driver.return_value, handler._drv_policy)
 
-    def test_on_present(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_present(self, m_host_network):
         modified_pod = mock.sentinel.modified_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
 
         knp_on_ns = self._handler._drv_policy.knps_on_namespace
         knp_on_ns.return_value = True
@@ -136,9 +138,11 @@ class TestPolicyHandler(test_base.TestCase):
         calls = [mock.call(modified_pod, sg1), mock.call(match_pod, sg2)]
         self._update_vif_sgs.assert_has_calls(calls)
 
-    def test_on_present_without_knps_on_namespace(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_present_without_knps_on_namespace(self, m_host_network):
         modified_pod = mock.sentinel.modified_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
 
         ensure_nw_policy = self._handler._drv_policy.ensure_network_policy
         ensure_nw_policy.return_value = [modified_pod]
@@ -161,9 +165,11 @@ class TestPolicyHandler(test_base.TestCase):
                  mock.call(match_pod, sg3)]
         self._update_vif_sgs.assert_has_calls(calls)
 
-    def test_on_deleted(self):
+    @mock.patch('kuryr_kubernetes.controller.drivers.utils.is_host_network')
+    def test_on_deleted(self, m_host_network):
         namespace_pod = mock.sentinel.namespace_pod
         match_pod = mock.sentinel.match_pod
+        m_host_network.return_value = False
         affected_pods = self._handler._drv_policy.affected_pods
         affected_pods.return_value = [match_pod]
         get_knp_crd = self._handler._drv_policy.get_kuryrnetpolicy_crd