diff --git a/kuryr_kubernetes/config.py b/kuryr_kubernetes/config.py index de37bc76a..90f5f4e66 100644 --- a/kuryr_kubernetes/config.py +++ b/kuryr_kubernetes/config.py @@ -39,6 +39,9 @@ k8s_opts = [ cfg.StrOpt('pod_subnets_driver', help=_("The driver to determine Neutron subnets for pod ports"), default='default'), + cfg.StrOpt('pod_security_groups_driver', + help=_("The driver to determine Neutron security groups for pods"), + default='default'), ] neutron_defaults = [ @@ -46,6 +49,8 @@ neutron_defaults = [ help=_("Default OpenStack project ID for Kubernetes resources")), cfg.StrOpt('pod_subnet', help=_("Default Neutron subnet ID for Kubernetes pods")), + cfg.ListOpt('pod_security_groups', + help=_("Default Neutron security groups' IDs for Kubernetes pods")), ] CONF = cfg.CONF diff --git a/kuryr_kubernetes/controller/drivers/base.py b/kuryr_kubernetes/controller/drivers/base.py index 18a9b5580..2c7e71bdc 100644 --- a/kuryr_kubernetes/controller/drivers/base.py +++ b/kuryr_kubernetes/controller/drivers/base.py @@ -113,3 +113,20 @@ class PodSubnetsDriver(DriverBase): `os_vif.subnet.Subnet` object corresponding to the 'subnet_id' """ raise NotImplementedError() + + +@six.add_metaclass(abc.ABCMeta) +class PodSecurityGroupsDriver(DriverBase): + """Provides security groups for Kubernetes Pods.""" + + ALIAS = 'pod_security_groups' + + @abc.abstractmethod + def get_security_groups(self, pod, project_id): + """Get a list of security groups' IDs for Pod. + + :param pod: dict containing Kubernetes Pod object + :param project_id: OpenStack project ID + :return: list containing security groups' IDs + """ + raise NotImplementedError() diff --git a/kuryr_kubernetes/controller/drivers/default_security_groups.py b/kuryr_kubernetes/controller/drivers/default_security_groups.py new file mode 100644 index 000000000..f99038783 --- /dev/null +++ b/kuryr_kubernetes/controller/drivers/default_security_groups.py 
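Review bot: The new `pod_security_groups` ListOpt in the second config.py hunk has neither a default nor any hint that it is mandatory, yet the default `pod_security_groups_driver` (default_security_groups.py in this same change) raises `cfg.RequiredOptError` when it is unset or empty, so an operator who omits it only finds out when the first pod is handled. `required=True` is not the answer, since the NOTE in that driver says other drivers may not need the option, but the help text should name who needs it: `help=_("Default Neutron security groups' IDs for Kubernetes pods (required by the 'default' pod_security_groups_driver)")`. It would also be worth stating in the help text that an empty list is rejected rather than treated as "no groups", since that is the fail-closed behaviour the driver implements.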
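Review bot: The abstract `get_security_groups` docstring in the base.py hunk leaves the ownership of the returned list unspecified, while the default implementation deliberately returns a copy (`sg_list[:]`) and its unit test pins that with `assertIsNot`; authors of other drivers have no way to know that callers may hold on to or modify the result. State it in the contract: `:return: new list containing security groups' IDs; callers may keep or modify it without affecting driver state`. The docstring should also say whether an empty list is an acceptable return ("no explicit groups") or whether drivers are expected to raise in that case, because the default driver raises and callers will otherwise see inconsistent behaviour across drivers.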
@@ -0,0 +1,36 @@
+# Copyright (c) 2016 Mirantis, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from kuryr_kubernetes import config
+from kuryr_kubernetes.controller.drivers import base
+
+
+class DefaultPodSecurityGroupsDriver(base.PodSecurityGroupsDriver):
+ """Provides security groups for Pod based on a configuration option."""
+
+ def get_security_groups(self, pod, project_id):
+ sg_list = config.CONF.neutron_defaults.pod_security_groups
+
+ if not sg_list:
+ # NOTE(ivc): this option is only required for
+ # DefaultPodSecurityGroupsDriver and its subclasses, but it may be
+ # optional for other drivers (e.g. when each namespace has own
+ # set of security groups)
+ raise cfg.RequiredOptError('pod_security_groups',
+ 'neutron_defaults')
+
+ return sg_list[:]
diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_default_security_groups.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_default_security_groups.py
new file mode 100644
index 000000000..a4100d3c9
--- /dev/null
+++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_default_security_groups.py
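Review bot: `get_security_groups` has no docstring, so nothing at the implementation states that `pod` and `project_id` are ignored, that an unset or empty `neutron_defaults.pod_security_groups` raises `cfg.RequiredOptError`, or that the result is a copy (`sg_list[:]`) so callers cannot alter the configured list. A short docstring covering those three points would do, e.g. `"""Return a copy of neutron_defaults.pod_security_groups; pod and project_id are ignored. :raises cfg.RequiredOptError: when the option is unset or empty."""`. The `if not sg_list` guard deserves a word there as well: it fails closed, refusing to return an empty group list rather than leaving the pod's port to whatever Neutron applies when no groups are supplied. Note that the check runs on every call, so a missing option surfaces only when the first pod is processed rather than at controller startup; a one-time check at construction could complement this guard, but `test_get_security_groups_not_set` in the accompanying test file currently expects the error from the call itself.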
@@ -0,0 +1,45 @@
+# Copyright (c) 2016 Mirantis, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import mock
+
+from oslo_config import cfg
+
+from kuryr_kubernetes.controller.drivers import default_security_groups
+from kuryr_kubernetes.tests import base as test_base
+
+
+class TestDefaultPodSecurityGroupsDriver(test_base.TestCase):
+
+ @mock.patch('kuryr_kubernetes.config.CONF')
+ def test_get_security_groups(self, m_cfg):
+ sg_list = [mock.sentinel.sg_id]
+ project_id = mock.sentinel.project_id
+ pod = mock.sentinel.pod
+ m_cfg.neutron_defaults.pod_security_groups = sg_list
+ driver = default_security_groups.DefaultPodSecurityGroupsDriver()
+
+ ret = driver.get_security_groups(pod, project_id)
+
+ self.assertEqual(sg_list, ret)
+ self.assertIsNot(sg_list, ret)
+
+ def test_get_security_groups_not_set(self):
+ project_id = mock.sentinel.project_id
+ pod = mock.sentinel.pod
+ driver = default_security_groups.DefaultPodSecurityGroupsDriver()
+
+ self.assertRaises(cfg.RequiredOptError, driver.get_security_groups,
+ pod, project_id)
diff --git a/setup.cfg b/setup.cfg
index d47211801..216f79d80 100644
--- a/setup.cfg
+++ b/setup.cfg
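Review bot: `test_get_security_groups_not_set` does not patch `kuryr_kubernetes.config.CONF`, so it depends on the unpatched global configuration having no value for `neutron_defaults.pod_security_groups`; any fixture or environment that sets that option would make the test fail for reasons unrelated to the driver. Patch CONF as the first test does and set the option explicitly to `None`. The driver's `if not sg_list` guard also rejects an explicitly empty list, which is a distinct input from "unset" and is not covered by either test; a second case with `[]` pins the fail-closed behaviour.
```python
    # … unchanged: test_get_security_groups …

    @mock.patch('kuryr_kubernetes.config.CONF')
    def test_get_security_groups_not_set(self, m_cfg):
        project_id = mock.sentinel.project_id
        pod = mock.sentinel.pod
        m_cfg.neutron_defaults.pod_security_groups = None
        driver = default_security_groups.DefaultPodSecurityGroupsDriver()

        self.assertRaises(cfg.RequiredOptError, driver.get_security_groups,
                          pod, project_id)

    @mock.patch('kuryr_kubernetes.config.CONF')
    def test_get_security_groups_empty(self, m_cfg):
        project_id = mock.sentinel.project_id
        pod = mock.sentinel.pod
        m_cfg.neutron_defaults.pod_security_groups = []
        driver = default_security_groups.DefaultPodSecurityGroupsDriver()

        self.assertRaises(cfg.RequiredOptError, driver.get_security_groups,
                          pod, project_id)
```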
@@ -32,6 +32,9 @@ kuryr_kubernetes.controller.drivers.pod_project = kuryr_kubernetes.controller.drivers.pod_subnets = default = kuryr_kubernetes.controller.drivers.default_subnet:DefaultPodSubnetDriver +kuryr_kubernetes.controller.drivers.pod_security_groups = + default = kuryr_kubernetes.controller.drivers.default_security_groups:DefaultPodSecurityGroupsDriver + [files] packages = kuryr_kubernetes