def _parse_selectors_on_namespace(crd, direction, pod_selector, ns_selector,
rule_block, crd_rules, namespace, matched):
ns_name = namespace['metadata'].get('name')
ns_labels = namespace['metadata'].get('labels')
sg_id = crd['spec']['securityGroupId']
if (ns_selector and ns_labels
and driver_utils.match_selector(ns_selector, ns_labels)):
if pod_selector:
pods = driver_utils.get_pods(pod_selector, ns_name).get('items')
if 'ports' in rule_block:
for port in rule_block['ports']:
if type(port.get('port')) is not int:
matched = (_create_sg_rule_on_text_port(
sg_id, direction, port, pods, crd_rules, matched,
crd))
else:
matched = True
for pod in pods:
pod_ip = driver_utils.get_pod_ip(pod)
crd_rules.append(
_create_sg_rule(sg_id,
direction,
pod_ip,
port=port,
namespace=ns_name))
else:
for pod in pods:
pod_ip = driver_utils.get_pod_ip(pod)
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
pod_ip,
namespace=ns_name))
else:
ns_pods = driver_utils.get_pods(ns_selector)
ns_cidr = driver_utils.get_namespace_subnet_cidr(namespace)
if 'ports' in rule_block:
for port in rule_block['ports']:
if type(port.get('port')) is not int:
matched = (_create_sg_rule_on_text_port(
sg_id, direction, port, ns_pods, crd_rules,
matched, crd))
else:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
ns_cidr,
port=port,
namespace=ns_name))
else:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
ns_cidr,
namespace=ns_name))
return matched, crd_rules
def _parse_rules(direction, crd, namespace):
policy = crd['spec']['networkpolicy_spec']
sg_id = crd['spec']['securityGroupId']
ns_labels = namespace['metadata'].get('labels')
ns_name = namespace['metadata'].get('name')
ns_cidr = utils.get_namespace_subnet_cidr(namespace)
rule_direction = 'from'
crd_rules = crd['spec'].get('ingressSgRules')
if direction == 'egress':
rule_direction = 'to'
crd_rules = crd['spec'].get('egressSgRules')
matched = False
rule_list = policy.get(direction, [])
for rule_block in rule_list:
for rule in rule_block.get(rule_direction, []):
pod_selector = rule.get('podSelector')
ns_selector = rule.get('namespaceSelector')
if (ns_selector and ns_labels
and utils.match_selector(ns_selector, ns_labels)):
if pod_selector:
pods = utils.get_pods(pod_selector, ns_name)
for pod in pods.get('items'):
pod_ip = utils.get_pod_ip(pod)
if 'ports' in rule_block:
for port in rule_block['ports']:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
pod_ip,
port=port,
namespace=ns_name))
else:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
pod_ip,
namespace=ns_name))
else:
if 'ports' in rule_block:
for port in rule_block['ports']:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
ns_cidr,
port=port,
namespace=ns_name))
else:
matched = True
crd_rules.append(
_create_sg_rule(sg_id,
direction,
ns_cidr,
namespace=ns_name))
return matched, crd_rules
def _create_sg_rule_on_text_port(sg_id,
direction,
port,
rule_selected_pods,
crd_rules,
matched,
crd,
allow_all=False,
namespace=None):
matched_pods = {}
spec_pod_selector = crd['spec'].get('podSelector')
policy_namespace = crd['metadata']['namespace']
spec_pods = driver_utils.get_pods(spec_pod_selector,
policy_namespace).get('items')
if direction == 'ingress':
for spec_pod in spec_pods:
container_ports = driver_utils.get_ports(spec_pod, port)
for rule_selected_pod in rule_selected_pods:
matched = _create_sg_rules_with_container_ports(
matched_pods, container_ports, allow_all, namespace,
matched, crd_rules, sg_id, direction, port,
rule_selected_pod)
elif direction == 'egress':
for rule_selected_pod in rule_selected_pods:
pod_label = rule_selected_pod['metadata'].get('labels')
pod_ns = rule_selected_pod['metadata'].get('namespace')
# NOTE(maysams) Do not allow egress traffic to the actual
# set of pods the NP is enforced on.
if (driver_utils.match_selector(spec_pod_selector, pod_label)
and policy_namespace == pod_ns):
continue
container_ports = driver_utils.get_ports(rule_selected_pod, port)
matched = _create_sg_rules_with_container_ports(
matched_pods, container_ports, allow_all, namespace, matched,
crd_rules, sg_id, direction, port, rule_selected_pod)
for container_port, pods in matched_pods.items():
if allow_all:
sg_rule = driver_utils.create_security_group_rule_body(
sg_id,
direction,
container_port,
protocol=port.get('protocol'),
pods=pods)
else:
namespace_obj = driver_utils.get_namespace(namespace)
namespace_cidr = driver_utils.get_namespace_subnet_cidr(
namespace_obj)
sg_rule = driver_utils.create_security_group_rule_body(
sg_id,
direction,
container_port,
protocol=port.get('protocol'),
cidr=namespace_cidr,
pods=pods)
sgr_id = driver_utils.create_security_group_rule(sg_rule)
sg_rule['security_group_rule']['id'] = sgr_id
crd_rules.append(sg_rule)
return matched
def _get_namespaces_cidr(self, namespace_selector, namespace=None):
cidrs = []
if not namespace_selector and namespace:
ns = self.kubernetes.get(
'{}/namespaces/{}'.format(constants.K8S_API_BASE, namespace))
ns_cidr = driver_utils.get_namespace_subnet_cidr(ns)
cidrs.append({'cidr': ns_cidr, 'namespace': namespace})
else:
matching_namespaces = driver_utils.get_namespaces(
namespace_selector)
for ns in matching_namespaces.get('items'):
# NOTE(ltomasbo): This requires the namespace handler to be
# also enabled
ns_cidr = driver_utils.get_namespace_subnet_cidr(ns)
ns_name = ns['metadata']['name']
cidrs.append({'cidr': ns_cidr, 'namespace': ns_name})
return cidrs
def _get_resource_details(self, resource):
namespace = None
if self._is_pod(resource):
cidr = resource['status'].get('podIP')
namespace = resource['metadata']['namespace']
elif resource.get('cidr'):
cidr = resource.get('cidr')
else:
cidr = driver_utils.get_namespace_subnet_cidr(resource)
namespace = resource['metadata']['name']
return cidr, namespace
def _parse_selectors_on_namespace(crd, direction, pod_selector, ns_selector,
rule_block, crd_rules, namespace, matched):
ns_name = namespace['metadata'].get('name')
ns_labels = namespace['metadata'].get('labels')
sg_id = crd['spec']['securityGroupId']
if (ns_selector and ns_labels
and driver_utils.match_selector(ns_selector, ns_labels)):
if pod_selector:
pods = driver_utils.get_pods(pod_selector, ns_name).get('items')
if 'ports' in rule_block:
for port in rule_block['ports']:
if type(port.get('port')) is not int:
matched = (_create_sg_rule_on_text_port(
sg_id, direction, port, pods, crd_rules, matched,
crd))
else:
matched = True
for pod in pods:
pod_ip = driver_utils.get_pod_ip(pod)
if not pod_ip:
pod_name = pod['metadata']['name']
LOG.debug(
"Skipping SG rule creation for pod "
"%s due to no IP assigned", pod_name)
continue
sg_rule = _create_sg_rule(sg_id,
direction,
pod_ip,
port=port,
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
for pod in pods:
pod_ip = driver_utils.get_pod_ip(pod)
if not pod_ip:
pod_name = pod['metadata']['name']
LOG.debug(
"Skipping SG rule creation for pod %s due"
" to no IP assigned", pod_name)
continue
matched = True
sg_rule = _create_sg_rule(sg_id,
direction,
pod_ip,
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
ns_pods = driver_utils.get_pods(ns_selector)['items']
ns_cidr = driver_utils.get_namespace_subnet_cidr(namespace)
if 'ports' in rule_block:
for port in rule_block['ports']:
if type(port.get('port')) is not int:
matched = (_create_sg_rule_on_text_port(
sg_id, direction, port, ns_pods, crd_rules,
matched, crd))
else:
matched = True
sg_rule = _create_sg_rule(sg_id,
direction,
ns_cidr,
port=port,
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
matched = True
sg_rule = _create_sg_rule(sg_id,
direction,
ns_cidr,
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
return matched, crd_rules
