def _create_all_nodes_pods_nsgroup(nsxt_client):
    nsgroup_manager = NSGroupManager(nsxt_client)
    ip_set_manager = IPSetManager(nsxt_client)

    nsgroup = nsgroup_manager.get_nsgroup(name=ALL_NODES_PODS_NSGROUP_NAME)
    if not nsgroup:
        all_nodes_ip_set_id = ip_set_manager.get_ip_set(
            name=ALL_NODES_IP_SET_NAME)['id']
        all_pods_ip_set_id = ip_set_manager.get_ip_set(
            name=ALL_PODS_IP_SET_NAME)['id']
        nsxt_client.LOGGER.debug(f"Creating NSGroup : "
                                 f"{ALL_NODES_PODS_NSGROUP_NAME}")
        nsgroup = nsgroup_manager.create_nsgroup_from_ipsets(
            name=ALL_NODES_PODS_NSGROUP_NAME,
            ipset_ids=[all_nodes_ip_set_id, all_pods_ip_set_id])
    else:
        nsxt_client.LOGGER.debug(
            f"NSGroup : {ALL_NODES_PODS_NSGROUP_NAME} already exists.")
Ejemplo n.º 2
0
    def isolate_cluster(self, cluster_name, cluster_id):
        """Isolate a PKS cluster's network.

        :param str cluster_name: name of the cluster whose network needs
            isolation.
        :param str cluster_id: id of the cluster whose network needs isolation.
            Cluster id is used to identify the tagged logical switch and ports
            powering the T1 routers of the cluster.
        """
        n_id, p_id, np_id = self._create_nsgroups_for_cluster(
            cluster_name, cluster_id)

        sec_id = self._create_firewall_section_for_cluster(
            cluster_name, np_id).get('id')

        nsgroup_manager = NSGroupManager(self._nsxt_client)
        anp_id = \
            nsgroup_manager.get_nsgroup(ALL_NODES_PODS_NSGROUP_NAME).get('id')

        self._create_firewall_rules_for_cluster(sec_id, n_id, p_id, np_id,
                                                anp_id)
Ejemplo n.º 3
0
    def _create_nsgroup_for_cluster_nodes_and_pods(self, cluster_name,
                                                   nodes_nsgroup_id,
                                                   pods_nsgroup_id):
        """Create NSGroup for all nodes and pods in a cluster.

        If NSGroup already exists, delete it and re-create it. Since this group
        is based on cluster name, it possible that a previously deployed
        cluster on deletion failed to cleanup it's NSGroups, we shouldn't
        re-use that group rather create it afresh with the proper member
        NSGroups ids.

        :param str cluster_name: name of the cluster whose network is being
            isolated.
        :param str nodes_nsgroup_id:
        :param str pods_nsgroup_id:

        :return: NSGroup containing all the nodes and pods in the cluster, as a
            JSON dictionary.

        :rtype: dict
        """
        name = self._get_nodes_pods_nsgroup_name(cluster_name)
        nsgroup_manager = NSGroupManager(self._nsxt_client)
        nodes_pods_nsgroup = nsgroup_manager.get_nsgroup(name)
        if nodes_pods_nsgroup:
            self._nsxt_client.LOGGER.debug(f"NSGroup : {name} already exists.")
            nsgroup_manager.delete_nsgroup(name, force=True)
            self._nsxt_client.LOGGER.debug(f"Deleted NSGroup : {name}.")

        member1 = {}
        member1['resource_type'] = "NSGroupSimpleExpression"
        member1['target_type'] = "NSGroup"
        member1['target_property'] = "id"
        member1['op'] = "EQUALS"
        member1['value'] = nodes_nsgroup_id

        member2 = {}
        member2['resource_type'] = "NSGroupSimpleExpression"
        member2['target_type'] = "NSGroup"
        member2['target_property'] = "id"
        member2['op'] = "EQUALS"
        member2['value'] = pods_nsgroup_id

        members = [member1, member2]

        self._nsxt_client.LOGGER.debug(f"Creating NSGroup : {name}.")
        nodes_pods_nsgroup = nsgroup_manager.create_nsgroup(name,
                                                            members=members)

        return nodes_pods_nsgroup
Ejemplo n.º 4
0
    def remove_cluster_isolation(self, cluster_name):
        """Revert isolatation of a PKS cluster's network.

        :param str cluster_name: name of the cluster whose network isolation
            needs to be reverted.
        """
        firewall_section_name = \
            self._get_firewall_section_name_for_cluster(cluster_name)

        nodes_nsgroup_name = self._get_nodes_nsgroup_name(cluster_name)
        pods_nsgroup_name = self._get_pods_nsgroup_name(cluster_name)
        nodes_pods_nsgroup_name = \
            self._get_nodes_pods_nsgroup_name(cluster_name)

        dfw_manager = DFWManager(self._nsxt_client)
        nsgroup_manager = NSGroupManager(self._nsxt_client)

        dfw_manager.delete_firewall_section(firewall_section_name,
                                            cascade=True)
        nsgroup_manager.delete_nsgroup(nodes_pods_nsgroup_name, force=True)
        nsgroup_manager.delete_nsgroup(nodes_nsgroup_name, force=True)
        nsgroup_manager.delete_nsgroup(pods_nsgroup_name, force=True)
Ejemplo n.º 5
0
    def _create_nsgroup_for_cluster_nodes(self, cluster_name, cluster_id):
        """Create NSGroup for all nodes in the cluster.

        If NSGroup already exists, delete it and re-create it. Since this group
        is based on cluster name, it possible that a previously deployed
        cluster on deletion failed to cleanup it's NSGroups, we shouldn't
        re-use that group rather create it afresh with the proper cluster
        id tag based membership criteria.

        :param str cluster_name: name of the cluster whose network is being
            isolated.
        :param str cluster_id: id of the cluster whose network is being
            isolated.

        :return: NSGroup containing all the nodes in the cluster, as a JSON
            dictionary.

        :rtype: dict
        """
        name = self._get_nodes_nsgroup_name(cluster_name)
        nsgroup_manager = NSGroupManager(self._nsxt_client)
        nodes_nsgroup = nsgroup_manager.get_nsgroup(name)
        if nodes_nsgroup:
            self._nsxt_client.LOGGER.debug(f"NSGroup : {name} already exists.")
            nsgroup_manager.delete_nsgroup(name, force=True)
            self._nsxt_client.LOGGER.debug(f"Deleted NSGroup : {name}.")

        criteria = {}
        criteria['resource_type'] = "NSGroupComplexExpression"

        expression1 = {}
        expression1['resource_type'] = "NSGroupTagExpression"
        expression1['target_type'] = "LogicalSwitch"
        expression1['scope'] = "pks/cluster"
        expression1['tag'] = str(cluster_id)

        expression2 = {}
        expression2['resource_type'] = "NSGroupTagExpression"
        expression2['target_type'] = "LogicalSwitch"
        expression2['scope'] = "pks/floating_ip"

        criteria['expressions'] = [expression1, expression2]

        self._nsxt_client.LOGGER.debug(f"Creating NSGroup : {name}.")
        nodes_nsgroup = nsgroup_manager.create_nsgroup(
            name, membership_criteria=[criteria])

        return nodes_nsgroup