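def remove_firewall_policy(cls, name, namespace, is_global=False):
        """
        Detach the firewall policy of a network policy from the cluster APS.

        The firewall policy fq_name is derived from the parent
        policy-management object of the cluster Application Policy Set plus
        the name produced by get_firewall_policy_name(). The policy reference
        is then removed from the APS and the APS is written back. The
        firewall policy object itself is not deleted here.

        Args:
            name: Network policy name.
            namespace: Namespace of the network policy.
            is_global: Whether the policy is cluster-global; it changes the
                generated firewall policy name, so the same value used at
                creation time must be passed here.

        Raises:
            Exception: if the cluster APS uuid is not set.
            NoIdError: from vnc_lib when the policy-management or firewall
                policy object cannot be read; it is not handled here.
        """
        if not cls.cluster_aps_uuid:
            raise Exception("Cluster Application Policy Set not available.")

        aps_obj = cls.vnc_lib.application_policy_set_read(
            id=cls.cluster_aps_uuid)

        # A missing policy-management object surfaces as NoIdError to the
        # caller; there is no meaningful recovery at this level.
        pm_obj = cls.vnc_lib.policy_management_read(
            fq_name=aps_obj.get_parent_fq_name())

        fw_policy_fq_name = pm_obj.get_fq_name() + [
            cls.get_firewall_policy_name(name, namespace, is_global)]

        fw_policy_uuid = FirewallPolicyKM.get_fq_name_to_uuid(
            fw_policy_fq_name)
        if not fw_policy_uuid:
            # Not in the local cache: nothing is attached that we could detach.
            return

        fw_policy_obj = cls.vnc_lib.firewall_policy_read(id=fw_policy_uuid)

        aps_obj.del_firewall_policy(fw_policy_obj)
        cls.vnc_lib.application_policy_set_update(aps_obj)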
    def get_firewall_policy_rule_uuid(cls, name, namespace, is_global=False):
        """
        Look up the uuid of the firewall policy backing a network policy.

        Despite the method name, the value returned is the firewall policy
        uuid from the FirewallPolicyKM cache, not a rule uuid. The lookup is
        cache only: no vnc_lib read is issued.

        Args:
            name: Network policy name.
            namespace: Namespace of the network policy.
            is_global: Whether the policy is cluster-global (affects the
                generated firewall policy name).

        Returns:
            The cached firewall policy uuid, or a falsy value when the
            fq_name is unknown to FirewallPolicyKM.

        Raises:
            Exception: if the cluster APS uuid is not set.
        """
        if not cls.cluster_aps_uuid:
            raise Exception("Cluster Application Policy Set not available.")

        aps_km = ApplicationPolicySetKM.locate(cls.cluster_aps_uuid)
        pm_km = PolicyManagementKM.locate(aps_km.parent_uuid)
        parent_fq_name = pm_km.fq_name
        policy_name = cls.get_firewall_policy_name(name, namespace, is_global)
        return FirewallPolicyKM.get_fq_name_to_uuid(
            parent_fq_name + [policy_name])
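    def delete_firewall_policy(cls, name, namespace, is_global=False):
        """
        Delete the firewall policy created for a network policy.

        Tears down, in order: the deny-all and egress deny-all rules recorded
        on the cached policy (these live on the cluster deny-all firewall
        policy), every rule of the policy itself, the policy's reference on
        the cluster APS, and finally the firewall policy object together with
        its cache entry. Errors are not swallowed at any step, so a partially
        torn down policy is never reported as removed.

        Args:
            name: Network policy name.
            namespace: Namespace of the network policy.
            is_global: Whether the policy is cluster-global. It is forwarded
                to every name lookup, including the APS detach, so that the
                global and namespaced variants resolve to the same fq_name.

        Raises:
            Exception: if the cluster APS uuid is not set.
            NoIdError: from vnc_lib when the policy-management object cannot
                be read.
        """
        if not cls.cluster_aps_uuid:
            raise Exception("Cluster Application Policy Set not available.")

        # Get parent object for this firewall policy.
        aps_obj = cls.vnc_lib.application_policy_set_read(
            id=cls.cluster_aps_uuid)
        pm_obj = cls.vnc_lib.policy_management_read(
            fq_name=aps_obj.get_parent_fq_name())

        fw_policy_fq_name = pm_obj.get_fq_name() + [
            cls.get_firewall_policy_name(name, namespace, is_global)]
        fw_policy_uuid = FirewallPolicyKM.get_fq_name_to_uuid(
            fw_policy_fq_name)
        if not fw_policy_uuid:
            # We are not aware of this firewall policy.
            return

        fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
        # Snapshot the rule list before any deletion touches the cache.
        fw_policy_rules = fw_policy.firewall_rules

        # Remove the deny-all rules tied to this policy, if any. They are
        # attached to the cluster deny-all policy, not to fw_policy_uuid.
        for deny_rule_uuid in (fw_policy.deny_all_rule_uuid,
                               fw_policy.egress_deny_all_rule_uuid):
            if deny_rule_uuid:
                VncSecurityPolicy.delete_firewall_rule(
                    VncSecurityPolicy.deny_all_fw_policy_uuid, deny_rule_uuid)

        # Remove the policy's own rules; iterate a copy so a cache update
        # during deletion cannot disturb the iteration. Failures propagate.
        for rule_uuid in list(fw_policy_rules):
            VncSecurityPolicy.delete_firewall_rule(fw_policy_uuid, rule_uuid)

        # Detach from the APS before deleting the object. is_global must be
        # forwarded: otherwise a global policy is looked up under its
        # namespaced name, the detach returns without doing anything, and the
        # delete below runs while the APS still references the policy.
        cls.remove_firewall_policy(name, namespace, is_global)

        cls.vnc_lib.firewall_policy_delete(id=fw_policy_uuid)
        FirewallPolicyKM.delete(fw_policy_uuid)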
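    def sync_cluster_security_policy(cls):
        """
        Synchronize K8s network policies with Contrail Security policy.
        Expects that FW policies on the APS are in proper order.

        Walks the firewall policies attached to the cluster APS, keeps the
        user created ones (those sequenced between the infra ingress policy
        and the infra deny-all policy) and checks every configured network
        policy against them: a firewall policy that exists but sits outside
        that slot is re-added so it lands in the right place; a matching one
        is ticked off.

        Returns a list of orphaned or invalid firewall policies: the entries
        of the user slot that no configured network policy accounted for.
        Nothing is deleted here; the caller decides what to do with them.
        """
        # If APS does not exist for this cluster, then there is nothing to do.
        if not cls.cluster_aps_uuid:
            return []

        aps = ApplicationPolicySetKM.find_by_name_or_uuid(cls.cluster_aps_uuid)
        if not aps:
            return []

        # If APS does not match this cluster name, then there is nothing to do.
        cluster_name = vnc_kube_config.cluster_name()
        if aps.name != cluster_name:
            return []

        # Firewall policies on the APS that belong to this cluster, in APS
        # order. find_by_name_or_uuid can return None (it is guarded that way
        # for the APS above and the network policy below), so an uncached
        # uuid is skipped instead of dereferenced.
        cluster_firewall_policies = []
        for fw_policy_uuid in aps.get_firewall_policies():
            fw_policy = FirewallPolicyKM.find_by_name_or_uuid(fw_policy_uuid)
            if not fw_policy or fw_policy.cluster_name != cluster_name:
                continue
            cluster_firewall_policies.append(fw_policy_uuid)

        # We are interested only in policies created by k8s user via network
        # policy. These policies are sequenced between the infra created
        # ingress policy and infra created deny-all policy. Without both
        # anchors the ordering cannot be trusted, so report nothing.
        try:
            start_index = cluster_firewall_policies.index(
                cls.ingress_svc_fw_policy_uuid)
            end_index = cluster_firewall_policies.index(
                cls.deny_all_fw_policy_uuid)
        except ValueError:
            return []
        curr_user_firewall_policies = \
            cluster_firewall_policies[start_index + 1:end_index]

        # Reconcile against user created network policies.
        for nw_policy_uuid in NetworkPolicyKM.get_configured_policies():
            np = NetworkPolicyKM.find_by_name_or_uuid(nw_policy_uuid)
            if not np or not np.get_vnc_fq_name():
                continue

            # Decipher the firewall policy corresponding to the network policy.
            fw_policy_uuid = FirewallPolicyKM.get_fq_name_to_uuid(
                np.get_vnc_fq_name().split(":"))
            if not fw_policy_uuid:
                # We are yet to process this network policy.
                continue

            if fw_policy_uuid not in curr_user_firewall_policies:
                # A firewall policy was found but it is not in between the
                # infra created policies as expected. Add it again so it will
                # be inserted in the right place.
                cls.add_firewall_policy(fw_policy_uuid)
            else:
                # Filter out processed policies.
                curr_user_firewall_policies.remove(fw_policy_uuid)

        # Whatever remains could not be validated against a user created
        # network policy.
        return curr_user_firewall_policies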