def _parse_selectors_on_namespace(crd, direction, pod_selector, ns_selector, rule_block, crd_rules, namespace, matched): ns_name = namespace['metadata'].get('name') ns_labels = namespace['metadata'].get('labels') sg_id = crd['spec']['securityGroupId'] if (ns_selector and ns_labels and driver_utils.match_selector(ns_selector, ns_labels)): if pod_selector: pods = driver_utils.get_pods(pod_selector, ns_name).get('items') if 'ports' in rule_block: for port in rule_block['ports']: if type(port.get('port')) is not int: matched = (_create_sg_rule_on_text_port( sg_id, direction, port, pods, crd_rules, matched, crd)) else: matched = True for pod in pods: pod_ip = driver_utils.get_pod_ip(pod) crd_rules.append( _create_sg_rule(sg_id, direction, pod_ip, port=port, namespace=ns_name)) else: for pod in pods: pod_ip = driver_utils.get_pod_ip(pod) matched = True crd_rules.append( _create_sg_rule(sg_id, direction, pod_ip, namespace=ns_name)) else: ns_pods = driver_utils.get_pods(ns_selector) ns_cidr = driver_utils.get_namespace_subnet_cidr(namespace) if 'ports' in rule_block: for port in rule_block['ports']: if type(port.get('port')) is not int: matched = (_create_sg_rule_on_text_port( sg_id, direction, port, ns_pods, crd_rules, matched, crd)) else: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, ns_cidr, port=port, namespace=ns_name)) else: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, ns_cidr, namespace=ns_name)) return matched, crd_rules
def _parse_rules(direction, crd, namespace): policy = crd['spec']['networkpolicy_spec'] sg_id = crd['spec']['securityGroupId'] ns_labels = namespace['metadata'].get('labels') ns_name = namespace['metadata'].get('name') ns_cidr = utils.get_namespace_subnet_cidr(namespace) rule_direction = 'from' crd_rules = crd['spec'].get('ingressSgRules') if direction == 'egress': rule_direction = 'to' crd_rules = crd['spec'].get('egressSgRules') matched = False rule_list = policy.get(direction, []) for rule_block in rule_list: for rule in rule_block.get(rule_direction, []): pod_selector = rule.get('podSelector') ns_selector = rule.get('namespaceSelector') if (ns_selector and ns_labels and utils.match_selector(ns_selector, ns_labels)): if pod_selector: pods = utils.get_pods(pod_selector, ns_name) for pod in pods.get('items'): pod_ip = utils.get_pod_ip(pod) if 'ports' in rule_block: for port in rule_block['ports']: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, pod_ip, port=port, namespace=ns_name)) else: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, pod_ip, namespace=ns_name)) else: if 'ports' in rule_block: for port in rule_block['ports']: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, ns_cidr, port=port, namespace=ns_name)) else: matched = True crd_rules.append( _create_sg_rule(sg_id, direction, ns_cidr, namespace=ns_name)) return matched, crd_rules
def _create_sg_rule_on_text_port(sg_id, direction, port, rule_selected_pods, crd_rules, matched, crd, allow_all=False, namespace=None): matched_pods = {} spec_pod_selector = crd['spec'].get('podSelector') policy_namespace = crd['metadata']['namespace'] spec_pods = driver_utils.get_pods(spec_pod_selector, policy_namespace).get('items') if direction == 'ingress': for spec_pod in spec_pods: container_ports = driver_utils.get_ports(spec_pod, port) for rule_selected_pod in rule_selected_pods: matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) elif direction == 'egress': for rule_selected_pod in rule_selected_pods: pod_label = rule_selected_pod['metadata'].get('labels') pod_ns = rule_selected_pod['metadata'].get('namespace') # NOTE(maysams) Do not allow egress traffic to the actual # set of pods the NP is enforced on. if (driver_utils.match_selector(spec_pod_selector, pod_label) and policy_namespace == pod_ns): continue container_ports = driver_utils.get_ports(rule_selected_pod, port) matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) for container_port, pods in matched_pods.items(): if allow_all: sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), pods=pods) else: namespace_obj = driver_utils.get_namespace(namespace) namespace_cidr = driver_utils.get_namespace_subnet_cidr( namespace_obj) sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), cidr=namespace_cidr, pods=pods) sgr_id = driver_utils.create_security_group_rule(sg_rule) sg_rule['security_group_rule']['id'] = sgr_id crd_rules.append(sg_rule) return matched
def _get_namespaces_cidr(self, namespace_selector, namespace=None): cidrs = [] if not namespace_selector and namespace: ns = self.kubernetes.get( '{}/namespaces/{}'.format(constants.K8S_API_BASE, namespace)) ns_cidr = driver_utils.get_namespace_subnet_cidr(ns) cidrs.append({'cidr': ns_cidr, 'namespace': namespace}) else: matching_namespaces = driver_utils.get_namespaces( namespace_selector) for ns in matching_namespaces.get('items'): # NOTE(ltomasbo): This requires the namespace handler to be # also enabled ns_cidr = driver_utils.get_namespace_subnet_cidr(ns) ns_name = ns['metadata']['name'] cidrs.append({'cidr': ns_cidr, 'namespace': ns_name}) return cidrs
def _get_resource_details(self, resource): namespace = None if self._is_pod(resource): cidr = resource['status'].get('podIP') namespace = resource['metadata']['namespace'] elif resource.get('cidr'): cidr = resource.get('cidr') else: cidr = driver_utils.get_namespace_subnet_cidr(resource) namespace = resource['metadata']['name'] return cidr, namespace
def _parse_selectors_on_namespace(crd, direction, pod_selector, ns_selector, rule_block, crd_rules, namespace, matched): ns_name = namespace['metadata'].get('name') ns_labels = namespace['metadata'].get('labels') sg_id = crd['spec']['securityGroupId'] if (ns_selector and ns_labels and driver_utils.match_selector(ns_selector, ns_labels)): if pod_selector: pods = driver_utils.get_pods(pod_selector, ns_name).get('items') if 'ports' in rule_block: for port in rule_block['ports']: if type(port.get('port')) is not int: matched = (_create_sg_rule_on_text_port( sg_id, direction, port, pods, crd_rules, matched, crd)) else: matched = True for pod in pods: pod_ip = driver_utils.get_pod_ip(pod) if not pod_ip: pod_name = pod['metadata']['name'] LOG.debug( "Skipping SG rule creation for pod " "%s due to no IP assigned", pod_name) continue sg_rule = _create_sg_rule(sg_id, direction, pod_ip, port=port, namespace=ns_name) if sg_rule not in crd_rules: crd_rules.append(sg_rule) else: for pod in pods: pod_ip = driver_utils.get_pod_ip(pod) if not pod_ip: pod_name = pod['metadata']['name'] LOG.debug( "Skipping SG rule creation for pod %s due" " to no IP assigned", pod_name) continue matched = True sg_rule = _create_sg_rule(sg_id, direction, pod_ip, namespace=ns_name) if sg_rule not in crd_rules: crd_rules.append(sg_rule) else: ns_pods = driver_utils.get_pods(ns_selector)['items'] ns_cidr = driver_utils.get_namespace_subnet_cidr(namespace) if 'ports' in rule_block: for port in rule_block['ports']: if type(port.get('port')) is not int: matched = (_create_sg_rule_on_text_port( sg_id, direction, port, ns_pods, crd_rules, matched, crd)) else: matched = True sg_rule = _create_sg_rule(sg_id, direction, ns_cidr, port=port, namespace=ns_name) if sg_rule not in crd_rules: crd_rules.append(sg_rule) else: matched = True sg_rule = _create_sg_rule(sg_id, direction, ns_cidr, namespace=ns_name) if sg_rule not in crd_rules: crd_rules.append(sg_rule) return matched, crd_rules