Python get_kuryrnetpolicy_crds Examples, kuryr_kubernetes.controller.drivers.utils.get_kuryrnetpolicy_crds Python Examples

Example #1

0

Show file

File: network_policy_security_groups.py Project: luis5tb/kuryr-kubernetes

def _get_pod_sgs(pod, project_id):
    sg_list = []

    pod_labels = pod['metadata'].get('labels')
    pod_namespace = pod['metadata']['namespace']

    knp_crds = driver_utils.get_kuryrnetpolicy_crds(namespace=pod_namespace)
    for crd in knp_crds.get('items'):
        pod_selector = crd['spec'].get('podSelector')
        if pod_selector:
            if driver_utils.match_selector(pod_selector, pod_labels):
                LOG.debug("Appending %s", str(crd['spec']['securityGroupId']))
                sg_list.append(str(crd['spec']['securityGroupId']))
        else:
            LOG.debug("Appending %s", str(crd['spec']['securityGroupId']))
            sg_list.append(str(crd['spec']['securityGroupId']))

    # NOTE(maysams) Pods that are not selected by any Networkpolicy
    # are fully accessible. Thus, the default security group is associated.
    if not sg_list:
        sg_list = config.CONF.neutron_defaults.pod_security_groups
        if not sg_list:
            raise cfg.RequiredOptError('pod_security_groups',
                                       cfg.OptGroup('neutron_defaults'))

    return sg_list[:]

Example #2

0

Show file

File: network_policy_security_groups.py Project: luis5tb/kuryr-kubernetes

    def delete_sg_rules(self, pod):
        LOG.debug("Deleting sg rule for pod: %s", pod['metadata']['name'])
        pod_ip = driver_utils.get_pod_ip(pod)
        if not pod_ip:
            LOG.debug("Skipping SG rule deletion as pod %s has no IP assigned",
                      pod['metadata']['name'])
            return None
        crd_pod_selectors = []
        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')

            i_matched, i_rules = _parse_rules_on_delete_pod(
                ingress_rule_list, "ingress", pod_ip)
            e_matched, e_rules = _parse_rules_on_delete_pod(
                egress_rule_list, "egress", pod_ip)

            if i_matched or e_matched:
                driver_utils.patch_kuryrnetworkpolicy_crd(
                    crd, i_rules, e_rules, crd_selector)
            if i_matched:
                crd_pod_selectors.append(crd_selector)
        return crd_pod_selectors

Example #3

0

Show file

File: network_policy_security_groups.py Project: sosiouxme/kuryr-kubernetes

    def create_sg_rules(self, pod):
        LOG.debug("Creating sg rule for pod: %s", pod['metadata']['name'])
        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')

            i_matched, i_rules = _parse_rules('ingress', crd, pod=pod)
            e_matched, e_rules = _parse_rules('egress', crd, pod=pod)

            if i_matched or e_matched:
                driver_utils.patch_kuryr_crd(crd, i_rules,
                                             e_rules, crd_selector)

Example #4

0

Show file

File: namespace_security_groups.py Project: mrostecki/kuryr-kubernetes

    def create_namespace_sg_rules(self, namespace):
        kubernetes = clients.get_kubernetes_client()
        ns_name = namespace['metadata']['name']
        LOG.debug("Creating sg rule for namespace: %s", ns_name)
        namespace = kubernetes.get('{}/namespaces/{}'.format(
            constants.K8S_API_BASE, ns_name))
        knp_crds = utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')

            i_matched, i_rules = _parse_rules('ingress', crd, namespace)
            e_matched, e_rules = _parse_rules('egress', crd, namespace)

            if i_matched or e_matched:
                utils.patch_kuryr_crd(crd, i_rules, e_rules, crd_selector)

Example #5

0

Show file

    def delete_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Deleting sg rule for namespace: %s", ns_name)

        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')

            i_matched, i_rules = _parse_rules_on_delete_namespace(
                ingress_rule_list, "ingress", ns_name)
            e_matched, e_rules = _parse_rules_on_delete_namespace(
                egress_rule_list, "egress", ns_name)

            if i_matched or e_matched:
                driver_utils.patch_kuryr_crd(crd, i_rules, e_rules,
                                             crd_selector)

Example #6

0

Show file

File: network_policy_security_groups.py Project: luis5tb/kuryr-kubernetes

    def create_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Creating sg rule for namespace: %s", ns_name)
        crd_selectors = []
        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')

            i_matched, i_rules = _parse_rules('ingress',
                                              crd,
                                              namespace=namespace)
            e_matched, e_rules = _parse_rules('egress',
                                              crd,
                                              namespace=namespace)

            if i_matched or e_matched:
                driver_utils.patch_kuryrnetworkpolicy_crd(
                    crd, i_rules, e_rules, crd_selector)
            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

Example #7

0

Show file

File: network_policy_security_groups.py Project: tw0927041027/kuryr-kubernetes

    def delete_sg_rules(self, pod):
        LOG.debug("Deleting sg rule for pod: %s", pod['metadata']['name'])
        pod_ip = driver_utils.get_pod_ip(pod)
        crd_pod_selectors = []
        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')
            i_rules = []
            e_rules = []

            matched = False
            for i_rule in ingress_rule_list:
                LOG.debug("Parsing ingress rule: %r", i_rule)
                remote_ip_prefix = i_rule['security_group_rule'].get(
                    'remote_ip_prefix')
                if remote_ip_prefix and remote_ip_prefix == pod_ip:
                    matched = True
                    driver_utils.delete_security_group_rule(
                        i_rule['security_group_rule']['id'])
                else:
                    i_rules.append(i_rule)

            for e_rule in egress_rule_list:
                LOG.debug("Parsing egress rule: %r", e_rule)
                remote_ip_prefix = e_rule['security_group_rule'].get(
                    'remote_ip_prefix')
                if remote_ip_prefix and remote_ip_prefix == pod_ip:
                    matched = True
                    driver_utils.delete_security_group_rule(
                        e_rule['security_group_rule']['id'])
                else:
                    e_rules.append(e_rule)

            if matched:
                driver_utils.patch_kuryr_crd(crd, i_rules, e_rules,
                                             crd_selector)
                crd_pod_selectors.append(crd_selector)
        return crd_pod_selectors

Example #8

0

Show file

File: network_policy_security_groups.py Project: sosiouxme/kuryr-kubernetes

    def delete_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Deleting sg rule for namespace: %s",
                  ns_name)

        knp_crds = driver_utils.get_kuryrnetpolicy_crds()
        for crd in knp_crds.get('items'):
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')
            i_rules = []
            e_rules = []

            matched = False
            for i_rule in ingress_rule_list:
                LOG.debug("Parsing ingress rule: %r", i_rule)
                rule_namespace = i_rule.get('namespace', None)

                if rule_namespace and rule_namespace == ns_name:
                    matched = True
                    driver_utils.delete_security_group_rule(
                        i_rule['security_group_rule']['id'])
                else:
                    i_rules.append(i_rule)

            for e_rule in egress_rule_list:
                LOG.debug("Parsing egress rule: %r", e_rule)
                rule_namespace = e_rule.get('namespace', None)

                if rule_namespace and rule_namespace == ns_name:
                    matched = True
                    driver_utils.delete_security_group_rule(
                        e_rule['security_group_rule']['id'])
                else:
                    e_rules.append(e_rule)

            if matched:
                driver_utils.patch_kuryr_crd(
                    crd, i_rules, e_rules, crd_selector)