def _create_project(self, project_name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(project_name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
try:
self.vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self.vnc_lib.project_read(fq_name=proj_fq_name)
ProjectKM.locate(proj_obj.uuid)
return proj_obj
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_vn_name(name)
self._create_isolated_ns_virtual_network(ns_name=name,
vn_name=vn_name,
proj_obj=proj_obj)
try:
network_policy = self._get_network_policy_annotations(name)
sg_dict = self._update_security_groups(name, proj_obj,
network_policy)
self._ns_sg[name] = sg_dict
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self, proj_obj, namespace=name, name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_vn_name(name)
self._create_isolated_ns_virtual_network(ns_name=name,
vn_name=vn_name,
proj_obj=proj_obj)
try:
network_policy = self._get_network_policy_annotations(name)
sg_dict = self._update_security_groups(name, proj_obj,
network_policy)
self._ns_sg[name] = sg_dict
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
# Check if policy enforcement is enabled at project level.
# If not, then security will be enforced at VN level.
if DBBaseKM.is_nested():
# In nested mode, policy is always enforced at network level.
# This is so that we do not enforce policy on other virtual
# networks that may co-exist in the current project.
secure_project = False
else:
secure_project = vnc_kube_config.is_secure_project_enabled()
secure_vn = not secure_project
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True or name == 'default':
vn_name = self._get_namespace_pod_vn_name(name)
if self._is_ip_fabric_forwarding_enabled(name):
ipam_fq_name = vnc_kube_config.ip_fabric_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(
fq_name=ipam_fq_name)
provider = self._ip_fabric_vn_obj
else:
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(
fq_name=ipam_fq_name)
provider = None
pod_vn = self._create_isolated_ns_virtual_network(
ns_name=name,
vn_name=vn_name,
vn_type='pod-network',
proj_obj=proj_obj,
ipam_obj=ipam_obj,
provider=provider,
enforce_policy=secure_vn)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network(
ns_name=name,
vn_name=vn_name,
vn_type='service-network',
ipam_obj=ipam_obj,
proj_obj=proj_obj,
enforce_policy=secure_vn)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj, self._ip_fabric_vn_obj,
pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
# If requested, enforce security policy at project level.
if secure_project:
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(
proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
# Check if policy enforcement is enabled at project level.
# If not, then security will be enforced at VN level.
if DBBaseKM.is_nested():
# In nested mode, policy is always enforced at network level.
# This is so that we do not enforce policy on other virtual
# networks that may co-exist in the current project.
secure_project = False
else:
secure_project = vnc_kube_config.is_secure_project_enabled()
secure_vn = not secure_project
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self, proj_obj, namespace=name, name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True or name == 'default':
vn_name = self._get_namespace_pod_vn_name(name)
if self._is_ip_fabric_forwarding_enabled(name):
ipam_fq_name = vnc_kube_config.ip_fabric_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
provider = self._ip_fabric_vn_obj
else:
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
provider = None
pod_vn = self._create_isolated_ns_virtual_network(
ns_name=name, vn_name=vn_name, vn_type='pod-network',
proj_obj=proj_obj, ipam_obj=ipam_obj, provider=provider,
enforce_policy = secure_vn)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network(
ns_name=name, vn_name=vn_name, vn_type='service-network',
ipam_obj=ipam_obj,proj_obj=proj_obj,
enforce_policy = secure_vn)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj,
self._ip_fabric_vn_obj, pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
# If requested, enforce security policy at project level.
if secure_project:
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_pod_vn_name(name)
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
pod_vn = self._create_isolated_ns_virtual_network( \
ns_name=name, vn_name=vn_name, proj_obj=proj_obj,
ipam_obj=ipam_obj, provider=self._ip_fabric_vn_obj)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network( \
ns_name=name, vn_name=vn_name,
ipam_obj=ipam_obj,proj_obj=proj_obj)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj, \
self._ip_fabric_vn_obj, pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(
proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project