def _provision_cluster(self):
        # Pre creating default project before namespace add event.
        proj_obj = self._create_project('default')

        # Create application policy set for the cluster project.
        VncSecurityPolicy.create_application_policy_set(
            vnc_kube_config.application_policy_set_name())

        # Allocate fabric snat port translation pools.
        self._allocate_fabric_snat_port_translation_pools()

        ip_fabric_fq_name = vnc_kube_config.cluster_ip_fabric_network_fq_name()
        ip_fabric_vn_obj = self.vnc_lib. \
            virtual_network_read(fq_name=ip_fabric_fq_name)

        cluster_vn_obj = None
        if DBBaseKM.is_nested():
            try:
                cluster_vn_obj = self.vnc_lib.virtual_network_read(
                    fq_name=vnc_kube_config.cluster_default_network_fq_name())
            except NoIdError:
                pass

        # Pre creating kube-system project before namespace add event.
        self._create_project('kube-system')
        # Create ip-fabric IPAM.
        ipam_name = vnc_kube_config.cluster_name() + '-ip-fabric-ipam'
        ip_fabric_ipam_update, ip_fabric_ipam_obj, ip_fabric_ipam_subnets = \
            self._create_ipam(ipam_name, self.args.ip_fabric_subnets, proj_obj)
        self._cluster_ip_fabric_ipam_fq_name = ip_fabric_ipam_obj.get_fq_name()
        # Create Pod IPAM.
        ipam_name = vnc_kube_config.cluster_name() + '-pod-ipam'
        pod_ipam_update, pod_ipam_obj, pod_ipam_subnets = \
            self._create_ipam(ipam_name, self.args.pod_subnets, proj_obj)
        # Cache cluster pod ipam name.
        # This will be referenced by ALL pods that are spawned in the cluster.
        self._cluster_pod_ipam_fq_name = pod_ipam_obj.get_fq_name()
        # Create a cluster-pod-network.
        if self.args.ip_fabric_forwarding:
            cluster_pod_vn_obj = self._create_network(
                vnc_kube_config.cluster_default_pod_network_name(),
                'pod-network', proj_obj, ip_fabric_ipam_obj,
                ip_fabric_ipam_update, ip_fabric_vn_obj)
        else:
            cluster_pod_vn_obj = self._create_network(
                vnc_kube_config.cluster_default_pod_network_name(),
                'pod-network', proj_obj, pod_ipam_obj, pod_ipam_update,
                ip_fabric_vn_obj)
        # Create Service IPAM.
        ipam_name = vnc_kube_config.cluster_name() + '-service-ipam'
        service_ipam_update, service_ipam_obj, service_ipam_subnets = \
            self._create_ipam(ipam_name, self.args.service_subnets, proj_obj)
        self._cluster_service_ipam_fq_name = service_ipam_obj.get_fq_name()
        # Create a cluster-service-network.
        cluster_service_vn_obj = self._create_network(
            vnc_kube_config.cluster_default_service_network_name(),
            'service-network', proj_obj, service_ipam_obj, service_ipam_update)
        self._create_attach_policy(proj_obj, ip_fabric_vn_obj,
                                   cluster_pod_vn_obj, cluster_service_vn_obj,
                                   cluster_vn_obj)
    def _network_policy_sync(self):
        """
        Validate and synchronize network policy config.
        """

        # Validate current network policy config.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        if not valid:
            # Validation of current network policy config failed.
            self._logger.error(
                "%s - Periodic validation of cluster security policy failed."
                " Attempting to heal." % (self._name))

            # Attempt to heal the inconsistency in network policy config.
            VncSecurityPolicy.recreate_cluster_security_policy()

        # Validate and sync that K8s API and Contrail API.
        # This handles the cases where kube-manager could have missed delete events
        # from K8s API, which is possible if kube-manager was down when the policy
        # was deleted.
        headless_fw_policy_uuids = VncSecurityPolicy.sync_cluster_security_policy(
        )

        # Delete config objects for network policies not found in K8s API server but
        # are found in Contrail API.
        for fw_policy_uuid in headless_fw_policy_uuids:
            self._logger.error(
                "%s - Generating delete event for orphaned FW policy [%s]" %
                (self._name, fw_policy_uuid))
            self._create_network_policy_delete_event(fw_policy_uuid)
Exemple #3
0
    def _validate_network_policy_resources(self,
                                           name,
                                           uuid,
                                           spec={},
                                           validate_delete=False,
                                           namespace=None):

        ns_name = namespace if namespace else self.ns_name
        np_event_obj = NetworkPolicyKM.find_by_name_or_uuid(uuid)
        if validate_delete:
            self.assertIsNone(np_event_obj)
        elif not spec:
            fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
                name, ns_name)
            fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
            self.assertIsNotNone(np_event_obj)
            self.assertIsNone(fw_policy)
        else:
            fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
                name, ns_name)
            fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
            self.assertIsNotNone(np_event_obj)
            self.assertIsNotNone(fw_policy)

            # Validate network policy spec.
            self._validate_spec(spec, fw_policy)
Exemple #4
0
 def create_ingress_security_policy(self):
     """
     Create a FW policy to house all ingress-to-service rules.
     """
     if not VncSecurityPolicy.ingress_svc_fw_policy_uuid:
         ingress_svc_fw_policy_uuid =\
             VncSecurityPolicy.create_firewall_policy(
                 self._k8s_event_type,
                 None, None, is_global=True)
         VncSecurityPolicy.add_firewall_policy(ingress_svc_fw_policy_uuid)
         VncSecurityPolicy.ingress_svc_fw_policy_uuid =\
             ingress_svc_fw_policy_uuid
Exemple #5
0
    def test_add_network_policy_scaling(self):
        np_uuid_dict = {}
        test_range = list(range(1, 10))
        for i in test_range:
            np_spec = {'podSelector': {}, 'ingress': [{}]}
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        previous_sequence = None
        aps_uid = VncSecurityPolicy.cluster_aps_uuid
        aps_obj = self._get_default_application_policy_set()
        fw_policy_refs = aps_obj.get_firewall_policy_refs()
        for i in test_range:
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(
                np_name, self.ns_name, False)
            for fw_policy in fw_policy_refs if fw_policy_refs else []:
                if fw_policy_name == fw_policy['to'][-1]:
                    if previous_sequence:
                        self.assertTrue(previous_sequence < \
                           fw_policy['attr'].get_sequence())
                    previous_sequence = fw_policy['attr'].get_sequence()
                    break

        for i in test_range:
            self._delete_network_policy(unittest.TestCase.id(self),
                                        np_uuid_dict[i])
            self._validate_network_policy_resources(np_name,
                                                    np_uuid_dict[i],
                                                    np_spec,
                                                    validate_delete=True)
    def test_add_network_policy_scaling(self):
        np_uuid_dict={}
        test_range = range(1, 10)
        for i in test_range:
            np_spec = {
                      'podSelector': {},
                      'ingress': [{}]
                  }
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        previous_sequence = None
        aps_uid = VncSecurityPolicy.cluster_aps_uuid
        aps_obj = self._get_default_application_policy_set()
        fw_policy_refs = aps_obj.get_firewall_policy_refs()
        for i in test_range:
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(np_name,
                self.ns_name, False)
            for fw_policy in fw_policy_refs if fw_policy_refs else []:
                if fw_policy_name == fw_policy['to'][-1]:
                    if previous_sequence:
                        self.assertTrue(previous_sequence < \
                           fw_policy['attr'].get_sequence())
                    previous_sequence = fw_policy['attr'].get_sequence()
                    break

        for i in test_range:
            self._delete_network_policy(unittest.TestCase.id(self), np_uuid_dict[i])
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                np_spec, validate_delete=True)
    def test_network_policy_ordering_resolve_during_modify(self):

        # Check if we have a valid config to start with.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Get deny-all object handle.
        self.assertIsNotNone(VncSecurityPolicy.deny_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.deny_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Detach deny-all policy from APS to introduce error.
        aps_obj.del_firewall_policy(fw_policy_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)

        # Verify that validation of APS will fail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Add deny-all policy to TAIL.
        # This is essentially an error condition where there is already
        # post-tail objects in the APS, but the deny-all gets added after
        # post-tail objects.
        VncSecurityPolicy.add_firewall_policy(
            VncSecurityPolicy.deny_all_fw_policy_uuid,
            tail=True)

        # Verify that validation of APS will fail.
        # Validation will fail because "tail" object is found after objects
        # that are marked as post-tail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Get allow-all object handle.
        self.assertIsNotNone(VncSecurityPolicy.allow_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.allow_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Re-add attempt of object marked post-tail should cause the post-tail
        # object to be re-arranged after tail, even though the object is already
        # present on the APS.
        VncSecurityPolicy.add_firewall_policy(
            VncSecurityPolicy.allow_all_fw_policy_uuid,
            append_after_tail=True)

        # Validation of APS should now succeed.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)
Exemple #8
0
    def delete_ingress_to_service_rule(cls, ns_name, ingress_name,
                                       service_name):
        """
        Delete the ingress-to-service allow rule added to ingress firewall
        policy.
        """
        rule_uuid = None
        if VncSecurityPolicy.ingress_svc_fw_policy_uuid:
            rule_name = VncIngress._get_ingress_firewall_rule_name(
                ns_name, ingress_name, service_name)

            # Get the rule id of the rule to be deleted.
            rule_uuid = VncSecurityPolicy.get_firewall_rule_uuid(rule_name)
            if rule_uuid:
                # Delete the rule.
                VncSecurityPolicy.delete_firewall_rule(
                    VncSecurityPolicy.ingress_svc_fw_policy_uuid, rule_uuid)

        return rule_uuid
    def vnc_network_policy_add(self, event, namespace, name, uid):
        spec = event['object']['spec']
        if not spec:
            self._logger.error("%s - %s:%s Spec Not Found" %
                               (self._name, name, uid))
            return

        fw_policy_uuid = VncSecurityPolicy.create_firewall_policy(name,
                                                                  namespace,
                                                                  spec,
                                                                  k8s_uuid=uid)
        VncSecurityPolicy.add_firewall_policy(fw_policy_uuid)

        # Update kube config db entry for the network policy.
        np = NetworkPolicyKM.find_by_name_or_uuid(uid)
        if np:
            fw_policy_obj = self._vnc_lib.firewall_policy_read(
                id=fw_policy_uuid)
            np.set_vnc_fq_name(":".join(fw_policy_obj.get_fq_name()))
Exemple #10
0
    def add_ingress_to_service_rule(cls, ns_name, ingress_name, service_name):
        """
        Add a ingress-to-service allow rule to ingress firewall policy.
        """
        if VncSecurityPolicy.ingress_svc_fw_policy_uuid:

            ingress_labels = XLabelCache.get_ingress_label(
                cls.get_ingress_label_name(ns_name, ingress_name))
            service_labels = XLabelCache.get_service_label(service_name)

            rule_name = VncIngress._get_ingress_firewall_rule_name(
                ns_name, ingress_name, service_name)

            fw_rule_uuid = VncSecurityPolicy.create_firewall_rule_allow_all(
                rule_name, service_labels, ingress_labels)

            VncSecurityPolicy.add_firewall_rule(
                VncSecurityPolicy.ingress_svc_fw_policy_uuid, fw_rule_uuid)

            return fw_rule_uuid
Exemple #11
0
    def test_deny_all_policy_periodic_validate(self):
        """
        Validate network policy periodic self-healing when
        deny-all firewall policy is detached from APS.
        """

        # Check if we have a valid config to start with.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Create namespace.
        self._create_namespace(self.ns_name, None, True)

        # Create a network policy.
        np_name = unittest.TestCase.id(self)
        np_spec = {'podSelector': {}, 'policyTypes': ['Ingress', 'Egress']}

        # Create a user network policy.
        np_uuid = self._add_update_network_policy(np_name, np_spec)
        self._validate_network_policy_resources(np_name,
                                                np_uuid,
                                                np_spec,
                                                namespace=self.ns_name)

        # Validate that config is sane after user policy add.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Get some basic object handles.
        self.assertIsNotNone(VncSecurityPolicy.deny_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.deny_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Detach deny-all policy from APS to introduce error.
        aps_obj.del_firewall_policy(fw_policy_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)

        # Verify that validation of APS will fail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Fix the inconsisteny in APS.
        VncSecurityPolicy.recreate_cluster_security_policy()

        # Verify that validation of APS will succeed now.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Cleanup user created network policy.
        self._delete_network_policy(np_name, np_uuid, np_spec)
        self._validate_network_policy_resources(np_name,
                                                np_uuid,
                                                np_spec,
                                                validate_delete=True,
                                                namespace=self.ns_name)
    def _validate_network_policy_resources(self, name, uuid, spec={},
                                           validate_delete=False,
                                           namespace=None):

        ns_name = namespace if namespace else self.ns_name
        np_event_obj = NetworkPolicyKM.find_by_name_or_uuid(uuid)
        if validate_delete:
            self.assertIsNone(np_event_obj)
        elif not spec:
            fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(name,
                                                                       ns_name)
            fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
            self.assertIsNotNone(np_event_obj)
            self.assertIsNone(fw_policy)
        else:
            fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(name,
                                                                       ns_name)
            fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
            self.assertIsNotNone(np_event_obj)
            self.assertIsNotNone(fw_policy)

            # Validate network policy spec.
            self._validate_spec(spec, fw_policy)
    def test_deny_all_policy_periodic_validate(self):
        """
        Validate network policy periodic self-healing when
        deny-all firewall policy is detached from APS.
        """

        # Check if we have a valid config to start with.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Create namespace.
        self._create_namespace(self.ns_name, None, True)

        # Create a network policy.
        np_name = unittest.TestCase.id(self)
        np_spec = {
                      'podSelector': {},
                      'policyTypes': ['Ingress', 'Egress']
                   }

        # Create a user network policy.
        np_uuid = self._add_update_network_policy(np_name, np_spec)
        self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                namespace=self.ns_name)

        # Validate that config is sane after user policy add.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Get some basic object handles.
        self.assertIsNotNone(VncSecurityPolicy.deny_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.deny_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Detach deny-all policy from APS to introduce error.
        aps_obj.del_firewall_policy(fw_policy_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)

        # Verify that validation of APS will fail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Fix the inconsisteny in APS.
        VncSecurityPolicy.recreate_cluster_security_policy()

        # Verify that validation of APS will succeed now.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Cleanup user created network policy.
        self._delete_network_policy(np_name, np_uuid, np_spec)
        self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                validate_delete=True,
                                                namespace=self.ns_name)
Exemple #14
0
    def delete_namespace_security_policy(self, ns_name):
        """
        Delete firwall rule created to enforce default behavior on this
        namespace.
        """
        if VncSecurityPolicy.allow_all_fw_policy_uuid:
            # Dis-associate and delete the ingress rule from namespace policy.
            rule_name = self._get_namespace_firewall_ingress_rule_name(ns_name)
            rule_uuid = VncSecurityPolicy.get_firewall_rule_uuid(rule_name)
            VncSecurityPolicy.delete_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid, rule_uuid)

            # Dis-associate and delete egress rule from namespace policy.
            egress_rule_name = self._get_namespace_firewall_egress_rule_name(
                ns_name)
            egress_rule_uuid = VncSecurityPolicy.get_firewall_rule_uuid(
                egress_rule_name)
            VncSecurityPolicy.delete_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid, egress_rule_uuid)
Exemple #15
0
    def add_namespace_security_policy(self, k8s_namespace_uuid):
        """
        Create a firwall rule for default behavior on a namespace.
        """
        ns = self._get_namespace(k8s_namespace_uuid)

        if not ns:
            return

        # Add custom namespace label on the namespace object.
        self._labels.append(k8s_namespace_uuid,
                            self._labels.get_namespace_label(ns.name))

        if not ns.firewall_ingress_allow_rule_uuid:
            ingress_rule_name = self._get_namespace_firewall_ingress_rule_name(
                ns.name)

            # Create a rule for default allow behavior on this namespace.
            ns.firewall_ingress_allow_rule_uuid =\
                VncSecurityPolicy.create_firewall_rule_allow_all(
                    ingress_rule_name,
                    self._labels.get_namespace_label(ns.name))

            # Add default allow rule to the "global allow" firewall policy.
            VncSecurityPolicy.add_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid,
                ns.firewall_ingress_allow_rule_uuid)

        if not ns.firewall_egress_allow_rule_uuid:

            egress_rule_name = self._get_namespace_firewall_egress_rule_name(
                ns.name)

            # Create a rule for default egress allow behavior on this namespace.
            ns.firewall_egress_allow_rule_uuid =\
                VncSecurityPolicy.create_firewall_rule_allow_all(
                    egress_rule_name, {},
                    self._labels.get_namespace_label(ns.name))

            # Add default egress allow rule to "global allow" firewall policy.
            VncSecurityPolicy.add_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid,
                ns.firewall_egress_allow_rule_uuid)
 def vnc_network_policy_delete(self, namespace, name, uuid):
     VncSecurityPolicy.delete_firewall_policy(name, namespace)
Exemple #17
0
    def test_periodic_validate_with_user_policies(self):
        """
        Validate network policy periodic self-healing when
        multiple user created policies are present.
        """

        np_uuid_dict = {}
        test_range = list(range(1, 10))
        for i in test_range:
            np_spec = {'podSelector': {}, 'ingress': [{}]}
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        # Check if we have a valid config to start with.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Get some basic object handles.
        self.assertIsNotNone(VncSecurityPolicy.allow_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.allow_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Detach allow-all policy from APS to introduce error.
        aps_obj.del_firewall_policy(fw_policy_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)

        # Verify that validation of APS will fail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Fix the inconsisteny in APS.
        VncSecurityPolicy.recreate_cluster_security_policy()

        # Verify that validation of APS will succeed now.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        #
        # After self-healing, verify that the first on the APS, the FW policies
        # are ordered as follows:
        # - Ingress-svc fw policy
        # - User created policies
        # - Deny-all fw policy
        # - Allow-all fw policy
        #
        previous_sequence = None
        aps = ApplicationPolicySetKM.locate(aps_obj.get_uuid())
        aps.update()

        fw_policy_refs = aps.get_firewall_policy_refs_sorted()
        ingress_fw_policy_idx = None
        for index, fw_policy_ref in enumerate(fw_policy_refs):
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.owner and\
               fw_policy.cluster_name == self.cluster_name():
                self.assertTrue(fw_policy.uuid ==
                                VncSecurityPolicy.ingress_svc_fw_policy_uuid)
                ingress_fw_policy_idx = index
                break

        last_user_policy_index = None
        loop_start_index = ingress_fw_policy_idx + 1
        for i in test_range:
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(
                np_name, self.ns_name, False)
            for index, fw_policy in enumerate(
                    fw_policy_refs[loop_start_index:]):
                if fw_policy_name == fw_policy['to'][-1]:
                    if previous_sequence:
                        self.assertTrue(previous_sequence < \
                           fw_policy['attr']['sequence'])
                    previous_sequence = fw_policy['attr']['sequence']
                    last_user_policy_index = loop_start_index + index
                    break

        deny_all_policy_index = None
        loop_start_index = last_user_policy_index + 1
        for index, fw_policy_ref in enumerate(
                fw_policy_refs[loop_start_index:]):
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.cluster_name and\
               fw_policy.cluster_name == self.cluster_name():
                self.assertTrue(fw_policy.uuid ==
                                VncSecurityPolicy.deny_all_fw_policy_uuid)
                deny_all_policy_index = loop_start_index + index
                break

        loop_start_index = deny_all_policy_index + 1
        for fw_policy_ref in fw_policy_refs[loop_start_index:]:
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.cluster_name and\
               fw_policy.cluster_name == self.cluster_name():
                self.assertTrue(fw_policy.uuid ==
                                VncSecurityPolicy.allow_all_fw_policy_uuid)
                break

        for i in test_range:
            self._delete_network_policy(unittest.TestCase.id(self),
                                        np_uuid_dict[i])
            self._validate_network_policy_resources(np_name,
                                                    np_uuid_dict[i],
                                                    np_spec,
                                                    validate_delete=True)
Exemple #18
0
 def delete_ingress_to_service_rule_by_id(cls, rule_uuid):
     if VncSecurityPolicy.ingress_svc_fw_policy_uuid:
         # Delete the rule.
         VncSecurityPolicy.delete_firewall_rule(
             VncSecurityPolicy.ingress_svc_fw_policy_uuid, rule_uuid)
Exemple #19
0
 def _create_application_policy_set(self, name, parent_obj=None):
     return VncSecurityPolicy.create_application_policy_set(
         name, parent_obj)
 def _create_application_policy_set(self, name, parent_obj=None):
     return VncSecurityPolicy.create_application_policy_set(name, parent_obj)
    def __init__(self,
                 args=None,
                 logger=None,
                 q=None,
                 kube=None,
                 vnc_kubernetes_config_dict=None):
        self._name = type(self).__name__
        self.args = args
        self.logger = logger
        self.q = q
        self.kube = kube
        self._cluster_pod_ipam_fq_name = None
        self._cluster_service_ipam_fq_name = None
        self._cluster_ip_fabric_ipam_fq_name = None

        # init vnc connection
        self.vnc_lib = self._vnc_connect()

        # Cache common config.
        self.vnc_kube_config = vnc_kube_config(logger=self.logger,
                                               vnc_lib=self.vnc_lib,
                                               args=self.args,
                                               queue=self.q,
                                               kube=self.kube)

        #
        # In nested mode, kube-manager connects to contrail components running
        # in underlay via global link local services. TCP flows established on
        # link local services will be torn down by vrouter, if there is no
        # activity for configured(or default) timeout. So disable flow timeout
        # on these connections, so these flows will persist.
        #
        # Note: The way to disable flow timeout is to set timeout to max
        #       possible value.
        #
        if self.args.nested_mode == '1':
            for cassandra_server in self.args.cassandra_server_list:
                cassandra_port = cassandra_server.split(':')[-1]
                flow_aging_manager.create_flow_aging_timeout_entry(
                    self.vnc_lib, "tcp", cassandra_port, 2147483647)

            if self.args.rabbit_port:
                flow_aging_manager.create_flow_aging_timeout_entry(
                    self.vnc_lib, "tcp", self.args.rabbit_port, 2147483647)

            if self.args.vnc_endpoint_port:
                flow_aging_manager.create_flow_aging_timeout_entry(
                    self.vnc_lib, "tcp", self.args.vnc_endpoint_port,
                    2147483647)

            for collector in self.args.collectors:
                collector_port = collector.split(':')[-1]
                flow_aging_manager.create_flow_aging_timeout_entry(
                    self.vnc_lib, "tcp", collector_port, 2147483647)

        # init access to db
        self._db = db.KubeNetworkManagerDB(self.args, self.logger)
        DBBaseKM.init(self, self.logger, self._db)

        # If nested mode is enabled via config, then record the directive.
        if self.args.nested_mode == '1':
            DBBaseKM.set_nested(True)

        # sync api server db in local cache
        self._sync_km()

        # init rabbit connection
        rabbitmq_cfg = kube_args.rabbitmq_args(self.args)
        self.rabbit = VncAmqpHandle(
            self.logger._sandesh, self.logger, DBBaseKM,
            reaction_map.REACTION_MAP, self.args.cluster_id + '-' +
            self.args.cluster_name + '-kube_manager', rabbitmq_cfg,
            self.args.host_ip)
        self.rabbit.establish()
        self.rabbit._db_resync_done.set()

        # Register label add and delete callbacks with label management entity.
        label_cache.XLabelCache.register_label_add_callback(
            VncKubernetes.create_tags)
        label_cache.XLabelCache.register_label_delete_callback(
            VncKubernetes.delete_tags)

        # Instantiate and init Security Policy Manager.
        self.security_policy_mgr = VncSecurityPolicy(self.vnc_lib,
                                                     VncKubernetes.get_tags)

        # provision cluster
        self._provision_cluster()

        if vnc_kubernetes_config_dict:
            self.vnc_kube_config.update(**vnc_kubernetes_config_dict)
        else:
            # Update common config.
            self.vnc_kube_config.update(
                cluster_pod_ipam_fq_name=self._get_cluster_pod_ipam_fq_name(),
                cluster_service_ipam_fq_name=self.
                _get_cluster_service_ipam_fq_name(),
                cluster_ip_fabric_ipam_fq_name=self.
                _get_cluster_ip_fabric_ipam_fq_name())

        # handle events
        self.label_cache = label_cache.LabelCache()
        self.vnc_kube_config.update(label_cache=self.label_cache)

        self.tags_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_tags.VncTags')
        self.network_policy_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_network_policy.VncNetworkPolicy')
        self.namespace_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_namespace.VncNamespace',
            self.network_policy_mgr)
        self.ingress_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_ingress.VncIngress', self.tags_mgr)
        self.service_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_service.VncService', self.ingress_mgr)
        self.pod_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_pod.VncPod', self.service_mgr,
            self.network_policy_mgr)
        self.endpoints_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_endpoints.VncEndpoints')
        self.network_mgr = importutils.import_object(
            'kube_manager.vnc.vnc_network.VncNetwork')

        # Create system default security policies.
        VncSecurityPolicy.create_deny_all_security_policy()
        VncSecurityPolicy.create_allow_all_security_policy()
        self.ingress_mgr.create_ingress_security_policy()

        VncKubernetes._vnc_kubernetes = self

        # Associate cluster with the APS.
        VncSecurityPolicy.tag_cluster_application_policy_set()
    def test_periodic_validate_with_user_policies(self):
        """
        Validate network policy periodic self-healing when
        multiple user created policies are present.
        """

        np_uuid_dict={}
        test_range = range(1, 10)
        for i in test_range:
            np_spec = {
                      'podSelector': {},
                      'ingress': [{}]
                  }
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        # Check if we have a valid config to start with.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        # Get some basic object handles.
        self.assertIsNotNone(VncSecurityPolicy.allow_all_fw_policy_uuid)
        fw_policy_obj = self._vnc_lib.firewall_policy_read(
            id=VncSecurityPolicy.allow_all_fw_policy_uuid)
        aps_obj = self._get_default_application_policy_set()
        self.assertIsNotNone(fw_policy_obj)
        self.assertIsNotNone(aps_obj)

        # Detach allow-all policy from APS to introduce error.
        aps_obj.del_firewall_policy(fw_policy_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)

        # Verify that validation of APS will fail.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertFalse(valid)

        # Fix the inconsisteny in APS.
        VncSecurityPolicy.recreate_cluster_security_policy()

        # Verify that validation of APS will succeed now.
        valid = VncSecurityPolicy.validate_cluster_security_policy()
        self.assertTrue(valid)

        #
        # After self-healing, verify that the first on the APS, the FW policies
        # are ordered as follows:
        # - Ingress-svc fw policy
        # - User created policies
        # - Deny-all fw policy
        # - Allow-all fw policy
        #
        previous_sequence = None
        aps = ApplicationPolicySetKM.locate(aps_obj.get_uuid())
        aps.update()

        fw_policy_refs = aps.get_firewall_policy_refs_sorted()
        ingress_fw_policy_idx = None
        for index, fw_policy_ref in enumerate(fw_policy_refs):
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.owner and\
               fw_policy.cluster_name == self.cluster_name():
               self.assertTrue(fw_policy.uuid == VncSecurityPolicy.ingress_svc_fw_policy_uuid)
               ingress_fw_policy_idx = index
               break

        last_user_policy_index = None
        loop_start_index = ingress_fw_policy_idx+1
        for i in test_range:
            np_name = "-".join([unittest.TestCase.id(self), str(i)])
            fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(np_name,
                self.ns_name, False)
            for index, fw_policy in enumerate(fw_policy_refs[loop_start_index:]):
                if fw_policy_name == fw_policy['to'][-1]:
                    if previous_sequence:
                        self.assertTrue(previous_sequence < \
                           fw_policy['attr']['sequence'])
                    previous_sequence = fw_policy['attr']['sequence']
                    last_user_policy_index = loop_start_index + index
                    break

        deny_all_policy_index = None
        loop_start_index = last_user_policy_index + 1
        for index, fw_policy_ref in enumerate(fw_policy_refs[loop_start_index:]):
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.cluster_name and\
               fw_policy.cluster_name == self.cluster_name():
               self.assertTrue(fw_policy.uuid == VncSecurityPolicy.deny_all_fw_policy_uuid)
               deny_all_policy_index = loop_start_index + index
               break

        loop_start_index = deny_all_policy_index + 1
        for fw_policy_ref in fw_policy_refs[loop_start_index:]:
            fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
            if fw_policy.cluster_name and\
               fw_policy.cluster_name == self.cluster_name():
               self.assertTrue(fw_policy.uuid == VncSecurityPolicy.allow_all_fw_policy_uuid)
               break

        for i in test_range:
            self._delete_network_policy(unittest.TestCase.id(self), np_uuid_dict[i])
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                np_spec, validate_delete=True)