def _associate_security_groups(vmi_obj, proj_obj, ns):
sg_name = "-".join([vnc_kube_config.cluster_name(), ns, 'default'])
sg_obj = SecurityGroup(sg_name, proj_obj)
vmi_obj.add_security_group(sg_obj)
ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns, 'sg'])
sg_obj = SecurityGroup(ns_sg_name, proj_obj)
vmi_obj.add_security_group(sg_obj)
return
def _update_security_groups(self, ns_name, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
# create default security group
sg_name = vnc_kube_config.get_default_sg_name(ns_name)
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg = SecurityGroupKM.locate(sg_obj.get_uuid())
return sg
def test_create_sg_with_configured_id_is_limited(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
sg_obj.set_configured_security_group_id(8000000)
with ExpectedException(BadRequest):
self.api.security_group_create(sg_obj)
sg_obj.set_configured_security_group_id(-1)
with ExpectedException(BadRequest):
self.api.security_group_create(sg_obj)
def test_update_sg_with_configured_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
allocated_sg_id = sg_obj.security_group_id
configured_sg_id = sg_obj.configured_security_group_id
self.assertEqual(sg_obj.get_fq_name_str(),
mock_zk.get_sg_from_id(allocated_sg_id))
self.assertEqual(configured_sg_id, 0)
sg_obj.set_configured_security_group_id(42)
self.api.security_group_update(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
configured_sg_id = sg_obj.configured_security_group_id
self.assertEqual(sg_id, 42)
self.assertEqual(configured_sg_id, 42)
self.assertNotEqual(mock_zk.get_sg_from_id(sg_id),
sg_obj.get_fq_name_str())
sg_obj.set_configured_security_group_id(0)
self.api.security_group_update(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
allocated_sg_id = sg_obj.security_group_id
configured_sg_id = sg_obj.configured_security_group_id
self.assertEqual(sg_obj.get_fq_name_str(),
mock_zk.get_sg_from_id(allocated_sg_id))
self.assertEqual(configured_sg_id, 0)
def test_deallocate_sg_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
self.api.security_group_delete(id=sg_obj.uuid)
self.assertNotEqual(mock_zk.get_sg_from_id(sg_id),
sg_obj.get_fq_name_str())
def test_allocate_sg_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
self.assertEqual(sg_obj.get_fq_name_str(),
mock_zk.get_sg_from_id(sg_id))
self.assertGreaterEqual(sg_id, SGID_MIN_ALLOC)
def test_allocate_sg_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
self.assertEqual(sg_obj.get_fq_name_str(),
mock_zk.get_sg_from_id(sg_id))
self.assertGreaterEqual(sg_id, SGID_MIN_ALLOC)
def test_deallocate_sg_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
self.api.security_group_delete(id=sg_obj.uuid)
self.assertNotEqual(mock_zk.get_sg_from_id(sg_id),
sg_obj.get_fq_name_str())
def test_cannot_update_sg_id(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_obj.set_security_group_id(8000042)
with ExpectedException(PermissionDenied):
self.api.security_group_update(sg_obj)
# test can update with same value, needed internally
# TODO(ethuleau): not sure why it's needed
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_obj.set_security_group_id(sg_obj.security_group_id)
self.api.security_group_update(sg_obj)
def test_create_sg_with_configured_id(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
sg_obj.set_configured_security_group_id(42)
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
configured_sg_id = sg_obj.configured_security_group_id
self.assertEqual(sg_id, 42)
self.assertEqual(configured_sg_id, 42)
self.assertNotEqual(mock_zk.get_sg_from_id(sg_id),
sg_obj.get_fq_name_str())
def _create_virtual_interface(self, project, lb_id, subnet_id, network_id,
ip_address):
iip_obj = InstanceIp(name=lb_id)
if subnet_id and subnet_id != ATTR_NOT_SPECIFIED:
network_id = utils.get_subnet_network_id(self._api, subnet_id)
vnet = utils.get_vnet_obj(self._api, network_id)
iip_obj.set_subnet_uuid(subnet_id)
elif network_id and network_id != ATTR_NOT_SPECIFIED:
vnet = utils.get_vnet_obj(self._api, network_id)
else:
msg = 'vip-network-id or vip-subnet-id should be specified'
raise BadRequest(resource='loadbalancer', msg=msg)
vmi = VirtualMachineInterface(lb_id, project)
vmi.set_virtual_network(vnet)
vmi.set_virtual_machine_interface_device_owner(
DEVICE_OWNER_LOADBALANCER)
sg_obj = SecurityGroup("default", project)
vmi.add_security_group(sg_obj)
self._api.virtual_machine_interface_create(vmi)
iip_obj.set_virtual_network(vnet)
iip_obj.set_virtual_machine_interface(vmi)
if ip_address and ip_address != ATTR_NOT_SPECIFIED:
iip_obj.set_instance_ip_address(ip_address)
self._api.instance_ip_create(iip_obj)
iip = self._api.instance_ip_read(id=iip_obj.uuid)
vip_address = iip.get_instance_ip_address()
vip_subnet_id = iip.get_subnet_uuid()
return vmi, vip_address, vip_subnet_id
def _create_virtual_interface(self, project, vip_id, subnet_id,
ip_address):
network_id = utils.get_subnet_network_id(self._api, subnet_id)
try:
vnet = self._api.virtual_network_read(id=network_id)
except NoIdError:
raise n_exc.NetworkNotFound(net_id=network_id)
vmi = VirtualMachineInterface(vip_id, project)
vmi.set_virtual_network(vnet)
sg_obj = SecurityGroup("default", project)
vmi.add_security_group(sg_obj)
self._api.virtual_machine_interface_create(vmi)
fq_name = list(project.get_fq_name())
fq_name.append(vip_id)
iip_obj = InstanceIp(fq_name=fq_name)
iip_obj.set_virtual_network(vnet)
iip_obj.set_virtual_machine_interface(vmi)
if ip_address and ip_address != attributes.ATTR_NOT_SPECIFIED:
iip_obj.set_instance_ip_address(ip_address)
self._api.instance_ip_create(fq_name)
return vmi
def _create_virtual_interface(self, project, lb_id, subnet_id,
ip_address):
network_id = utils.get_subnet_network_id(self._api, subnet_id)
try:
vnet = self._api.virtual_network_read(id=network_id)
except NoIdError:
raise n_exc.NetworkNotFound(net_id=network_id)
vmi = VirtualMachineInterface(lb_id, project)
vmi.set_virtual_network(vnet)
vmi.set_virtual_machine_interface_device_owner(n_constants.DEVICE_OWNER_LOADBALANCER)
sg_obj = SecurityGroup("default", project)
vmi.add_security_group(sg_obj)
self._api.virtual_machine_interface_create(vmi)
iip_obj = InstanceIp(name=lb_id)
iip_obj.set_virtual_network(vnet)
iip_obj.set_virtual_machine_interface(vmi)
if ip_address and ip_address != attributes.ATTR_NOT_SPECIFIED:
iip_obj.set_instance_ip_address(ip_address)
self._api.instance_ip_create(iip_obj)
iip = self._api.instance_ip_read(id=iip_obj.uuid)
vip_address = iip.get_instance_ip_address()
return vmi, vip_address
def create_security_group(self, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(security_group=proj_obj.get_fq_name_str() +
':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
rules = []
rules.append(_get_rule(True, 'default', None, 'IPv4'))
rules.append(_get_rule(True, 'default', None, 'IPv6'))
sg_rules = PolicyEntriesType(rules)
# create security group
id_perms = IdPermsType(
enable=True, description=KMTestCase.DEFAULT_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name='default',
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
return sg_obj
def create_security_group(self, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(
security_group=proj_obj.get_fq_name_str() + ':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
rules = []
rules.append(_get_rule(True, 'default', None, 'IPv4'))
rules.append(_get_rule(True, 'default', None, 'IPv6'))
sg_rules = PolicyEntriesType(rules)
# create security group
id_perms = IdPermsType(
enable=True,
description=KMTestCase.DEFAULT_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name='default', parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
return sg_obj
def test_security_group_rule_list_per_security_group(self):
sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project)
sgr1_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr1_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg1.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg1)
sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project)
sgr2_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr2_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg2.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg2)
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid],
},
)
self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result})
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid, sg2.uuid],
},
)
self.assertEqual(set([sgr1_id, sgr2_id]),
{sgr['id']
for sgr in list_result})
list_result = self.list_resource('security_group_rule',
self.project_id)
self.assertTrue(
set([sgr1_id,
sgr2_id]).issubset({sgr['id']
for sgr in list_result}))
def test_not_deallocate_sg_id_if_fq_name_does_not_correspond(self):
mock_zk = self._api_server._db_conn._zk_db
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_id = sg_obj.security_group_id
fake_fq_name = "fake fq_name"
mock_zk._sg_id_allocator.delete(sg_id - SGID_MIN_ALLOC)
mock_zk._sg_id_allocator.reserve(sg_id - SGID_MIN_ALLOC, fake_fq_name)
self.api.security_group_delete(id=sg_obj.uuid)
self.assertIsNotNone(mock_zk.get_sg_from_id(sg_id))
self.assertEqual(fake_fq_name, mock_zk.get_sg_from_id(sg_id))
def test_create_sg_with_configured_id_is_limited(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
sg_obj.set_configured_security_group_id(8000000)
with ExpectedException(BadRequest):
self.api.security_group_create(sg_obj)
sg_obj.set_configured_security_group_id(-1)
with ExpectedException(BadRequest):
self.api.security_group_create(sg_obj)
def test_singleton_no_rule_sg(self):
try:
no_rule_sg = self.api.security_group_read(SG_NO_RULE_FQ_NAME)
except NoIdError:
self.fail("Cannot read singleton security '%s' for OpenStack" %
':'.join(SG_NO_RULE_FQ_NAME))
sg_obj = SecurityGroup(name=SG_NO_RULE_FQ_NAME[-1])
self._api_server.create_singleton_entry(sg_obj)
try:
no_rule_sg_2 = self.api.security_group_read(SG_NO_RULE_FQ_NAME)
except NoIdError:
self.fail("Cannot read singleton security '%s' for OpenStack" %
':'.join(SG_NO_RULE_FQ_NAME))
self.assertEqual(no_rule_sg.security_group_id,
no_rule_sg_2.security_group_id)
def test_cannot_update_sg_id(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
self.api.security_group_create(sg_obj)
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_obj.set_security_group_id(8000042)
with ExpectedException(PermissionDenied):
self.api.security_group_update(sg_obj)
# test can update with same value, needed internally
# TODO(ethuleau): not sure why it's needed
sg_obj = self.api.security_group_read(id=sg_obj.uuid)
sg_obj.set_security_group_id(sg_obj.security_group_id)
self.api.security_group_update(sg_obj)
def test_security_group_rule_list_per_security_group(self):
sg1 = SecurityGroup('sg1-%s' % self.id(), parent_obj=self.project)
sgr1_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr1_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg1.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg1)
sg2 = SecurityGroup('sg2-%s' % self.id(), parent_obj=self.project)
sgr2_id = str(uuid.uuid4())
rule = PolicyRuleType(
rule_uuid=sgr2_id,
protocol='any',
src_addresses=[AddressType(security_group='local')],
dst_addresses=[AddressType(security_group='local')],
)
sg2.set_security_group_entries(PolicyEntriesType([rule]))
self._vnc_lib.security_group_create(sg2)
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid],
},
)
self.assertEqual(set([sgr1_id]), {sgr['id'] for sgr in list_result})
list_result = self.list_resource(
'security_group_rule',
self.project_id,
req_filters={
'security_group_id': [sg1.uuid, sg2.uuid],
},
)
self.assertEqual(set([sgr1_id, sgr2_id]),
{sgr['id'] for sgr in list_result})
list_result = self.list_resource('security_group_rule',
self.project_id)
self.assertTrue(set([sgr1_id, sgr2_id]).issubset(
{sgr['id'] for sgr in list_result}))
def test_cannot_set_sg_id(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
sg_obj.set_security_group_id(8000042)
with ExpectedException(PermissionDenied):
self.api.security_group_create(sg_obj)
def _update_security_groups(self, ns_name, proj_obj, network_policy):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(
security_group=proj_obj.get_fq_name_str() + ':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
sg_dict = {}
# create default security group
sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'default'])
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if network_policy and 'ingress' in network_policy:
ingress_policy = network_policy['ingress']
if ingress_policy and 'isolation' in ingress_policy:
isolation = ingress_policy['isolation']
if isolation == 'DefaultDeny':
ingress = False
if ingress:
if self._is_service_isolated(ns_name):
rules.append(_get_rule(True, sg_name, None, 'IPv4'))
rules.append(_get_rule(True, sg_name, None, 'IPv6'))
else:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[sg_name] = sg_uuid
# create namespace security group
ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg'])
NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group"
id_perms = IdPermsType(enable=True,
description=NAMESPACE_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name=ns_sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=None)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
pass
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[ns_sg_name] = sg_uuid
return sg_dict
def _update_security_groups(self, ns_name, proj_obj, network_policy):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
sg_dict = {}
# create default security group
sg_name = "-".join(
[vnc_kube_config.cluster_name(), ns_name, 'default'])
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if network_policy and 'ingress' in network_policy:
ingress_policy = network_policy['ingress']
if ingress_policy and 'isolation' in ingress_policy:
isolation = ingress_policy['isolation']
if isolation == 'DefaultDeny':
ingress = False
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[sg_name] = sg_uuid
# create namespace security group
ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg'])
NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group"
id_perms = IdPermsType(enable=True,
description=NAMESPACE_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name=ns_sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=None)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
pass
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[ns_sg_name] = sg_uuid
return sg_dict
def test_security_logging_object_with_policy_and_security_group(self):
# Add a Network Policy Rule and a Security Group Rule to a
# SLO
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rule1 = {
"protocol": "udp",
"direction": "<>",
"src": {
"type": "vn",
"value": vn1
},
"dst": {
"type": "cidr",
"value": "10.2.1.1/32"
},
"action": "deny"
}
np = self.create_network_policy_with_multiple_rules([rule1])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
sg_obj = SecurityGroup(name=self.id() + '_sg1')
self._vnc_lib.security_group_create(sg_obj)
sgr_uuid = str(uuid.uuid4())
sg_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4')
sg_policy_rules = PolicyEntriesType([sg_rule])
sg_obj.set_security_group_entries(sg_policy_rules)
self._vnc_lib.security_group_update(sg_obj)
project = self._vnc_lib.project_read(
fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(np_rule1_uuid, rate=300))
slo_rule_entries.append(
SecurityLoggingObjectRuleEntryType(sgr_uuid, rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(
fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
slo_obj.add_security_group(sg_obj, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
slo_obj.del_security_group(sg_obj)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(
fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def test_security_logging_object_with_policy_and_security_group(self):
# Add a Network Policy Rule and a Security Group Rule to a
# SLO
vn1_name = self.id() + 'vn1'
vn1 = self.create_virtual_network(vn1_name, "10.1.1.0/24")
rule1 = {"protocol": "udp",
"direction": "<>",
"src": {"type": "vn", "value": vn1},
"dst": {"type": "cidr", "value": "10.2.1.1/32"},
"action": "deny"
}
np = self.create_network_policy_with_multiple_rules([rule1])
seq = SequenceType(1, 1)
vnp = VirtualNetworkPolicyType(seq)
vn1.set_network_policy(np, vnp)
self._vnc_lib.virtual_network_update(vn1)
sg_obj = SecurityGroup(name=self.id() + '_sg1')
self._vnc_lib.security_group_create(sg_obj)
sgr_uuid = str(uuid.uuid4())
sg_rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='tcp',
src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)],
ether_type='IPv4')
sg_policy_rules = PolicyEntriesType([sg_rule])
sg_obj.set_security_group_entries(sg_policy_rules)
self._vnc_lib.security_group_update(sg_obj)
project = self._vnc_lib.project_read(fq_name=[u'default-domain', u'default-project'])
slo_name = self.id() + '_slo1'
slo_obj = SecurityLoggingObject(name=slo_name,
parent_obj=project,
security_logging_object_rate=300)
self._vnc_lib.security_logging_object_create(slo_obj)
self.wait_to_get_object(config_db.SecurityLoggingObjectST,
slo_obj.get_fq_name_str())
np_rule1 = np.get_network_policy_entries().get_policy_rule()[0]
np_fqdn = np.get_fq_name_str()
np_rule1_uuid = np_rule1.get_rule_uuid()
slo_rule_entries = []
slo_rule_entries.append(SecurityLoggingObjectRuleEntryType(np_rule1_uuid,
rate=300))
slo_rule_entries.append(SecurityLoggingObjectRuleEntryType(sgr_uuid,
rate=300))
slo_obj = self._vnc_lib.security_logging_object_read(fq_name=slo_obj.get_fq_name())
slo_obj.add_network_policy(np, None)
sg_obj = self._vnc_lib.security_group_read(id=sg_obj.get_uuid())
slo_obj.add_security_group(sg_obj, None)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, np_fqdn, slo_rule_entries)
slo_obj.del_network_policy(np)
slo_obj.del_security_group(sg_obj)
self._vnc_lib.security_logging_object_update(slo_obj)
st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
self.check_rules_in_slo(st_slo, None, [])
# cleanup
self.delete_network_policy(np, auto_policy=True)
self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
self._vnc_lib.security_logging_object_delete(fq_name=slo_obj.get_fq_name())
# check if vn is deleted
self.check_vn_is_deleted(uuid=vn1.uuid)
def security_group_create(self, sg_name, project_fq_name):
project_obj = self._vnc_lib.project_read(project_fq_name)
sg_obj = SecurityGroup(name=sg_name, parent_obj=project_obj)
self._vnc_lib.security_group_create(sg_obj)
return sg_obj
def _update_security_groups(self, ns_name, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
# create default security group
sg_name = vnc_kube_config.get_default_sg_name(ns_name)
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg = SecurityGroupKM.locate(sg_obj.get_uuid())
return sg
def test_cannot_set_sg_id(self):
sg_obj = SecurityGroup('%s-sg' % self.id())
sg_obj.set_security_group_id(8000042)
with ExpectedException(PermissionDenied):
self.api.security_group_create(sg_obj)
