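    def _create_svc_egress_sg_rule(self,
                                   policy_namespace,
                                   sg_rule_body_list,
                                   resource=None,
                                   port=None,
                                   protocol=None):
        """Append egress rules allowing traffic to Services' ClusterIPs.

        Egress towards an allowed destination is normally reached through a
        Service, so for every Service that fronts the destination an egress
        rule towards its ClusterIP is appended to ``sg_rule_body_list``
        (duplicates are not appended twice). The list is extended in place;
        nothing is returned.

        :param policy_namespace: namespace of the policy being translated;
            only consulted for ipBlock destinations.
        :param sg_rule_body_list: rule bodies collected so far, extended in
            place.
        :param resource: allowed destination. A pod (``self._is_pod``), an
            ipBlock dict carrying a ``'cidr'`` key, or otherwise a namespace
            (matched on ``resource['metadata']['name']``). ``None`` means no
            destination restriction, in which case one rule for the whole
            configured service subnet is added instead of per-Service rules.
        :param port: destination port for the rules, ``None`` for all.
        :param protocol: IP protocol for the rules, ``None`` for all.
        """
        if not resource:
            # Unrestricted destination: a single rule covering the service
            # subnet replaces the per-Service rules, so the Service listing
            # below is not needed at all.
            svc_subnet = utils.get_subnet_cidr(
                CONF.neutron_defaults.service_subnet)
            rule = driver_utils.create_security_group_rule_body(
                'egress', port, protocol=protocol, cidr=svc_subnet)
            if rule not in sg_rule_body_list:
                sg_rule_body_list.append(rule)
            return

        services = driver_utils.get_services()
        for service in services.get('items') or []:
            if service['metadata'].get('deletionTimestamp'):
                # A Service on its way out gets no rule; granting egress to
                # it would only have to be revoked right afterwards.
                continue

            # Resolve the address first: it is cheap and filters out the
            # Services the (possibly API-hitting) matching below could never
            # produce a rule for.
            cluster_ip = service['spec'].get('clusterIP')
            if not cluster_ip or cluster_ip == 'None':
                # Headless Services carry the literal string 'None' as their
                # ClusterIP, which is not a usable CIDR for a security group
                # rule; Services without any ClusterIP are skipped likewise.
                continue

            if self._is_pod(resource):
                # A Service fronts the destination pod only when its selector
                # matches the pod's labels. A pod without labels, or a
                # Service without a selector, never matches here, so no
                # egress is granted for that pair (fail closed).
                pod_labels = resource['metadata'].get('labels')
                svc_selector = service['spec'].get('selector')
                if not svc_selector or not pod_labels:
                    continue
                if not driver_utils.match_labels(svc_selector, pod_labels):
                    continue
            elif resource.get('cidr'):
                # NOTE(maysams) Accounts for traffic to pods under
                # a service matching an IPBlock rule.
                svc_namespace = service['metadata']['namespace']
                if svc_namespace != policy_namespace:
                    continue
                svc_selector = service['spec'].get('selector')
                # NOTE(review): a selector-less Service passes selector=None
                # to get_pods here; if that helper treats None as "all pods
                # in the namespace", such a Service would be considered to
                # front every pod in the block -- confirm against
                # driver_utils.get_pods.
                pods = driver_utils.get_pods({
                    'selector': svc_selector
                }, svc_namespace).get('items')
                if not self._pods_in_ip_block(pods, resource):
                    continue
            else:
                # Namespace destination: every Service living in that
                # namespace becomes reachable.
                ns_name = service['metadata']['namespace']
                if ns_name != resource['metadata']['name']:
                    continue

            rule = driver_utils.create_security_group_rule_body(
                'egress', port, protocol=protocol, cidr=cluster_ip)
            if rule not in sg_rule_body_list:
                sg_rule_body_list.append(rule)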
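    def _create_svc_egress_sg_rule(self,
                                   policy_namespace,
                                   sg_rule_body_list,
                                   resource=None,
                                   port=None,
                                   protocol=None):
        """Append egress rules allowing traffic to Services' ClusterIPs.

        Egress towards an allowed destination is normally reached through a
        Service, so for every Service that fronts the destination an egress
        rule towards its ClusterIP is appended to ``sg_rule_body_list``
        (duplicates are not appended twice). The list is extended in place;
        nothing is returned.

        Which Services "front" a destination depends on its kind:

        * pod: Services whose selector matches the pod's labels, or
          selector-less Services whose Endpoints contain the pod's IP;
        * ipBlock (a dict with a ``'cidr'`` key): selector-less Services in
          any namespace with Endpoints targets inside the block, and
          Services with a selector in ``policy_namespace`` whose pods are
          inside the block;
        * anything else is treated as a namespace and matches the Services
          living in ``resource['metadata']['name']``.

        Whenever a Service cannot be shown to front the destination, no rule
        is added for it (fail closed).

        :param policy_namespace: namespace of the policy being translated;
            only consulted for ipBlock destinations.
        :param sg_rule_body_list: rule bodies collected so far, extended in
            place.
        :param resource: allowed destination as described above; ``None``
            means no destination restriction, in which case one rule for the
            whole configured service subnet is added instead.
        :param port: destination port for the rules, ``None`` for all.
        :param protocol: IP protocol for the rules, ``None`` for all.
        """
        if not resource:
            # Unrestricted destination: a single rule covering the service
            # subnet replaces the per-Service rules, so the Service listing
            # below is not needed at all.
            svc_subnet = utils.get_subnet_cidr(
                CONF.neutron_defaults.service_subnet)
            rule = driver_utils.create_security_group_rule_body(
                'egress', port, protocol=protocol, cidr=svc_subnet)
            if rule not in sg_rule_body_list:
                sg_rule_body_list.append(rule)
            return

        # FIXME(dulek): We could probably filter by namespace here for pods
        #               and namespace resources?
        services = driver_utils.get_services()
        for service in services.get('items') or []:
            if service['metadata'].get('deletionTimestamp'):
                # A Service on its way out gets no rule; granting egress to
                # it would only have to be revoked right afterwards.
                continue

            cluster_ip = service['spec'].get('clusterIP')
            if not cluster_ip or cluster_ip == 'None':
                # Headless Services carry the literal string 'None' as their
                # ClusterIP, which is not a usable CIDR for a security group
                # rule; Services without any ClusterIP are skipped likewise.
                continue

            svc_name = service['metadata']['name']
            svc_namespace = service['metadata']['namespace']
            svc_selector = service['spec'].get('selector')

            if self._is_pod(resource):
                pod_labels = resource['metadata'].get('labels')
                if not svc_selector:
                    # Selector-less Service: it fronts the pod only if the
                    # pod's IP is one of its Endpoints targets. A pod with no
                    # IP yet cannot be a target, so it gets no rule either;
                    # previously it fell through and was granted egress to
                    # every selector-less Service in the cluster.
                    targets = driver_utils.get_endpoints_targets(
                        svc_name, svc_namespace)
                    pod_ip = resource.get('status', {}).get('podIP')
                    if not pod_ip or pod_ip not in targets:
                        continue
                elif not pod_labels or not driver_utils.match_labels(
                        svc_selector, pod_labels):
                    # A non-empty selector can never select a pod without
                    # labels; previously such pods fell through and were
                    # granted egress to every Service that has a selector.
                    continue
            elif resource.get('cidr'):
                # NOTE(maysams) Accounts for traffic to pods under
                # a service matching an IPBlock rule.
                if not svc_selector:
                    # Retrieving targets of services on any Namespace
                    targets = driver_utils.get_endpoints_targets(
                        svc_name, svc_namespace)
                    if (not targets or
                            not self._targets_in_ip_block(targets, resource)):
                        continue
                else:
                    # Selector-based Services are only considered within the
                    # policy's own namespace.
                    if svc_namespace != policy_namespace:
                        continue
                    pods = driver_utils.get_pods({
                        'selector': svc_selector
                    }, svc_namespace).get('items')
                    if not self._pods_in_ip_block(pods, resource):
                        continue
            else:
                # Namespace destination: every Service living in that
                # namespace becomes reachable.
                if svc_namespace != resource['metadata']['name']:
                    continue

            rule = driver_utils.create_security_group_rule_body(
                'egress', port, protocol=protocol, cidr=cluster_ip)
            if rule not in sg_rule_body_list:
                sg_rule_body_list.append(rule)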