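    def add_namespace_security_policy(self, k8s_namespace_uuid):
        """
        Create the default-allow firewall rules for a namespace.

        Looks up the namespace by its Kubernetes uuid, records the namespace
        label for it in the label cache and, for each traffic direction that
        has no rule yet, creates an allow-all firewall rule keyed on that
        label and attaches it to the "global allow" firewall policy. The rule
        uuids are stored back on the namespace object, so a repeat call skips
        the directions that already have a rule (the label append is not
        guarded and runs on every call).

        NOTE(review): these rules are the permissive default for the whole
        namespace; more specific network-policy rules are presumably ordered
        ahead of the global allow policy so they take precedence — confirm
        against the policy ordering.

        Args:
            k8s_namespace_uuid: uuid of the Kubernetes namespace.

        Returns:
            None. Returns early, with no side effects, when the namespace is
            not known to this manager.
        """
        ns = self._get_namespace(k8s_namespace_uuid)
        if not ns:
            return

        # Every rule below selects on the same namespace label; look it up
        # once instead of once per call site.
        ns_label = self._labels.get_namespace_label(ns.name)

        # Add custom namespace label on the namespace object.
        self._labels.append(k8s_namespace_uuid, ns_label)

        if not ns.firewall_ingress_allow_rule_uuid:
            ingress_rule_name = self._get_namespace_firewall_ingress_rule_name(
                ns.name)

            # Create a rule for default allow behavior into this namespace.
            ns.firewall_ingress_allow_rule_uuid = (
                VncSecurityPolicy.create_firewall_rule_allow_all(
                    ingress_rule_name, ns_label))

            # Add default allow rule to the "global allow" firewall policy.
            VncSecurityPolicy.add_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid,
                ns.firewall_ingress_allow_rule_uuid)

        if not ns.firewall_egress_allow_rule_uuid:
            egress_rule_name = self._get_namespace_firewall_egress_rule_name(
                ns.name)

            # Create a rule for default allow behavior out of this namespace.
            # The namespace label sits in the third positional slot here and
            # the second for ingress; the first label slot is left empty ({})
            # — NOTE(review): confirm the slot meaning against the signature
            # of create_firewall_rule_allow_all.
            ns.firewall_egress_allow_rule_uuid = (
                VncSecurityPolicy.create_firewall_rule_allow_all(
                    egress_rule_name, {}, ns_label))

            # Add default egress allow rule to the "global allow" firewall policy.
            VncSecurityPolicy.add_firewall_rule(
                VncSecurityPolicy.allow_all_fw_policy_uuid,
                ns.firewall_egress_allow_rule_uuid)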
    def add_namespace_security_policy(self, k8s_namespace_uuid):
        """
        Create the default-allow firewall rules for a namespace.

        Attaches the namespace label to the namespace object and, for each
        traffic direction (ingress, egress) that does not yet carry a rule
        uuid, creates an allow-all firewall rule keyed on that label and
        registers it on the "global allow" firewall policy.

        Args:
            k8s_namespace_uuid: uuid of the Kubernetes namespace.

        Returns:
            None. Does nothing when the namespace uuid is not known.
        """
        namespace = self._get_namespace(k8s_namespace_uuid)
        if not namespace:
            return

        ns_name = namespace.name
        label_cache = self._labels
        policy = VncSecurityPolicy

        # Add custom namespace label on the namespace object.
        label_cache.append(k8s_namespace_uuid,
                           label_cache.get_namespace_label(ns_name))

        if not namespace.firewall_ingress_allow_rule_uuid:
            in_rule_name = self._get_namespace_firewall_ingress_rule_name(ns_name)

            # Default allow rule for traffic into this namespace.
            namespace.firewall_ingress_allow_rule_uuid = (
                policy.create_firewall_rule_allow_all(
                    in_rule_name,
                    label_cache.get_namespace_label(ns_name)))

            # Register the rule on the "global allow" firewall policy.
            policy.add_firewall_rule(policy.allow_all_fw_policy_uuid,
                                     namespace.firewall_ingress_allow_rule_uuid)

        if not namespace.firewall_egress_allow_rule_uuid:
            out_rule_name = self._get_namespace_firewall_egress_rule_name(ns_name)

            # Default allow rule for traffic out of this namespace; the first
            # label slot is left empty, the namespace label goes in the second.
            namespace.firewall_egress_allow_rule_uuid = (
                policy.create_firewall_rule_allow_all(
                    out_rule_name, {},
                    label_cache.get_namespace_label(ns_name)))

            # Register the rule on the "global allow" firewall policy.
            policy.add_firewall_rule(policy.allow_all_fw_policy_uuid,
                                     namespace.firewall_egress_allow_rule_uuid)
    def add_ingress_to_service_rule(cls, ns_name, ingress_name, service_name):
        """
        Add an ingress-to-service allow rule to the ingress firewall policy.

        Builds an allow-all firewall rule between the labels of the named
        ingress and the named service and attaches it to the ingress-service
        firewall policy (VncSecurityPolicy.ingress_svc_fw_policy_uuid).

        Args:
            ns_name: namespace of the ingress.
            ingress_name: name of the ingress resource.
            service_name: name of the backend service.

        Returns:
            The uuid of the created firewall rule, or None when no
            ingress-service firewall policy uuid is set — in that case nothing
            is created.
        """
        if not VncSecurityPolicy.ingress_svc_fw_policy_uuid:
            # No policy to attach the rule to; callers get None back.
            return None

        ingress_label_name = cls.get_ingress_label_name(ns_name, ingress_name)
        src_labels = XLabelCache.get_ingress_label(ingress_label_name)
        dst_labels = XLabelCache.get_service_label(service_name)

        rule_name = VncIngress._get_ingress_firewall_rule_name(
            ns_name, ingress_name, service_name)

        # Label order follows the callee's positional signature: service
        # labels first, ingress labels second.
        rule_uuid = VncSecurityPolicy.create_firewall_rule_allow_all(
            rule_name, dst_labels, src_labels)

        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.ingress_svc_fw_policy_uuid, rule_uuid)

        return rule_uuid