def delete_namespace_sg_rules(self, namespace): ns_name = namespace['metadata']['name'] LOG.debug("Deleting SG rules for namespace: %s", ns_name) crd_selectors = [] knp_crds = driver_utils.get_kuryrnetworkpolicy_crds() for crd in knp_crds: crd_selector = crd['spec'].get('podSelector') ingress_rule_list = crd['spec'].get('ingressSgRules') egress_rule_list = crd['spec'].get('egressSgRules') i_matched = _parse_rules_on_delete_namespace( ingress_rule_list, "ingress", ns_name) e_matched = _parse_rules_on_delete_namespace( egress_rule_list, "egress", ns_name) if i_matched or e_matched: try: driver_utils.bump_networkpolicy(crd) except exceptions.K8sResourceNotFound: # The NP got deleted, ignore it. continue if i_matched: crd_selectors.append(crd_selector) return crd_selectors
def delete_sg_rules(self, pod): LOG.debug("Deleting SG rules for pod: %s", pod['metadata']['name']) pod_ip = driver_utils.get_pod_ip(pod) crd_pod_selectors = [] if not pod_ip: LOG.debug("Skipping SG rule deletion as pod %s has no IP assigned", pod['metadata']['name']) return crd_pod_selectors knp_crds = driver_utils.get_kuryrnetworkpolicy_crds() for crd in knp_crds: crd_selector = crd['spec'].get('podSelector') ingress_rule_list = crd['spec'].get('ingressSgRules') egress_rule_list = crd['spec'].get('egressSgRules') i_matched = _parse_rules_on_delete_pod(ingress_rule_list, "ingress", pod_ip) e_matched = _parse_rules_on_delete_pod(egress_rule_list, "egress", pod_ip) if i_matched or e_matched: try: driver_utils.bump_networkpolicy(crd) except exceptions.K8sResourceNotFound: # The NP got deleted, ignore it. continue if i_matched: crd_pod_selectors.append(crd_selector) return crd_pod_selectors
def _get_pod_sgs(pod): sg_list = [] pod_labels = pod['metadata'].get('labels') pod_namespace = pod['metadata']['namespace'] knp_crds = driver_utils.get_kuryrnetworkpolicy_crds( namespace=pod_namespace) for crd in knp_crds: pod_selector = crd['spec'].get('podSelector') if driver_utils.match_selector(pod_selector, pod_labels): sg_id = crd['status'].get('securityGroupId') if not sg_id: # NOTE(dulek): We could just assume KNP handler will apply it, # but it's possible that when it gets this pod it # will have no IP yet and will be skipped. LOG.warning('SG for NP %s not created yet, will retry.', utils.get_res_unique_name(crd)) raise exceptions.ResourceNotReady(pod) LOG.debug("Appending %s", crd['status']['securityGroupId']) sg_list.append(crd['status']['securityGroupId']) # NOTE(maysams) Pods that are not selected by any Networkpolicy # are fully accessible. Thus, the default security group is associated. if not sg_list: sg_list = config.CONF.neutron_defaults.pod_security_groups if not sg_list: raise cfg.RequiredOptError('pod_security_groups', cfg.OptGroup('neutron_defaults')) return sg_list[:]
def create_namespace_sg_rules(self, namespace): ns_name = namespace['metadata']['name'] LOG.debug("Creating SG rules for namespace: %s", ns_name) crd_selectors = [] knp_crds = driver_utils.get_kuryrnetworkpolicy_crds() nps = driver_utils.get_networkpolicies() pairs = driver_utils.zip_knp_np(knp_crds, nps) for crd, policy in pairs: crd_selector = crd['spec'].get('podSelector') spec = policy.get('spec') i_matched = _parse_rules('ingress', crd, spec, namespace=namespace) e_matched = _parse_rules('egress', crd, spec, namespace=namespace) if i_matched or e_matched: _bump_networkpolicy(crd) if i_matched: crd_selectors.append(crd_selector) return crd_selectors
def delete_namespace_sg_rules(self, namespace): ns_name = namespace['metadata']['name'] LOG.debug("Deleting SG rules for namespace: %s", ns_name) crd_selectors = [] knp_crds = driver_utils.get_kuryrnetworkpolicy_crds() for crd in knp_crds: crd_selector = crd['spec'].get('podSelector') ingress_rule_list = crd['spec'].get('ingressSgRules') egress_rule_list = crd['spec'].get('egressSgRules') i_matched = _parse_rules_on_delete_namespace( ingress_rule_list, "ingress", ns_name) e_matched = _parse_rules_on_delete_namespace( egress_rule_list, "egress", ns_name) if i_matched or e_matched: _bump_networkpolicy(crd) if i_matched: crd_selectors.append(crd_selector) return crd_selectors
def create_namespace_sg_rules(self, namespace): ns_name = namespace['metadata']['name'] LOG.debug("Creating SG rules for namespace: %s", ns_name) crd_selectors = [] knp_crds = driver_utils.get_kuryrnetworkpolicy_crds() nps = driver_utils.get_networkpolicies() pairs = driver_utils.zip_knp_np(knp_crds, nps) for crd, policy in pairs: crd_selector = crd['spec'].get('podSelector') spec = policy.get('spec') i_matched = _parse_rules('ingress', crd, spec, namespace=namespace) e_matched = _parse_rules('egress', crd, spec, namespace=namespace) if i_matched or e_matched: try: driver_utils.bump_networkpolicy(crd) except exceptions.K8sResourceNotFound: # The NP got deleted, ignore it. continue if i_matched: crd_selectors.append(crd_selector) return crd_selectors