def on_present(self, kuryrnet_crd): ns_name = kuryrnet_crd['spec']['nsName'] project_id = kuryrnet_crd['spec']['projectId'] kns_status = kuryrnet_crd.get('status', {}) crd_creation = False net_id = kns_status.get('netId') if not net_id: net_id = self._drv_subnets.create_network(ns_name, project_id) status = {'netId': net_id} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) crd_creation = True subnet_id = kns_status.get('subnetId') if not subnet_id or crd_creation: subnet_id, subnet_cidr = self._drv_subnets.create_subnet( ns_name, project_id, net_id) status = {'subnetId': subnet_id, 'subnetCIDR': subnet_cidr} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) crd_creation = True if not kns_status.get('routerId') or crd_creation: router_id = self._drv_subnets.add_subnet_to_router(subnet_id) status = {'routerId': router_id, 'populated': False} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) crd_creation = True # check labels to create sg rules ns_labels = kns_status.get('nsLabels', {}) if (crd_creation or ns_labels != kuryrnet_crd['spec']['nsLabels']): # update SG and svc SGs namespace = driver_utils.get_namespace(ns_name) crd_selectors = self._drv_sg.update_namespace_sg_rules(namespace) if (self._is_network_policy_enabled() and crd_selectors and oslo_cfg.CONF.octavia_defaults.enforce_sg_rules): services = driver_utils.get_services() self._update_services(services, crd_selectors, project_id) # update status status = {'nsLabels': kuryrnet_crd['spec']['nsLabels']} self._patch_kuryrnetwork_crd(kuryrnet_crd, status, labels=True)
def _create_sg_rule_on_text_port(sg_id, direction, port, rule_selected_pods, crd_rules, matched, crd, allow_all=False, namespace=None): matched_pods = {} spec_pod_selector = crd['spec'].get('podSelector') policy_namespace = crd['metadata']['namespace'] spec_pods = driver_utils.get_pods(spec_pod_selector, policy_namespace).get('items') if direction == 'ingress': for spec_pod in spec_pods: container_ports = driver_utils.get_ports(spec_pod, port) for rule_selected_pod in rule_selected_pods: matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) elif direction == 'egress': for rule_selected_pod in rule_selected_pods: pod_label = rule_selected_pod['metadata'].get('labels') pod_ns = rule_selected_pod['metadata'].get('namespace') # NOTE(maysams) Do not allow egress traffic to the actual # set of pods the NP is enforced on. if (driver_utils.match_selector(spec_pod_selector, pod_label) and policy_namespace == pod_ns): continue container_ports = driver_utils.get_ports(rule_selected_pod, port) matched = _create_sg_rules_with_container_ports( matched_pods, container_ports, allow_all, namespace, matched, crd_rules, sg_id, direction, port, rule_selected_pod) for container_port, pods in matched_pods.items(): if allow_all: sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), pods=pods) else: namespace_obj = driver_utils.get_namespace(namespace) if not namespace_obj: LOG.debug("Skipping SG rule creation. Inexistent" " namespace.") continue namespace_cidr = driver_utils.get_namespace_subnet_cidr( namespace_obj) sg_rule = driver_utils.create_security_group_rule_body( sg_id, direction, container_port, protocol=port.get('protocol'), cidr=namespace_cidr, pods=pods) sgr_id = driver_utils.create_security_group_rule(sg_rule) sg_rule['security_group_rule']['id'] = sgr_id if sg_rule not in crd_rules: crd_rules.append(sg_rule) return matched
def on_present(self, kuryrnet_crd, *args, **kwargs): ns_name = kuryrnet_crd['spec']['nsName'] project_id = kuryrnet_crd['spec']['projectId'] kns_status = kuryrnet_crd.get('status', {}) namespace = driver_utils.get_namespace(ns_name) crd_creation = False net_id = kns_status.get('netId') if not net_id: try: net_id = self._drv_subnets.create_network(namespace, project_id) except os_exc.SDKException as ex: self.k8s.add_event(kuryrnet_crd, 'CreateNetworkFailed', f'Error during creating Neutron network: ' f'{ex.details}', 'Warning') raise status = {'netId': net_id} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) self.k8s.add_event(kuryrnet_crd, 'CreateNetworkSucceed', f'Neutron network {net_id} for namespace') crd_creation = True subnet_id = kns_status.get('subnetId') if not subnet_id or crd_creation: try: subnet_id, subnet_cidr = self._drv_subnets.create_subnet( namespace, project_id, net_id) except os_exc.ConflictException as ex: self.k8s.add_event(kuryrnet_crd, 'CreateSubnetFailed', f'Error during creating Neutron subnet ' f'for network {net_id}: {ex.details}', 'Warning') raise status = {'subnetId': subnet_id, 'subnetCIDR': subnet_cidr} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) self.k8s.add_event(kuryrnet_crd, 'CreateSubnetSucceed', f'Neutron subnet {subnet_id} for network ' f'{net_id}') crd_creation = True if not kns_status.get('routerId') or crd_creation: try: router_id = self._drv_subnets.add_subnet_to_router(subnet_id) except os_exc.SDKException as ex: self.k8s.add_event(kuryrnet_crd, 'AddingSubnetToRouterFailed', f'Error adding Neutron subnet {subnet_id} ' f'to router {router_id}: {ex.details}', 'Warning') raise status = {'routerId': router_id, 'populated': False} self._patch_kuryrnetwork_crd(kuryrnet_crd, status) self.k8s.add_event(kuryrnet_crd, 'AddingSubnetToRouterSucceed', f'Neutron subnet {subnet_id} added to router ' f'{router_id}') crd_creation = True # check labels to create sg rules ns_labels = kns_status.get('nsLabels', {}) if (crd_creation or ns_labels != kuryrnet_crd['spec']['nsLabels']): # update SG and svc SGs crd_selectors = self._drv_sg.update_namespace_sg_rules(namespace) if (driver_utils.is_network_policy_enabled() and crd_selectors and oslo_cfg.CONF.octavia_defaults.enforce_sg_rules): services = driver_utils.get_services() self._update_services(services, crd_selectors, project_id) # update status status = {'nsLabels': kuryrnet_crd['spec']['nsLabels']} self._patch_kuryrnetwork_crd(kuryrnet_crd, status, labels=True) self.k8s.add_event(kuryrnet_crd, 'SGUpdateTriggered', 'Neutron security groups update has been ' 'triggered')