def on_deleted(self, pod): if driver_utils.is_host_network(pod): return project_id = self._drv_project.get_project(pod) crd_pod_selectors = self._drv_sg.delete_sg_rules(pod) try: security_groups = self._drv_sg.get_security_groups(pod, project_id) except k_exc.ResourceNotReady: # NOTE(ltomasbo): If the namespace object gets deleted first the # namespace security group driver will raise a ResourceNotReady # exception as it cannot access anymore the kuryrnet CRD annotated # on the namespace object. In such case we set security groups to # empty list so that if pools are enabled they will be properly # released. security_groups = [] state = driver_utils.get_pod_state(pod) LOG.debug("Got VIFs from annotation: %r", state) if state: for ifname, vif in state.vifs.items(): self._drv_vif_pool.release_vif(pod, vif, project_id, security_groups) if (self._is_network_policy_enabled() and oslo_cfg.CONF.octavia_defaults.enforce_sg_rules): services = driver_utils.get_services() self._update_services(services, crd_pod_selectors, project_id)
def update_vif_sgs(self, pod, security_groups): os_net = clients.get_network_client() pod_state = utils.get_pod_state(pod) if pod_state: # NOTE(ltomasbo): It just updates the default_vif security group port_id = pod_state.vifs[constants.DEFAULT_IFNAME].id os_net.update_port(port_id, security_groups=list(security_groups))
def on_present(self, pod): if driver_utils.is_host_network(pod) or not self._is_pending_node(pod): # REVISIT(ivc): consider an additional configurable check that # would allow skipping pods to enable heterogeneous environments # where certain pods/namespaces/nodes can be managed by other # networking solutions/CNI drivers. return state = driver_utils.get_pod_state(pod) LOG.debug("Got VIFs from annotation: %r", state) project_id = self._drv_project.get_project(pod) if not state: security_groups = self._drv_sg.get_security_groups(pod, project_id) subnets = self._drv_subnets.get_subnets(pod, project_id) # Request the default interface of pod main_vif = self._drv_vif_pool.request_vif(pod, project_id, subnets, security_groups) state = objects.vif.PodState(default_vif=main_vif) # Request the additional interfaces from multiple dirvers additional_vifs = [] for driver in self._drv_multi_vif: additional_vifs.extend( driver.request_additional_vifs(pod, project_id, security_groups)) if additional_vifs: state.additional_vifs = {} for i, vif in enumerate(additional_vifs, start=1): k = constants.ADDITIONAL_IFNAME_PREFIX + str(i) state.additional_vifs[k] = vif try: self._set_pod_state(pod, state) except k_exc.K8sClientException as ex: LOG.debug("Failed to set annotation: %s", ex) # FIXME(ivc): improve granularity of K8sClient exceptions: # only resourceVersion conflict should be ignored for ifname, vif in state.vifs.items(): self._drv_vif_pool.release_vif(pod, vif, project_id, security_groups) else: changed = False try: for ifname, vif in state.vifs.items(): if vif.plugin == constants.KURYR_VIF_TYPE_SRIOV: driver_utils.update_port_pci_info(pod, vif) if not vif.active: self._drv_vif_pool.activate_vif(pod, vif) changed = True finally: if changed: self._set_pod_state(pod, state) if self._is_network_policy_enabled(): crd_pod_selectors = self._drv_sg.create_sg_rules(pod) if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules: services = driver_utils.get_services() self._update_services(services, crd_pod_selectors, project_id)
def update_vif_sgs(self, pod, security_groups): neutron = clients.get_neutron_client() pod_state = utils.get_pod_state(pod) # NOTE(ltomasbo): It just updates the default_vif security group port_id = pod_state.vifs[constants.DEFAULT_IFNAME].id neutron.update_port( port_id, {"port": { 'security_groups': list(security_groups) }})
def on_deleted(self, pod): if (driver_utils.is_host_network(pod) or not pod['spec'].get('nodeName')): return project_id = self._drv_project.get_project(pod) try: crd_pod_selectors = self._drv_sg.delete_sg_rules(pod) except k_exc.ResourceNotReady: # NOTE(ltomasbo): If the pod is being deleted before # kuryr-controller annotated any information about the port # associated, there is no need for deleting sg rules associated to # it. So this exception could be safetly ignored for the current # sg drivers. Only the NP driver associates rules to the pods ips, # and that waits for annotations to start. LOG.debug( "Pod was not yet annotated by Kuryr-controller. " "Skipping SG rules deletion associated to the pod %s", pod) crd_pod_selectors = [] try: security_groups = self._drv_sg.get_security_groups(pod, project_id) except k_exc.ResourceNotReady: # NOTE(ltomasbo): If the namespace object gets deleted first the # namespace security group driver will raise a ResourceNotReady # exception as it cannot access anymore the kuryrnet CRD annotated # on the namespace object. In such case we set security groups to # empty list so that if pools are enabled they will be properly # released. security_groups = [] state = driver_utils.get_pod_state(pod) LOG.debug("Got VIFs from annotation: %r", state) if state: for ifname, vif in state.vifs.items(): self._drv_vif_pool.release_vif(pod, vif, project_id, security_groups) if (self._is_network_policy_enabled() and crd_pod_selectors and oslo_cfg.CONF.octavia_defaults.enforce_sg_rules): services = driver_utils.get_services() self._update_services(services, crd_pod_selectors, project_id)
def on_present(self, pod): if (driver_utils.is_host_network(pod) or not self._is_pod_scheduled(pod)): # REVISIT(ivc): consider an additional configurable check that # would allow skipping pods to enable heterogeneous environments # where certain pods/namespaces/nodes can be managed by other # networking solutions/CNI drivers. return state = driver_utils.get_pod_state(pod) LOG.debug("Got VIFs from annotation: %r", state) project_id = self._drv_project.get_project(pod) security_groups = self._drv_sg.get_security_groups(pod, project_id) if not state: try: subnets = self._drv_subnets.get_subnets(pod, project_id) except (os_exc.ResourceNotFound, k_exc.K8sResourceNotFound): LOG.warning("Subnet does not exists. If namespace driver is " "used, probably the namespace for the pod is " "already deleted. So this pod does not need to " "get a port as it will be deleted too. If the " "default subnet driver is used, then you must " "select an existing subnet to be used by Kuryr.") return # Request the default interface of pod main_vif = self._drv_vif_pool.request_vif(pod, project_id, subnets, security_groups) if not main_vif: pod_name = pod['metadata']['name'] LOG.warning( "Ignoring event due to pod %s not being " "scheduled yet.", pod_name) return state = objects.vif.PodState(default_vif=main_vif) # Request the additional interfaces from multiple dirvers additional_vifs = [] for driver in self._drv_multi_vif: additional_vifs.extend( driver.request_additional_vifs(pod, project_id, security_groups)) if additional_vifs: state.additional_vifs = {} for i, vif in enumerate(additional_vifs, start=1): k = (oslo_cfg.CONF.kubernetes.additional_ifname_prefix + str(i)) state.additional_vifs[k] = vif try: self._set_pod_state(pod, state) except k_exc.K8sClientException as ex: LOG.debug("Failed to set annotation: %s", ex) # FIXME(ivc): improve granularity of K8sClient exceptions: # only resourceVersion conflict should be ignored for ifname, vif in state.vifs.items(): self._drv_vif_pool.release_vif(pod, vif, project_id, security_groups) else: changed = False try: for ifname, vif in state.vifs.items(): if vif.plugin == constants.KURYR_VIF_TYPE_SRIOV: driver_utils.update_port_pci_info(pod, vif) if not vif.active: try: self._drv_vif_pool.activate_vif(pod, vif) changed = True except n_exc.PortNotFoundClient: LOG.debug("Port not found, possibly already " "deleted. No need to activate it") finally: if changed: try: self._set_pod_state(pod, state) except k_exc.K8sResourceNotFound as ex: LOG.exception("Failed to set annotation: %s", ex) for ifname, vif in state.vifs.items(): self._drv_vif_pool.release_vif( pod, vif, project_id, security_groups) except k_exc.K8sClientException: pod_name = pod['metadata']['name'] raise k_exc.ResourceNotReady(pod_name) if self._is_network_policy_enabled(): crd_pod_selectors = self._drv_sg.create_sg_rules(pod) if oslo_cfg.CONF.octavia_defaults.enforce_sg_rules: services = driver_utils.get_services() self._update_services(services, crd_pod_selectors, project_id)