def delete_sg_rules(self, pod):
    """Purge a deleted pod from the rule lists of every KuryrNetPolicy CRD.

    For each CRD the current ``ingressSgRules``/``egressSgRules`` are handed
    to ``_parse_rules_on_delete_pod`` together with the pod's IP; whenever
    either direction reports a match the CRD is patched with the rule lists
    the helper returned.  Pods that never received an IP cannot be referenced
    by any rule, so nothing is touched for them.

    :param pod: Pod object (dict) as delivered by the K8s API.
    :returns: ``None`` when the pod has no IP, otherwise the ``podSelector``
              of every CRD whose *ingress* rules matched (egress-only matches
              are patched but not reported).
    """
    pod_name = pod['metadata']['name']
    LOG.debug("Deleting sg rule for pod: %s", pod_name)

    pod_ip = driver_utils.get_pod_ip(pod)
    if not pod_ip:
        LOG.debug("Skipping SG rule deletion as pod %s has no IP assigned",
                  pod_name)
        return None

    affected_selectors = []
    crd_items = driver_utils.get_kuryrnetpolicy_crds().get('items')
    for crd in crd_items:
        spec = crd['spec']
        selector = spec.get('podSelector')
        ingress_hit, ingress_rules = _parse_rules_on_delete_pod(
            spec.get('ingressSgRules'), "ingress", pod_ip)
        egress_hit, egress_rules = _parse_rules_on_delete_pod(
            spec.get('egressSgRules'), "egress", pod_ip)
        if not (ingress_hit or egress_hit):
            continue
        driver_utils.patch_kuryrnetworkpolicy_crd(
            crd, ingress_rules, egress_rules, selector)
        if ingress_hit:
            affected_selectors.append(selector)
    return affected_selectors
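def update_security_group_rules_from_network_policy(self, policy):
    """Reconcile the Neutron SG rules of an existing policy with its new spec.

    Runs on CRUD events for a network policy that already has a
    KuryrNetPolicy CRD.  The CRD's ``ingressSgRules``/``egressSgRules`` are
    the rules currently in Neutron, each carrying the Neutron rule ``id``
    under ``security_group_rule``; ``parse_network_policy_rules`` yields the
    rules the updated policy wants (assumed to carry no ``id`` yet -- they
    are built fresh from the spec and only get one from Neutron on creation;
    TODO confirm against that helper).

    Old and new rules are compared by value with the ``id`` stripped:

    * a rule on both sides keeps its Neutron rule; its ``id`` is copied onto
      the new rule object so the patched CRD keeps tracking it;
    * a rule only on the old side is deleted from Neutron (``NotFound`` is
      logged and ignored);
    * a rule only on the new side is created and tagged with the returned
      ``id``.

    The diff is computed *before* the ids are put back.  Restoring them
    first makes every old rule differ from every new one, so each update
    would delete and re-create all rules (a window with no rules at all),
    and with duplicate rules the same ``id`` was stamped on several objects,
    leaving a Neutron allow rule behind that the CRD no longer tracks and
    that can never be removed when the policy later drops it.  Pairing is
    one-to-one, so duplicates each keep their own Neutron rule.

    :param policy: NetworkPolicy object (dict) as delivered by the K8s API.
    :returns: the previous ``podSelector`` when the update changed it,
              otherwise ``False``.
    """
    crd = self.get_kuryrnetpolicy_crd(policy)
    crd_name = crd['metadata']['name']
    LOG.debug("Already existing CRD %s", crd_name)
    sg_id = crd['spec']['securityGroupId']

    # Rules currently recorded on the CRD; either list may be absent.
    existing_i_rules = crd['spec'].get('ingressSgRules') or []
    existing_e_rules = crd['spec'].get('egressSgRules') or []
    existing_sg_rules = existing_i_rules + existing_e_rules
    existing_pod_selector = crd['spec'].get('podSelector')

    # Rules the updated policy wants.  current_sg_rules holds the very same
    # dict objects as i_rules/e_rules, so ids assigned below land in the
    # lists that are written back to the CRD.
    i_rules, e_rules = self.parse_network_policy_rules(policy, sg_id)
    current_sg_rules = i_rules + e_rules

    # Strip the Neutron ids so both sides compare by value only.
    sgr_ids = [x['security_group_rule'].pop('id') for x in existing_sg_rules]

    # Pair every old rule with at most one equal new rule.  Matched new rules
    # leave rules_to_add; whatever remains there must be created in Neutron.
    rules_to_add = list(current_sg_rules)
    ids_to_delete = []
    for old_rule, sgr_id in zip(existing_sg_rules, sgr_ids):
        try:
            kept = rules_to_add.pop(rules_to_add.index(old_rule))
        except ValueError:
            # Not wanted by the updated policy any more.
            ids_to_delete.append(sgr_id)
            continue
        # Kept: the new rule object inherits the existing Neutron id; the
        # CRD's own copy gets its id back as well.
        kept['security_group_rule']['id'] = sgr_id
        old_rule['security_group_rule']['id'] = sgr_id

    # Delete SG rules that are no longer in the updated policy.
    for sgr_id in ids_to_delete:
        try:
            driver_utils.delete_security_group_rule(sgr_id)
        except n_exc.NotFound:
            LOG.debug('Trying to delete non existing sg_rule %s', sgr_id)

    # Create the rules that were not on the security group yet and record
    # the Neutron id on the rule object (it is still id-less when sent).
    for sg_rule in rules_to_add:
        sgr_id = driver_utils.create_security_group_rule(sg_rule)
        sg_rule['security_group_rule']['id'] = sgr_id

    # Annotate the CRD with the current policy and its (now id-tagged) rules.
    pod_selector = policy['spec'].get('podSelector')
    driver_utils.patch_kuryrnetworkpolicy_crd(crd, i_rules, e_rules,
                                              pod_selector,
                                              np_spec=policy['spec'])

    if existing_pod_selector != pod_selector:
        return existing_pod_selector
    return False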
def create_sg_rules(self, pod):
    """Add SG rule entries for a new pod to every matching KuryrNetPolicy CRD.

    Each CRD is run through ``_parse_rules`` for both directions with the
    pod; when either direction reports a match the CRD is patched with the
    rule lists the helper returned.

    :param pod: Pod object (dict) as delivered by the K8s API.
    :returns: the ``podSelector`` of every CRD whose *ingress* rules matched
              (egress-only matches are patched but not reported).
    """
    LOG.debug("Creating sg rule for pod: %s", pod['metadata']['name'])

    matched_selectors = []
    crd_items = driver_utils.get_kuryrnetpolicy_crds().get('items')
    for crd in crd_items:
        selector = crd['spec'].get('podSelector')
        ingress_hit, ingress_rules = _parse_rules('ingress', crd, pod=pod)
        egress_hit, egress_rules = _parse_rules('egress', crd, pod=pod)
        if not (ingress_hit or egress_hit):
            continue
        driver_utils.patch_kuryrnetworkpolicy_crd(
            crd, ingress_rules, egress_rules, selector)
        if ingress_hit:
            matched_selectors.append(selector)
    return matched_selectors
def create_namespace_sg_rules(self, namespace):
    """Refresh KuryrNetPolicy CRDs for a newly created namespace.

    The namespace is re-read from the K8s API by name before use
    (NOTE(review): why the passed-in object is not used directly is not
    visible here -- presumably to get the full, current object).  Every CRD
    is then run through ``_parse_rules`` for both directions with that
    namespace; CRDs reporting a match in either direction are patched with
    the returned rule lists.

    :param namespace: Namespace object (dict); only ``metadata.name`` is
                      read from it.
    :returns: None
    """
    k8s = clients.get_kubernetes_client()
    ns_name = namespace['metadata']['name']
    LOG.debug("Creating sg rule for namespace: %s", ns_name)

    ns_obj = k8s.get(
        '{}/namespaces/{}'.format(constants.K8S_API_BASE, ns_name))

    crd_items = driver_utils.get_kuryrnetpolicy_crds().get('items')
    for crd in crd_items:
        selector = crd['spec'].get('podSelector')
        ingress_hit, ingress_rules = _parse_rules(
            'ingress', crd, namespace=ns_obj)
        egress_hit, egress_rules = _parse_rules(
            'egress', crd, namespace=ns_obj)
        if ingress_hit or egress_hit:
            driver_utils.patch_kuryrnetworkpolicy_crd(
                crd, ingress_rules, egress_rules, selector)
def delete_namespace_sg_rules(self, namespace):
    """Purge a deleted namespace from the rule lists of every KuryrNetPolicy CRD.

    For each CRD the current ``ingressSgRules``/``egressSgRules`` are handed
    to ``_parse_rules_on_delete_namespace`` together with the namespace
    name; when either direction reports a match the CRD is patched with the
    rule lists the helper returned.

    :param namespace: Namespace object (dict); only ``metadata.name`` is
                      read from it.
    :returns: None
    """
    ns_name = namespace['metadata']['name']
    LOG.debug("Deleting sg rule for namespace: %s", ns_name)

    crd_items = driver_utils.get_kuryrnetpolicy_crds().get('items')
    for crd in crd_items:
        spec = crd['spec']
        selector = spec.get('podSelector')
        ingress_hit, ingress_rules = _parse_rules_on_delete_namespace(
            spec.get('ingressSgRules'), "ingress", ns_name)
        egress_hit, egress_rules = _parse_rules_on_delete_namespace(
            spec.get('egressSgRules'), "egress", ns_name)
        if not (ingress_hit or egress_hit):
            continue
        driver_utils.patch_kuryrnetworkpolicy_crd(
            crd, ingress_rules, egress_rules, selector)