def _create_all_nodes_pods_nsgroup(nsxt_client): nsgroup_manager = NSGroupManager(nsxt_client) ip_set_manager = IPSetManager(nsxt_client) nsgroup = nsgroup_manager.get_nsgroup(name=ALL_NODES_PODS_NSGROUP_NAME) if not nsgroup: all_nodes_ip_set_id = ip_set_manager.get_ip_set( name=ALL_NODES_IP_SET_NAME)['id'] all_pods_ip_set_id = ip_set_manager.get_ip_set( name=ALL_PODS_IP_SET_NAME)['id'] nsxt_client.LOGGER.debug(f"Creating NSGroup : " f"{ALL_NODES_PODS_NSGROUP_NAME}") nsgroup = nsgroup_manager.create_nsgroup_from_ipsets( name=ALL_NODES_PODS_NSGROUP_NAME, ipset_ids=[all_nodes_ip_set_id, all_pods_ip_set_id]) else: nsxt_client.LOGGER.debug( f"NSGroup : {ALL_NODES_PODS_NSGROUP_NAME} already exists.")
def isolate_cluster(self, cluster_name, cluster_id): """Isolate a PKS cluster's network. :param str cluster_name: name of the cluster whose network needs isolation. :param str cluster_id: id of the cluster whose network needs isolation. Cluster id is used to identify the tagged logical switch and ports powering the T1 routers of the cluster. """ n_id, p_id, np_id = self._create_nsgroups_for_cluster( cluster_name, cluster_id) sec_id = self._create_firewall_section_for_cluster( cluster_name, np_id).get('id') nsgroup_manager = NSGroupManager(self._nsxt_client) anp_id = \ nsgroup_manager.get_nsgroup(ALL_NODES_PODS_NSGROUP_NAME).get('id') self._create_firewall_rules_for_cluster(sec_id, n_id, p_id, np_id, anp_id)
def _create_nsgroup_for_cluster_nodes_and_pods(self, cluster_name, nodes_nsgroup_id, pods_nsgroup_id): """Create NSGroup for all nodes and pods in a cluster. If NSGroup already exists, delete it and re-create it. Since this group is based on cluster name, it possible that a previously deployed cluster on deletion failed to cleanup it's NSGroups, we shouldn't re-use that group rather create it afresh with the proper member NSGroups ids. :param str cluster_name: name of the cluster whose network is being isolated. :param str nodes_nsgroup_id: :param str pods_nsgroup_id: :return: NSGroup containing all the nodes and pods in the cluster, as a JSON dictionary. :rtype: dict """ name = self._get_nodes_pods_nsgroup_name(cluster_name) nsgroup_manager = NSGroupManager(self._nsxt_client) nodes_pods_nsgroup = nsgroup_manager.get_nsgroup(name) if nodes_pods_nsgroup: self._nsxt_client.LOGGER.debug(f"NSGroup : {name} already exists.") nsgroup_manager.delete_nsgroup(name, force=True) self._nsxt_client.LOGGER.debug(f"Deleted NSGroup : {name}.") member1 = {} member1['resource_type'] = "NSGroupSimpleExpression" member1['target_type'] = "NSGroup" member1['target_property'] = "id" member1['op'] = "EQUALS" member1['value'] = nodes_nsgroup_id member2 = {} member2['resource_type'] = "NSGroupSimpleExpression" member2['target_type'] = "NSGroup" member2['target_property'] = "id" member2['op'] = "EQUALS" member2['value'] = pods_nsgroup_id members = [member1, member2] self._nsxt_client.LOGGER.debug(f"Creating NSGroup : {name}.") nodes_pods_nsgroup = nsgroup_manager.create_nsgroup(name, members=members) return nodes_pods_nsgroup
def remove_cluster_isolation(self, cluster_name): """Revert isolation of a PKS cluster's network. :param str cluster_name: name of the cluster whose network isolation needs to be reverted. """ firewall_section_name = \ self._get_firewall_section_name_for_cluster(cluster_name) nodes_nsgroup_name = self._get_nodes_nsgroup_name(cluster_name) pods_nsgroup_name = self._get_pods_nsgroup_name(cluster_name) nodes_pods_nsgroup_name = \ self._get_nodes_pods_nsgroup_name(cluster_name) dfw_manager = DFWManager(self._nsxt_client) nsgroup_manager = NSGroupManager(self._nsxt_client) dfw_manager.delete_firewall_section(firewall_section_name, cascade=True) nsgroup_manager.delete_nsgroup(nodes_pods_nsgroup_name, force=True) nsgroup_manager.delete_nsgroup(nodes_nsgroup_name, force=True) nsgroup_manager.delete_nsgroup(pods_nsgroup_name, force=True)
def _create_nsgroup_for_cluster_nodes(self, cluster_name, cluster_id): """Create NSGroup for all nodes in the cluster. If NSGroup already exists, delete it and re-create it. Since this group is based on cluster name, it possible that a previously deployed cluster on deletion failed to cleanup it's NSGroups, we shouldn't re-use that group rather create it afresh with the proper cluster id tag based membership criteria. :param str cluster_name: name of the cluster whose network is being isolated. :param str cluster_id: id of the cluster whose network is being isolated. :return: NSGroup containing all the nodes in the cluster, as a JSON dictionary. :rtype: dict """ name = self._get_nodes_nsgroup_name(cluster_name) nsgroup_manager = NSGroupManager(self._nsxt_client) nodes_nsgroup = nsgroup_manager.get_nsgroup(name) if nodes_nsgroup: self._nsxt_client.LOGGER.debug(f"NSGroup : {name} already exists.") nsgroup_manager.delete_nsgroup(name, force=True) self._nsxt_client.LOGGER.debug(f"Deleted NSGroup : {name}.") criteria = {} criteria['resource_type'] = "NSGroupComplexExpression" expression1 = {} expression1['resource_type'] = "NSGroupTagExpression" expression1['target_type'] = "LogicalSwitch" expression1['scope'] = "pks/cluster" expression1['tag'] = str(cluster_id) expression2 = { 'resource_type': "NSGroupTagExpression", 'target_type': "LogicalSwitch", 'scope': "pks/floating_ip" } criteria['expressions'] = [expression1, expression2] self._nsxt_client.LOGGER.debug(f"Creating NSGroup : {name}.") nodes_nsgroup = nsgroup_manager.create_nsgroup( name, membership_criteria=[criteria]) return nodes_nsgroup
def _create_nsgroup_for_cluster_pods(self, cluster_name, cluster_id): """Create NSGroup for all pods in a cluster. If NSGroup already exists, delete it and re-create it. Since this group is based on cluster name, it possible that a previously deployed cluster on deletion failed to cleanup it's NSGroups, we shouldn't re-use that group rather create it afresh with the proper cluster id tag based membership criteria. :param str cluster_name: name of the cluster whose network is being isolated. :param str cluster_id: id of the cluster whose network is being isolated. :return: NSGroup containing all the pods in the cluster, as a JSON dictionary. :rtype: dict """ name = self._get_pods_nsgroup_name(cluster_name) nsgroup_manager = NSGroupManager(self._nsxt_client) pods_nsgroup = nsgroup_manager.get_nsgroup(name) if pods_nsgroup: self._nsxt_client.LOGGER.debug(f"NSGroup : {name} already exists.") nsgroup_manager.delete_nsgroup(name, force=True) self._nsxt_client.LOGGER.debug(f"Deleted NSGroup : {name}.") criteria = {} criteria['resource_type'] = "NSGroupTagExpression" criteria['target_type'] = "LogicalPort" criteria['scope'] = "ncp/cluster" criteria['tag'] = f"pks-{cluster_id}" self._nsxt_client.LOGGER.debug(f"Creating NSGroup : {name}.") pods_nsgroup = nsgroup_manager.create_nsgroup( name, membership_criteria=[criteria]) return pods_nsgroup