def _delete_virtual_network(self, ns_name, vn_name):
"""
Delete the virtual network associated with this namespace.
"""
# First lookup the cache for the entry.
vn = VirtualNetworkKM.find_by_name_or_uuid(vn_name)
if not vn:
return
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
try:
vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.fq_name)
# Delete/cleanup ipams allocated for this network.
ipam_refs = vn_obj.get_network_ipam_refs()
if ipam_refs:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
for ipam in ipam_refs:
ipam_obj = NetworkIpam(
name=ipam['to'][-1], parent_obj=proj_obj)
vn_obj.del_network_ipam(ipam_obj)
self._vnc_lib.virtual_network_update(vn_obj)
except RefsExistError as e:
# Delete of custom network when it is still in use is not
# supported yet. Log deletion attempt and return without deleting VN
self._logger.error("%s: Cannot delete Network %s . %s"
% (self._name, vn_name, str(e)))
return
except NoIdError:
pass
# Delete the network.
self._vnc_lib.virtual_network_delete(id=vn.uuid)
# Delete the network from cache.
VirtualNetworkKM.delete(vn.uuid)
def _delete_virtual_network(self, ns_name, vn_name):
"""
Delete the virtual network associated with this namespace.
"""
# First lookup the cache for the entry.
vn = VirtualNetworkKM.find_by_name_or_uuid(vn_name)
if not vn:
return
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
try:
vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.fq_name)
# Delete/cleanup ipams allocated for this network.
ipam_refs = vn_obj.get_network_ipam_refs()
if ipam_refs:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
for ipam in ipam_refs:
ipam_obj = NetworkIpam(name=ipam['to'][-1],
parent_obj=proj_obj)
vn_obj.del_network_ipam(ipam_obj)
self._vnc_lib.virtual_network_update(vn_obj)
except NoIdError:
pass
# Delete the network.
self._vnc_lib.virtual_network_delete(id=vn.uuid)
# Delete the network from cache.
VirtualNetworkKM.delete(vn.uuid)
def _get_loadbalancer_id_or_none(self, service_name, service_namespace):
"""
Get ID of loadbalancer given service name and namespace.
Return None if loadbalancer for the given service does not exist.
"""
service_info = self._kube.get_resource('service', service_name,
service_namespace)
if service_info is None or 'metadata' not in service_info:
return None
service_uid = service_info['metadata'].get('uid')
if not service_uid:
return None
lb_name = VncCommon.make_name(service_name, service_uid)
project_fq_name = vnc_kube_config.cluster_project_fq_name(
service_namespace)
lb_fq_name = project_fq_name + [lb_name]
try:
loadbalancer = self._vnc_lib.loadbalancer_read(fq_name=lb_fq_name)
except NoIdError:
return None
if loadbalancer is None:
return None
return loadbalancer.uuid
def _get_linklocal_entry_name(name, k8s_ns):
if not k8s_ns:
project_fq_name = vnc_kube_config.cluster_default_project_fq_name()
else:
project_fq_name = vnc_kube_config.cluster_project_fq_name(k8s_ns)
ll_name = project_fq_name + [name]
return "-".join(ll_name)
def _delete_virtual_network(self, ns_name, vn_name):
"""
Delete the virtual network associated with this namespace.
"""
# First lookup the cache for the entry.
vn = VirtualNetworkKM.find_by_name_or_uuid(vn_name)
if not vn:
return
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
try:
vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.fq_name)
# Delete/cleanup ipams allocated for this network.
ipam_refs = vn_obj.get_network_ipam_refs()
if ipam_refs:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
for ipam in ipam_refs:
ipam_obj = NetworkIpam(
name=ipam['to'][-1], parent_obj=proj_obj)
vn_obj.del_network_ipam(ipam_obj)
self._vnc_lib.virtual_network_update(vn_obj)
except NoIdError:
pass
# Delete the network.
self._vnc_lib.virtual_network_delete(id=vn.uuid)
# Delete the network from cache.
VirtualNetworkKM.delete(vn.uuid)
def _delete_virtual_network(self, ns_name, vn_name):
"""
Delete the virtual network associated with this namespace.
"""
# First lookup the cache for the entry.
vn = VirtualNetworkKM.find_by_name_or_uuid(vn_name)
if not vn:
return
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
try:
vn_obj = self._vnc_lib.virtual_network_read(fq_name=vn.fq_name)
# Delete/cleanup ipams allocated for this network.
ipam_refs = vn_obj.get_network_ipam_refs()
if ipam_refs:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
for ipam in ipam_refs:
ipam_obj = NetworkIpam(
name=ipam['to'][-1], parent_obj=proj_obj)
vn_obj.del_network_ipam(ipam_obj)
self._vnc_lib.virtual_network_update(vn_obj)
except RefsExistError as e:
# Delete of custom network when it is still in use is not
# supported yet. Log deletion attempt and return without deleting VN
self._logger.error("%s: Cannot delete Network %s . %s"
%(self._name, vn_name, str(e)))
return
except NoIdError:
pass
# Delete the network.
self._vnc_lib.virtual_network_delete(id=vn.uuid)
# Delete the network from cache.
VirtualNetworkKM.delete(vn.uuid)
def _get_ns_address_list(self, np_sg_uuid, labels=None):
address_list = []
if not labels:
ns_uuid_list = list(NamespaceKM.keys())
labels = self._get_ns_allow_all_label()
else:
ns_uuid_set = self._find_namespaces(labels)
ns_uuid_list = list(ns_uuid_set)
for ns_uuid in ns_uuid_list or []:
address = {}
ns = NamespaceKM.get(ns_uuid)
if not ns:
continue
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns.name)
ns_sg_fq_name = proj_fq_name[:]
ns_sg = "-".join([vnc_kube_config.cluster_name(), ns.name, 'sg'])
ns_sg_fq_name.append(ns_sg)
address['security_group'] = ns_sg_fq_name
address['ns_selector'] = labels
if ns_sg in self._default_ns_sgs[ns.name]:
address['ns_sg_uuid'] = self._default_ns_sgs[ns.name][ns_sg]
address_list.append(address)
for label in list(labels.items()):
key = self._label_cache._get_key(label)
self._label_cache._locate_label(key, self._ingress_ns_label_cache,
label, np_sg_uuid)
return address_list
def vnc_namespace_delete(self, namespace_id, name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
project_uuid = ProjectKM.get_fq_name_to_uuid(proj_fq_name)
if not project_uuid:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
project = ProjectKM.get(project_uuid)
if not project:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
try:
# If the namespace is isolated, delete its virtual network.
if self._is_namespace_isolated(name):
self._delete_policy(name, proj_fq_name)
vn_name = self._get_namespace_pod_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear pod network info from namespace entry.
self._set_namespace_pod_virtual_network(name, None)
vn_name = self._get_namespace_service_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear service network info from namespace entry.
self._set_namespace_service_virtual_network(name, None)
# delete security groups
security_groups = project.get_security_groups()
for sg_uuid in security_groups:
sg = SecurityGroupKM.get(sg_uuid)
if not sg:
continue
sg_name = vnc_kube_config.get_default_sg_name(name)
if sg.name != sg_name:
continue
for vmi_id in list(sg.virtual_machine_interfaces):
try:
self._vnc_lib.ref_update('virtual-machine-interface', vmi_id,
'security-group', sg.uuid, None, 'DELETE')
except NoIdError:
pass
self._vnc_lib.security_group_delete(id=sg_uuid)
# delete the label cache
if project:
self._clear_namespace_label_cache(namespace_id, project)
# delete the namespace
self._delete_namespace(name)
# If project was created for this namesspace, delete the project.
if vnc_kube_config.get_project_name_for_namespace(name) ==\
project.name:
self._vnc_lib.project_delete(fq_name=proj_fq_name)
except:
# Raise it up to be logged.
raise
def _get_loadbalancer_id_or_none(self, service_name, service_namespace):
"""
Get ID of loadbalancer given service name and namespace.
Return None if loadbalancer for the given service does not exist.
"""
service_info = self._kube.get_resource(
'services', service_name, service_namespace)
if service_info is None or 'metadata' not in service_info:
return None
service_uid = service_info['metadata'].get('uid')
if not service_uid:
return None
lb_name = VncCommon.make_name(service_name, service_uid)
project_fq_name = vnc_kube_config.cluster_project_fq_name(
service_namespace)
lb_fq_name = project_fq_name + [lb_name]
try:
loadbalancer = self._vnc_lib.loadbalancer_read(fq_name=lb_fq_name)
except NoIdError:
return None
if loadbalancer is None:
return None
return loadbalancer.uuid
def vnc_namespace_delete(self, namespace_id, name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
project_uuid = ProjectKM.get_fq_name_to_uuid(proj_fq_name)
if not project_uuid:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
project = ProjectKM.get(project_uuid)
if not project:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
default_sg_fq_name = proj_fq_name[:]
sg = "-".join([vnc_kube_config.cluster_name(), name, 'default'])
default_sg_fq_name.append(sg)
ns_sg_fq_name = proj_fq_name[:]
ns_sg = "-".join([vnc_kube_config.cluster_name(), name, 'sg'])
ns_sg_fq_name.append(ns_sg)
sg_list = [default_sg_fq_name, ns_sg_fq_name]
try:
# If the namespace is isolated, delete its virtual network.
if self._is_namespace_isolated(name):
self._delete_policy(name, proj_fq_name)
vn_name = self._get_namespace_pod_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear pod network info from namespace entry.
self._set_namespace_pod_virtual_network(name, None)
vn_name = self._get_namespace_service_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear service network info from namespace entry.
self._set_namespace_service_virtual_network(name, None)
# delete default-sg and ns-sg security groups
security_groups = project.get_security_groups()
for sg_uuid in security_groups:
sg = SecurityGroupKM.get(sg_uuid)
if sg and sg.fq_name in sg_list[:]:
self._vnc_lib.security_group_delete(id=sg_uuid)
sg_list.remove(sg.fq_name)
if not len(sg_list):
break
# delete the label cache
if project:
self._clear_namespace_label_cache(namespace_id, project)
# delete the namespace
self._delete_namespace(name)
# If namespace=project, delete the project
if vnc_kube_config.cluster_project_name(name) == name:
self._vnc_lib.project_delete(fq_name=proj_fq_name)
except:
# Raise it up to be logged.
raise
def vnc_namespace_delete(self, namespace_id, name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
project_uuid = ProjectKM.get_fq_name_to_uuid(proj_fq_name)
if not project_uuid:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
project = ProjectKM.get(project_uuid)
if not project:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
try:
# If the namespace is isolated, delete its virtual network.
if self._is_namespace_isolated(name):
self._delete_policy(name, proj_fq_name)
vn_name = self._get_namespace_pod_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear pod network info from namespace entry.
self._set_namespace_pod_virtual_network(name, None)
vn_name = self._get_namespace_service_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# Clear service network info from namespace entry.
self._set_namespace_service_virtual_network(name, None)
# delete security groups
security_groups = project.get_security_groups()
for sg_uuid in security_groups:
sg = SecurityGroupKM.get(sg_uuid)
if not sg:
continue
sg_name = vnc_kube_config.get_default_sg_name(name)
if sg.name != sg_name:
continue
for vmi_id in list(sg.virtual_machine_interfaces):
try:
self._vnc_lib.ref_update('virtual-machine-interface',
vmi_id, 'security-group',
sg.uuid, None, 'DELETE')
except NoIdError:
pass
self._vnc_lib.security_group_delete(id=sg_uuid)
# delete the label cache
if project:
self._clear_namespace_label_cache(namespace_id, project)
# delete the namespace
self._delete_namespace(name)
# If namespace=project, delete the project
if vnc_kube_config.cluster_project_name(name) == name:
self._vnc_lib.project_delete(fq_name=proj_fq_name)
except:
# Raise it up to be logged.
raise
def _get_project(self, service_namespace):
proj_fq_name =\
vnc_kube_config.cluster_project_fq_name(service_namespace)
try:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
return proj_obj
except NoIdError:
return None
def _get_project(self, service_namespace):
proj_fq_name =\
vnc_kube_config.cluster_project_fq_name(service_namespace)
try:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
return proj_obj
except NoIdError:
return None
def _get_ns_address(self, ns_name):
address = {}
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
ns_sg_fq_name = proj_fq_name[:]
ns_sg = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg'])
ns_sg_fq_name.append(ns_sg)
address['security_group'] = ns_sg_fq_name
return address
def _create_project(self, project_name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(project_name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
try:
self.vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self.vnc_lib.project_read(fq_name=proj_fq_name)
ProjectKM.locate(proj_obj.uuid)
return proj_obj
def _get_project(self, ns_name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(ns_name)
try:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
except NoIdError:
self._logger.error("%s - %s Not Found" %
(self._name, proj_fq_name))
return None
return proj_obj
def _check_service_uuid_change(self, svc_uuid, svc_name, svc_namespace,
ports):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(svc_namespace)
lb_fq_name = proj_fq_name + [svc_name]
lb_uuid = LoadbalancerKM.get_fq_name_to_uuid(lb_fq_name)
if lb_uuid is None:
return
if svc_uuid != lb_uuid:
self.vnc_service_delete(lb_uuid, svc_name, svc_namespace, ports)
self.logger.notice("Uuid change detected for service %s. "
"Deleteing old service" % lb_fq_name)
def _create_vmi(self,
pod_name,
pod_namespace,
pod_id,
vm_obj,
vn_obj,
parent_vmi,
idx,
network=None):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(pod_namespace)
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
if network and 'namespace' in network:
network.pop('namespace')
vmi_prop = None
if self._is_pod_nested() and parent_vmi:
# Pod is nested.
# Allocate a vlan-id for this pod from the vlan space managed
# in the VMI of the underlay VM.
parent_vmi = VirtualMachineInterfaceKM.get(parent_vmi.uuid)
vlan_id = parent_vmi.alloc_vlan()
vmi_prop = VirtualMachineInterfacePropertiesType(
sub_interface_vlan_tag=vlan_id)
obj_uuid = str(uuid.uuid1())
name = VncCommon.make_name(pod_name, obj_uuid)
vmi_obj = VirtualMachineInterface(
name=name,
parent_obj=proj_obj,
virtual_machine_interface_properties=vmi_prop,
display_name=name)
vmi_obj.uuid = obj_uuid
vmi_obj.set_virtual_network(vn_obj)
vmi_obj.set_virtual_machine(vm_obj)
self._associate_security_groups(vmi_obj, proj_obj, pod_namespace)
vmi_obj.port_security_enabled = True
VirtualMachineInterfaceKM.add_annotations(self,
vmi_obj,
pod_namespace,
pod_name,
index=idx,
**network)
try:
vmi_uuid = self._vnc_lib.virtual_machine_interface_create(vmi_obj)
except RefsExistError:
vmi_uuid = self._vnc_lib.virtual_machine_interface_update(vmi_obj)
VirtualMachineInterfaceKM.locate(vmi_uuid)
return vmi_uuid
def vnc_namespace_delete(self, namespace_id, name):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
project_uuid = ProjectKM.get_fq_name_to_uuid(proj_fq_name)
if not project_uuid:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
project = ProjectKM.get(project_uuid)
if not project:
self._logger.error("Unable to locate project for k8s namespace "
"[%s]" % (name))
return
default_sg_fq_name = proj_fq_name[:]
sg = "-".join([vnc_kube_config.cluster_name(), name, 'default'])
default_sg_fq_name.append(sg)
ns_sg_fq_name = proj_fq_name[:]
ns_sg = "-".join([vnc_kube_config.cluster_name(), name, 'sg'])
ns_sg_fq_name.append(ns_sg)
sg_list = [default_sg_fq_name, ns_sg_fq_name]
try:
# If the namespace is isolated, delete its virtual network.
if self._is_namespace_isolated(name):
vn_name = self._get_namespace_vn_name(name)
self._delete_isolated_ns_virtual_network(
name, vn_name=vn_name, proj_fq_name=proj_fq_name)
# delete default-sg and ns-sg security groups
security_groups = project.get_security_groups()
for sg_uuid in security_groups:
sg = SecurityGroupKM.get(sg_uuid)
if sg and sg.fq_name in sg_list[:]:
self._vnc_lib.security_group_delete(id=sg_uuid)
sg_list.remove(sg.fq_name)
if not len(sg_list):
break
# delete the label cache
if project:
self._clear_namespace_label_cache(namespace_id, project)
# delete the namespace
self._delete_namespace(name)
# If namespace=project, delete the project
if vnc_kube_config.cluster_project_name(name) == name:
self._vnc_lib.project_delete(fq_name=proj_fq_name)
except:
pass
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_vn_name(name)
self._create_isolated_ns_virtual_network(ns_name=name,
vn_name=vn_name,
proj_obj=proj_obj)
try:
network_policy = self._get_network_policy_annotations(name)
sg_dict = self._update_security_groups(name, proj_obj,
network_policy)
self._ns_sg[name] = sg_dict
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
return project
def _get_ingress_sg_rule_list(self,
namespace,
name,
ingress_rule_list,
ingress_pod_sg_create=True):
ingress_pod_sgs = set()
ingress_ns_sgs = set()
ingress_sg_rule_list = []
ingress_pod_sg_dict = {}
for ingress_rule in ingress_rule_list or []:
proj_fq_name = vnc_kube_config.cluster_project_fq_name(namespace)
src_sg_fq_name = proj_fq_name[:]
dst_port = ingress_rule['dst_port']
src_address = ingress_rule['src_address']
if 'pod_selector' in src_address:
pod_sg_created = False
src_sg_name = src_address['src_sg_name']
pod_selector = src_address['pod_selector']
if src_sg_name in ingress_pod_sg_dict:
pod_sg_created = True
if ingress_pod_sg_create and not pod_sg_created:
pod_sg = self._create_ingress_sg(namespace, src_sg_name,
json.dumps(pod_selector))
if not pod_sg:
continue
ingress_pod_sg_dict[src_sg_name] = pod_sg.uuid
pod_sg.ingress_pod_selector = pod_selector
ingress_pod_sgs.add(pod_sg.uuid)
self._update_sg_cache(self._ingress_pod_label_cache,
pod_selector, pod_sg.uuid)
pod_ids = self._find_pods(pod_selector)
for pod_id in pod_ids:
self._update_sg_pod_link(namespace,
pod_id,
pod_sg.uuid,
'ADD',
validate_vm=True)
src_sg_fq_name.append(src_sg_name)
else:
if 'ns_selector' in src_address:
ns_sg_uuid = src_address['ns_sg_uuid']
ingress_ns_sgs.add(ns_sg_uuid)
src_sg_fq_name = src_address['security_group']
ingress_sg_rule = self._get_ingress_sg_rule(
src_sg_fq_name, dst_port)
ingress_sg_rule_list.append(ingress_sg_rule)
return ingress_sg_rule_list, ingress_pod_sgs, ingress_ns_sgs
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self, proj_obj, namespace=name, name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_vn_name(name)
self._create_isolated_ns_virtual_network(ns_name=name,
vn_name=vn_name,
proj_obj=proj_obj)
try:
network_policy = self._get_network_policy_annotations(name)
sg_dict = self._update_security_groups(name, proj_obj,
network_policy)
self._ns_sg[name] = sg_dict
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
return project
def __init__(self):
self._name = type(self).__name__
self._vnc_lib = vnc_kube_config.vnc_lib()
self._logger = vnc_kube_config.logger()
self.proj_obj = None
proj_name = vnc_kube_config.get_configured_project_name()
if not vnc_kube_config.is_global_tags() and proj_name:
proj_fq_name = vnc_kube_config.cluster_project_fq_name()
try:
self.proj_obj = self._vnc_lib.project_read(
fq_name=proj_fq_name)
except NoIdError as e:
self._logger.error("Unable to locate project object for [%s]"
". Error [%s]" % (proj_fq_name, str(e)))
self._logger.debug(
"All tags for this cluster will created with be in "
"global space as project object was not found.")
else:
self._logger.debug(
"All tags will be created within the scope of project [%s]"
% (proj_fq_name))
def __init__(self):
self._name = type(self).__name__
self._vnc_lib = vnc_kube_config.vnc_lib()
self._logger = vnc_kube_config.logger()
self.proj_obj = None
proj_name = vnc_kube_config.get_configured_project_name()
if not vnc_kube_config.is_global_tags() and proj_name:
proj_fq_name = vnc_kube_config.cluster_project_fq_name()
try:
self.proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate project object for [%s]"
". Error [%s]" %\
(proj_fq_name, str(e)))
self._logger.debug(
"All tags for this cluster will created with be in "
"global space as project object was not found.")
else:
self._logger.debug(
"All tags will be created within the scope of project [%s]"%\
(proj_fq_name))
def _vnc_create_sg(self,
np_spec,
namespace,
name,
uuid=None,
**kwargs_annotations):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(namespace)
proj_obj = Project(name=proj_fq_name[-1],
fq_name=proj_fq_name,
parent='domain')
sg_obj = SecurityGroup(name=name, parent_obj=proj_obj)
if uuid:
sg_obj.uuid = uuid
if np_spec:
kwargs_annotations.update({'np_spec': json.dumps(np_spec)})
self._set_sg_annotations(namespace, name, sg_obj, **kwargs_annotations)
try:
self._vnc_lib.security_group_create(sg_obj)
except Exception:
self._logger.error("%s - %s SG Not Created" % (self._name, name))
return None
sg = SecurityGroupKM.locate(sg_obj.uuid)
return sg
def _create_vmi(self, pod_name, pod_namespace, pod_id, vm_obj, vn_obj,
parent_vmi, idx, nw_name=''):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(pod_namespace)
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
vmi_prop = None
if self._is_pod_nested() and parent_vmi:
# Pod is nested.
# Allocate a vlan-id for this pod from the vlan space managed
# in the VMI of the underlay VM.
parent_vmi = VirtualMachineInterfaceKM.get(parent_vmi.uuid)
vlan_id = parent_vmi.alloc_vlan()
vmi_prop = VirtualMachineInterfacePropertiesType(
sub_interface_vlan_tag=vlan_id)
obj_uuid = str(uuid.uuid1())
name = VncCommon.make_name(pod_name, obj_uuid)
vmi_obj = VirtualMachineInterface(
name=name, parent_obj=proj_obj,
virtual_machine_interface_properties=vmi_prop,
display_name=name)
vmi_obj.uuid = obj_uuid
vmi_obj.set_virtual_network(vn_obj)
vmi_obj.set_virtual_machine(vm_obj)
self._associate_security_groups(vmi_obj, proj_obj, pod_namespace)
vmi_obj.port_security_enabled = True
VirtualMachineInterfaceKM.add_annotations(self, vmi_obj, pod_namespace,
pod_name, index=idx, network=nw_name)
try:
vmi_uuid = self._vnc_lib.virtual_machine_interface_create(vmi_obj)
except RefsExistError:
vmi_uuid = self._vnc_lib.virtual_machine_interface_update(vmi_obj)
VirtualMachineInterfaceKM.locate(vmi_uuid)
return vmi_uuid
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
return None
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True:
vn_name = self._get_namespace_pod_vn_name(name)
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
pod_vn = self._create_isolated_ns_virtual_network( \
ns_name=name, vn_name=vn_name, proj_obj=proj_obj,
ipam_obj=ipam_obj, provider=self._ip_fabric_vn_obj)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network( \
ns_name=name, vn_name=vn_name,
ipam_obj=ipam_obj,proj_obj=proj_obj)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj, \
self._ip_fabric_vn_obj, pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(
proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
# Check if policy enforcement is enabled at project level.
# If not, then security will be enforced at VN level.
if DBBaseKM.is_nested():
# In nested mode, policy is always enforced at network level.
# This is so that we do not enforce policy on other virtual
# networks that may co-exist in the current project.
secure_project = False
else:
secure_project = vnc_kube_config.is_secure_project_enabled()
secure_vn = not secure_project
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self,
proj_obj,
namespace=name,
name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True or name == 'default':
vn_name = self._get_namespace_pod_vn_name(name)
if self._is_ip_fabric_forwarding_enabled(name):
ipam_fq_name = vnc_kube_config.ip_fabric_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(
fq_name=ipam_fq_name)
provider = self._ip_fabric_vn_obj
else:
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(
fq_name=ipam_fq_name)
provider = None
pod_vn = self._create_isolated_ns_virtual_network(
ns_name=name,
vn_name=vn_name,
vn_type='pod-network',
proj_obj=proj_obj,
ipam_obj=ipam_obj,
provider=provider,
enforce_policy=secure_vn)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network(
ns_name=name,
vn_name=vn_name,
vn_type='service-network',
ipam_obj=ipam_obj,
proj_obj=proj_obj,
enforce_policy=secure_vn)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj, self._ip_fabric_vn_obj,
pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
# If requested, enforce security policy at project level.
if secure_project:
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(
proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project
def vnc_namespace_add(self, namespace_id, name, labels):
isolated_ns_ann = 'True' if self._is_namespace_isolated(name) \
else 'False'
# Check if policy enforcement is enabled at project level.
# If not, then security will be enforced at VN level.
if DBBaseKM.is_nested():
# In nested mode, policy is always enforced at network level.
# This is so that we do not enforce policy on other virtual
# networks that may co-exist in the current project.
secure_project = False
else:
secure_project = vnc_kube_config.is_secure_project_enabled()
secure_vn = not secure_project
proj_fq_name = vnc_kube_config.cluster_project_fq_name(name)
proj_obj = Project(name=proj_fq_name[-1], fq_name=proj_fq_name)
ProjectKM.add_annotations(self, proj_obj, namespace=name, name=name,
k8s_uuid=(namespace_id),
isolated=isolated_ns_ann)
try:
self._vnc_lib.project_create(proj_obj)
except RefsExistError:
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
project = ProjectKM.locate(proj_obj.uuid)
# Validate the presence of annotated virtual network.
ann_vn_fq_name = self._get_annotated_virtual_network(name)
if ann_vn_fq_name:
# Validate that VN exists.
try:
self._vnc_lib.virtual_network_read(ann_vn_fq_name)
except NoIdError as e:
self._logger.error(
"Unable to locate virtual network [%s]"
"annotated on namespace [%s]. Error [%s]" %\
(ann_vn_fq_name, name, str(e)))
# If this namespace is isolated, create it own network.
if self._is_namespace_isolated(name) == True or name == 'default':
vn_name = self._get_namespace_pod_vn_name(name)
if self._is_ip_fabric_forwarding_enabled(name):
ipam_fq_name = vnc_kube_config.ip_fabric_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
provider = self._ip_fabric_vn_obj
else:
ipam_fq_name = vnc_kube_config.pod_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
provider = None
pod_vn = self._create_isolated_ns_virtual_network(
ns_name=name, vn_name=vn_name, vn_type='pod-network',
proj_obj=proj_obj, ipam_obj=ipam_obj, provider=provider,
enforce_policy = secure_vn)
# Cache pod network info in namespace entry.
self._set_namespace_pod_virtual_network(name, pod_vn.get_fq_name())
vn_name = self._get_namespace_service_vn_name(name)
ipam_fq_name = vnc_kube_config.service_ipam_fq_name()
ipam_obj = self._vnc_lib.network_ipam_read(fq_name=ipam_fq_name)
service_vn = self._create_isolated_ns_virtual_network(
ns_name=name, vn_name=vn_name, vn_type='service-network',
ipam_obj=ipam_obj,proj_obj=proj_obj,
enforce_policy = secure_vn)
# Cache service network info in namespace entry.
self._set_namespace_service_virtual_network(
name, service_vn.get_fq_name())
self._create_attach_policy(name, proj_obj,
self._ip_fabric_vn_obj, pod_vn, service_vn)
try:
self._update_security_groups(name, proj_obj)
except RefsExistError:
pass
if project:
self._update_namespace_label_cache(labels, namespace_id, project)
# If requested, enforce security policy at project level.
if secure_project:
proj_obj = self._vnc_lib.project_read(id=project.uuid)
self._vnc_lib.set_tags(proj_obj,
self._labels.get_labels_dict(
VncSecurityPolicy.cluster_aps_uuid))
return project
def vnc_pod_add(self, pod_id, pod_name, pod_namespace, pod_node, node_ip,
labels, vm_vmi):
vm = VirtualMachineKM.get(pod_id)
if vm:
vm.pod_namespace = pod_namespace
if not vm.virtual_router:
self._link_vm_to_node(vm, pod_node, node_ip)
self._set_label_to_pod_cache(labels, vm)
# Update tags.
self._set_tags_on_pod_vmi(pod_id)
return vm
vn_obj = self._get_default_network(pod_id, pod_name, pod_namespace)
if not vn_obj:
return
pod = PodKM.find_by_name_or_uuid(pod_id)
total_interface_count = len(pod.networks) + 1
# network_status: Dict of network name to vmi_uuid
network_status = {}
proj_fq_name = vnc_kube_config.cluster_project_fq_name(pod_namespace)
proj_obj = self._vnc_lib.project_read(fq_name=proj_fq_name)
vm_obj = self._create_vm(pod_namespace, pod_id, pod_name, labels,
proj_obj.uuid)
index = str(0) + "/" + str(total_interface_count)
default_network = {'network': 'default'}
vmi_uuid = self.vnc_pod_vmi_create(pod_id, pod_name, pod_namespace,
pod_node, node_ip, vm_obj, vn_obj,
proj_obj, vm_vmi, index,
default_network)
network_status['cluster-wide-default'] = vmi_uuid
for idx, network in enumerate(pod.networks, start=1):
net_namespace = pod_namespace
net_name = network['network']
if 'namespace' in network:
net_namespace = network['namespace']
vn_obj = self._get_user_defined_network(net_name, net_namespace)
index = str(idx) + "/" + str(total_interface_count)
vmi_uuid = self.vnc_pod_vmi_create(pod_id, pod_name, pod_namespace,
pod_node, node_ip, vm_obj,
vn_obj, proj_obj, vm_vmi, index,
network)
network_status[net_name] = vmi_uuid
if not self._is_pod_nested():
self._link_vm_to_node(vm_obj, pod_node, node_ip)
vm = VirtualMachineKM.locate(pod_id)
if vm:
vm.pod_namespace = pod_namespace
vm.pod_node = pod_node
vm.node_ip = node_ip
self._set_label_to_pod_cache(labels, vm)
self._set_tags_on_pod_vmi(pod_id)
# Update network-status in pod description
self._update_network_status(pod_name, pod_namespace,
network_status)
return vm
