Python get_kuryrnetworkpolicy_crds 예제들

예제 #1

파일: network_policy_security_groups.py 프로젝트: openshift/kuryr-kubernetes

    def delete_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Deleting SG rules for namespace: %s", ns_name)

        crd_selectors = []
        knp_crds = driver_utils.get_kuryrnetworkpolicy_crds()
        for crd in knp_crds:
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')

            i_matched = _parse_rules_on_delete_namespace(
                ingress_rule_list, "ingress", ns_name)
            e_matched = _parse_rules_on_delete_namespace(
                egress_rule_list, "egress", ns_name)

            if i_matched or e_matched:
                try:
                    driver_utils.bump_networkpolicy(crd)
                except exceptions.K8sResourceNotFound:
                    # The NP got deleted, ignore it.
                    continue
            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

예제 #2

파일: network_policy_security_groups.py 프로젝트: openshift/kuryr-kubernetes

    def delete_sg_rules(self, pod):
        LOG.debug("Deleting SG rules for pod: %s", pod['metadata']['name'])
        pod_ip = driver_utils.get_pod_ip(pod)
        crd_pod_selectors = []
        if not pod_ip:
            LOG.debug("Skipping SG rule deletion as pod %s has no IP assigned",
                      pod['metadata']['name'])
            return crd_pod_selectors
        knp_crds = driver_utils.get_kuryrnetworkpolicy_crds()
        for crd in knp_crds:
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')

            i_matched = _parse_rules_on_delete_pod(ingress_rule_list,
                                                   "ingress", pod_ip)
            e_matched = _parse_rules_on_delete_pod(egress_rule_list, "egress",
                                                   pod_ip)

            if i_matched or e_matched:
                try:
                    driver_utils.bump_networkpolicy(crd)
                except exceptions.K8sResourceNotFound:
                    # The NP got deleted, ignore it.
                    continue
            if i_matched:
                crd_pod_selectors.append(crd_selector)
        return crd_pod_selectors

예제 #3

파일: network_policy_security_groups.py 프로젝트: openshift/kuryr-kubernetes

def _get_pod_sgs(pod):
    sg_list = []

    pod_labels = pod['metadata'].get('labels')
    pod_namespace = pod['metadata']['namespace']

    knp_crds = driver_utils.get_kuryrnetworkpolicy_crds(
        namespace=pod_namespace)
    for crd in knp_crds:
        pod_selector = crd['spec'].get('podSelector')
        if driver_utils.match_selector(pod_selector, pod_labels):
            sg_id = crd['status'].get('securityGroupId')
            if not sg_id:
                # NOTE(dulek): We could just assume KNP handler will apply it,
                #              but it's possible that when it gets this pod it
                #              will have no IP yet and will be skipped.
                LOG.warning('SG for NP %s not created yet, will retry.',
                            utils.get_res_unique_name(crd))
                raise exceptions.ResourceNotReady(pod)
            LOG.debug("Appending %s", crd['status']['securityGroupId'])
            sg_list.append(crd['status']['securityGroupId'])

    # NOTE(maysams) Pods that are not selected by any Networkpolicy
    # are fully accessible. Thus, the default security group is associated.
    if not sg_list:
        sg_list = config.CONF.neutron_defaults.pod_security_groups
        if not sg_list:
            raise cfg.RequiredOptError('pod_security_groups',
                                       cfg.OptGroup('neutron_defaults'))

    return sg_list[:]

예제 #4

파일: network_policy_security_groups.py 프로젝트: openshift-bot/kuryr-kubernetes

    def create_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Creating SG rules for namespace: %s", ns_name)
        crd_selectors = []
        knp_crds = driver_utils.get_kuryrnetworkpolicy_crds()
        nps = driver_utils.get_networkpolicies()
        pairs = driver_utils.zip_knp_np(knp_crds, nps)
        for crd, policy in pairs:
            crd_selector = crd['spec'].get('podSelector')
            spec = policy.get('spec')
            i_matched = _parse_rules('ingress', crd, spec, namespace=namespace)
            e_matched = _parse_rules('egress', crd, spec, namespace=namespace)

            if i_matched or e_matched:
                _bump_networkpolicy(crd)
            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

예제 #5

파일: network_policy_security_groups.py 프로젝트: openshift-bot/kuryr-kubernetes

    def delete_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Deleting SG rules for namespace: %s", ns_name)

        crd_selectors = []
        knp_crds = driver_utils.get_kuryrnetworkpolicy_crds()
        for crd in knp_crds:
            crd_selector = crd['spec'].get('podSelector')
            ingress_rule_list = crd['spec'].get('ingressSgRules')
            egress_rule_list = crd['spec'].get('egressSgRules')

            i_matched = _parse_rules_on_delete_namespace(
                ingress_rule_list, "ingress", ns_name)
            e_matched = _parse_rules_on_delete_namespace(
                egress_rule_list, "egress", ns_name)

            if i_matched or e_matched:
                _bump_networkpolicy(crd)
            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors

예제 #6

파일: network_policy_security_groups.py 프로젝트: openshift/kuryr-kubernetes

    def create_namespace_sg_rules(self, namespace):
        ns_name = namespace['metadata']['name']
        LOG.debug("Creating SG rules for namespace: %s", ns_name)
        crd_selectors = []
        knp_crds = driver_utils.get_kuryrnetworkpolicy_crds()
        nps = driver_utils.get_networkpolicies()
        pairs = driver_utils.zip_knp_np(knp_crds, nps)
        for crd, policy in pairs:
            crd_selector = crd['spec'].get('podSelector')
            spec = policy.get('spec')
            i_matched = _parse_rules('ingress', crd, spec, namespace=namespace)
            e_matched = _parse_rules('egress', crd, spec, namespace=namespace)

            if i_matched or e_matched:
                try:
                    driver_utils.bump_networkpolicy(crd)
                except exceptions.K8sResourceNotFound:
                    # The NP got deleted, ignore it.
                    continue
            if i_matched:
                crd_selectors.append(crd_selector)
        return crd_selectors