def on_present(self, kuryrnet_crd):
ns_name = kuryrnet_crd['spec']['nsName']
project_id = kuryrnet_crd['spec']['projectId']
kns_status = kuryrnet_crd.get('status', {})
crd_creation = False
net_id = kns_status.get('netId')
if not net_id:
net_id = self._drv_subnets.create_network(ns_name, project_id)
status = {'netId': net_id}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
crd_creation = True
subnet_id = kns_status.get('subnetId')
if not subnet_id or crd_creation:
subnet_id, subnet_cidr = self._drv_subnets.create_subnet(
ns_name, project_id, net_id)
status = {'subnetId': subnet_id, 'subnetCIDR': subnet_cidr}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
crd_creation = True
if not kns_status.get('routerId') or crd_creation:
router_id = self._drv_subnets.add_subnet_to_router(subnet_id)
status = {'routerId': router_id, 'populated': False}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
crd_creation = True
# check labels to create sg rules
ns_labels = kns_status.get('nsLabels', {})
if (crd_creation or
ns_labels != kuryrnet_crd['spec']['nsLabels']):
# update SG and svc SGs
namespace = driver_utils.get_namespace(ns_name)
crd_selectors = self._drv_sg.update_namespace_sg_rules(namespace)
if (self._is_network_policy_enabled() and crd_selectors and
oslo_cfg.CONF.octavia_defaults.enforce_sg_rules):
services = driver_utils.get_services()
self._update_services(services, crd_selectors, project_id)
# update status
status = {'nsLabels': kuryrnet_crd['spec']['nsLabels']}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status, labels=True)
def _create_sg_rule_on_text_port(sg_id,
direction,
port,
rule_selected_pods,
crd_rules,
matched,
crd,
allow_all=False,
namespace=None):
matched_pods = {}
spec_pod_selector = crd['spec'].get('podSelector')
policy_namespace = crd['metadata']['namespace']
spec_pods = driver_utils.get_pods(spec_pod_selector,
policy_namespace).get('items')
if direction == 'ingress':
for spec_pod in spec_pods:
container_ports = driver_utils.get_ports(spec_pod, port)
for rule_selected_pod in rule_selected_pods:
matched = _create_sg_rules_with_container_ports(
matched_pods, container_ports, allow_all, namespace,
matched, crd_rules, sg_id, direction, port,
rule_selected_pod)
elif direction == 'egress':
for rule_selected_pod in rule_selected_pods:
pod_label = rule_selected_pod['metadata'].get('labels')
pod_ns = rule_selected_pod['metadata'].get('namespace')
# NOTE(maysams) Do not allow egress traffic to the actual
# set of pods the NP is enforced on.
if (driver_utils.match_selector(spec_pod_selector, pod_label)
and policy_namespace == pod_ns):
continue
container_ports = driver_utils.get_ports(rule_selected_pod, port)
matched = _create_sg_rules_with_container_ports(
matched_pods, container_ports, allow_all, namespace, matched,
crd_rules, sg_id, direction, port, rule_selected_pod)
for container_port, pods in matched_pods.items():
if allow_all:
sg_rule = driver_utils.create_security_group_rule_body(
sg_id,
direction,
container_port,
protocol=port.get('protocol'),
pods=pods)
else:
namespace_obj = driver_utils.get_namespace(namespace)
if not namespace_obj:
LOG.debug("Skipping SG rule creation. Inexistent"
" namespace.")
continue
namespace_cidr = driver_utils.get_namespace_subnet_cidr(
namespace_obj)
sg_rule = driver_utils.create_security_group_rule_body(
sg_id,
direction,
container_port,
protocol=port.get('protocol'),
cidr=namespace_cidr,
pods=pods)
sgr_id = driver_utils.create_security_group_rule(sg_rule)
sg_rule['security_group_rule']['id'] = sgr_id
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
return matched
def on_present(self, kuryrnet_crd, *args, **kwargs):
ns_name = kuryrnet_crd['spec']['nsName']
project_id = kuryrnet_crd['spec']['projectId']
kns_status = kuryrnet_crd.get('status', {})
namespace = driver_utils.get_namespace(ns_name)
crd_creation = False
net_id = kns_status.get('netId')
if not net_id:
try:
net_id = self._drv_subnets.create_network(namespace,
project_id)
except os_exc.SDKException as ex:
self.k8s.add_event(kuryrnet_crd, 'CreateNetworkFailed',
f'Error during creating Neutron network: '
f'{ex.details}', 'Warning')
raise
status = {'netId': net_id}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
self.k8s.add_event(kuryrnet_crd, 'CreateNetworkSucceed',
f'Neutron network {net_id} for namespace')
crd_creation = True
subnet_id = kns_status.get('subnetId')
if not subnet_id or crd_creation:
try:
subnet_id, subnet_cidr = self._drv_subnets.create_subnet(
namespace, project_id, net_id)
except os_exc.ConflictException as ex:
self.k8s.add_event(kuryrnet_crd, 'CreateSubnetFailed',
f'Error during creating Neutron subnet '
f'for network {net_id}: {ex.details}',
'Warning')
raise
status = {'subnetId': subnet_id, 'subnetCIDR': subnet_cidr}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
self.k8s.add_event(kuryrnet_crd, 'CreateSubnetSucceed',
f'Neutron subnet {subnet_id} for network '
f'{net_id}')
crd_creation = True
if not kns_status.get('routerId') or crd_creation:
try:
router_id = self._drv_subnets.add_subnet_to_router(subnet_id)
except os_exc.SDKException as ex:
self.k8s.add_event(kuryrnet_crd, 'AddingSubnetToRouterFailed',
f'Error adding Neutron subnet {subnet_id} '
f'to router {router_id}: {ex.details}',
'Warning')
raise
status = {'routerId': router_id, 'populated': False}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status)
self.k8s.add_event(kuryrnet_crd, 'AddingSubnetToRouterSucceed',
f'Neutron subnet {subnet_id} added to router '
f'{router_id}')
crd_creation = True
# check labels to create sg rules
ns_labels = kns_status.get('nsLabels', {})
if (crd_creation or
ns_labels != kuryrnet_crd['spec']['nsLabels']):
# update SG and svc SGs
crd_selectors = self._drv_sg.update_namespace_sg_rules(namespace)
if (driver_utils.is_network_policy_enabled() and crd_selectors and
oslo_cfg.CONF.octavia_defaults.enforce_sg_rules):
services = driver_utils.get_services()
self._update_services(services, crd_selectors, project_id)
# update status
status = {'nsLabels': kuryrnet_crd['spec']['nsLabels']}
self._patch_kuryrnetwork_crd(kuryrnet_crd, status, labels=True)
self.k8s.add_event(kuryrnet_crd, 'SGUpdateTriggered',
'Neutron security groups update has been '
'triggered')
