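def add_namespace_security_policy(self, k8s_namespace_uuid):
    """
    Create the default-behavior firewall rules for a namespace.

    Looks up the namespace by ``k8s_namespace_uuid``, records the namespace
    label in the label cache and, for each direction (ingress, egress) that
    does not yet have an allow rule, creates an allow-all firewall rule
    scoped to the namespace label and attaches it to the "global allow"
    firewall policy (``VncSecurityPolicy.allow_all_fw_policy_uuid``).

    Args:
        k8s_namespace_uuid: UUID of the Kubernetes namespace.

    Returns:
        None. Returns early, creating nothing, when the namespace is not
        known to ``self._get_namespace``.
    """
    ns = self._get_namespace(k8s_namespace_uuid)
    if not ns:
        # Unknown namespace: nothing to label and no rules to create.
        return

    # The namespace label is what scopes the allow-all rules below. It is
    # looked up from the name only, so fetch it once and reuse it instead of
    # calling get_namespace_label three times (assumes the lookup is pure,
    # which is how the original used it).
    ns_label = self._labels.get_namespace_label(ns.name)

    # Add custom namespace label on the namespace object.
    self._labels.append(k8s_namespace_uuid, ns_label)

    if not ns.firewall_ingress_allow_rule_uuid:
        ingress_rule_name = self._get_namespace_firewall_ingress_rule_name(
            ns.name)
        # Create a rule for default ingress allow behavior on this namespace.
        ns.firewall_ingress_allow_rule_uuid = \
            VncSecurityPolicy.create_firewall_rule_allow_all(
                ingress_rule_name, ns_label)
        # Add default allow rule to the "global allow" firewall policy.
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.allow_all_fw_policy_uuid,
            ns.firewall_ingress_allow_rule_uuid)

    if not ns.firewall_egress_allow_rule_uuid:
        egress_rule_name = self._get_namespace_firewall_egress_rule_name(
            ns.name)
        # Create a rule for default egress allow behavior on this namespace.
        # NOTE(review): the egress call passes an empty dict second and the
        # label third, while the ingress call passes the label second -
        # confirm against create_firewall_rule_allow_all's signature that
        # the asymmetry is intended.
        ns.firewall_egress_allow_rule_uuid = \
            VncSecurityPolicy.create_firewall_rule_allow_all(
                egress_rule_name, {}, ns_label)
        # Add default egress allow rule to the "global allow" firewall policy.
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.allow_all_fw_policy_uuid,
            ns.firewall_egress_allow_rule_uuid)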
def add_ingress_to_service_rule(cls, ns_name, ingress_name, service_name):
    """
    Add an ingress-to-service allow rule to the ingress firewall policy.

    Args:
        ns_name: Namespace of the ingress.
        ingress_name: Name of the ingress.
        service_name: Name of the service the ingress forwards to.

    Returns:
        UUID of the firewall rule that was created and attached to
        ``VncSecurityPolicy.ingress_svc_fw_policy_uuid``, or None when that
        policy UUID is not set (no rule is created in that case).
    """
    if not VncSecurityPolicy.ingress_svc_fw_policy_uuid:
        # No ingress/service policy exists to attach a rule to.
        return None

    ingress_label_name = cls.get_ingress_label_name(ns_name, ingress_name)
    ingress_lbls = XLabelCache.get_ingress_label(ingress_label_name)
    service_lbls = XLabelCache.get_service_label(service_name)

    rule_name = VncIngress._get_ingress_firewall_rule_name(
        ns_name, ingress_name, service_name)
    # Allow-all between the two label sets; the labels are what scope it.
    rule_uuid = VncSecurityPolicy.create_firewall_rule_allow_all(
        rule_name, service_lbls, ingress_lbls)
    VncSecurityPolicy.add_firewall_rule(
        VncSecurityPolicy.ingress_svc_fw_policy_uuid, rule_uuid)
    return rule_uuid