def _create_ncp_boundary_firewall_section(
nsxt_client,
anchor_id,
firewall_section_name,
tag_value):
dfw_manager = DFWManager(nsxt_client)
section = dfw_manager.get_firewall_section(name=firewall_section_name)
if not section:
tag = {}
tag['scope'] = "ncp/fw_sect_marker"
tag['tag'] = tag_value
tags = [tag]
nsxt_client.LOGGER.debug(
f"Creating DFW section : {firewall_section_name}")
section = dfw_manager.create_firewall_section(
name=firewall_section_name,
tags=tags,
anchor_id=anchor_id,
insert_policy=INSERT_POLICY.INSERT_BEFORE)
else:
nsxt_client.LOGGER.debug(f"DFW section : {firewall_section_name} "
"already exists.")
return section
def is_cluster_isolated(self, cluster_name):
"""."""
# check for the presence of the firewall section
firewall_section_name = \
self._get_firewall_section_name_for_cluster(cluster_name)
dfw_manager = DFWManager(self._nsxt_client)
firewall_section = dfw_manager.get_firewall_section(
name=firewall_section_name)
if not firewall_section:
return False
rules = dfw_manager.get_all_rules_in_section(
section_id=firewall_section['id'])
# Check for presence of the isolation DFW rules.
# The checks are overly rigid, because we don't want any tampering with
# the network isolation rules created by CSE on NSX-T. If the number of
# rules are changed in future, this piece of logic should be updated
# accordingly.
if len(rules) != 2:
return False
found_rule_names = set(
[rules[0]['display_name'], rules[1]['display_name']])
if self.RULE2_NAME not in found_rule_names or \
self.RULE3_NAME not in found_rule_names:
return False
return True
def setup_nsxt_constructs(nsxt_client,
nodes_ip_block_id,
pods_ip_block_id,
ncp_boundary_firewall_section_anchor_id):
"""Set up one time NSX-T construct which will aid in network isolation.
:param list nodes_ip_block_id: list of strings, where each entry represents
id of a non routable ip block from which ip of cluster nodes will be
assigned.
:param list pods_ip_block_id: list of strings, where each entry represents
id of a non routable ip block from which ip of cluster pods will be
assigned.
:param str ncp_boundary_firewall_section_anchor_id: id of the firewal
section which will act as anchor for the NCP fw_sector/top firewall
section.
"""
_create_ipset_for_node_pod_ip_blocks(nsxt_client,
nodes_ip_block_id,
pods_ip_block_id)
_create_all_nodes_pods_nsgroup(nsxt_client)
dfw_manager = DFWManager(nsxt_client)
dfw_manager.delete_firewall_section(
name=NCP_BOUNDARY_FIREWALL_SECTION_NAME)
_create_ncp_boundary_firewall_section(
nsxt_client, ncp_boundary_firewall_section_anchor_id,
NCP_BOUNDARY_TOP_FIREWALL_SECTION_NAME, "top")
_create_ncp_boundary_firewall_section(
nsxt_client, ncp_boundary_firewall_section_anchor_id,
NCP_BOUNDARY_BOTTOM_FIREWALL_SECTION_NAME, "bottom")
def _create_ncp_boundary_firewall_section(
nsxt_client,
ncp_boundary_firewall_section_anchor_id):
dfw_manager = DFWManager(nsxt_client)
section = dfw_manager.get_firewall_section(
name=NCP_BOUNDARY_FIREWALL_SECTION_NAME)
if not section:
tag = {}
tag['scope'] = "ncp/fw_sect_marker"
tag['tag'] = "top"
tags = [tag]
nsxt_client.LOGGER.debug(
f"Creating DFW section : {NCP_BOUNDARY_FIREWALL_SECTION_NAME}")
section = dfw_manager.create_firewall_section(
name=NCP_BOUNDARY_FIREWALL_SECTION_NAME,
tags=tags,
anchor_id=ncp_boundary_firewall_section_anchor_id,
insert_policy=INSERT_POLICY.INSERT_BEFORE)
else:
nsxt_client.LOGGER.debug("DFW section : "
f"{NCP_BOUNDARY_FIREWALL_SECTION_NAME}"
" already exists.")
return section
def _create_firewall_rules_for_cluster(self, section_id, nodes_nsgroup_id,
pods_nsgroup_id,
nodes_pods_nsgroup_id,
all_nodes_pods_nsgroup_id):
"""Create DFW Rules to isolate a cluster network.
One rule to limit communication from pods to nodes.
One rule to allow other form of communication between nodes and pods.
One rule to isolate the nodes and pods of this cluster from other
clusters.
:param str section_id: id of the DFW Section where these rules will be
added.
:param str nodes_nsgroup_id:
:param str pods_nsgroup_id:
:param str nodes_pods_nsgroup_id:
:param str all_nodes_pods_nsgroup_id:
"""
dfw_manager = DFWManager(self._nsxt_client)
# self._nsxt_client.LOGGER.debug(
# f"Creating DFW rule : {self.RULE1_NAME}")
# rule1 = dfw_manager.create_dfw_rule(
# section_id=section_id,
# rule_name=self.RULE1_NAME,
# source_nsgroup_id=pods_nsgroup_id,
# dest_nsgroup_id=nodes_nsgroup_id,
# action=FIREWALL_ACTION.DROP)
self._nsxt_client.LOGGER.debug(
f"Creating DFW rule : {self.RULE2_NAME}")
rule2 = dfw_manager.create_dfw_rule(
section_id=section_id,
rule_name=self.RULE2_NAME,
source_nsgroup_id=nodes_pods_nsgroup_id,
dest_nsgroup_id=nodes_pods_nsgroup_id,
action=FIREWALL_ACTION.ALLOW,
# anchor_rule_id=rule1['id'],
# insert_policy=INSERT_POLICY.INSERT_AFTER
)
self._nsxt_client.LOGGER.debug(
f"Creating DFW rule : {self.RULE3_NAME}")
dfw_manager.create_dfw_rule(section_id=section_id,
rule_name=self.RULE3_NAME,
source_nsgroup_id=nodes_pods_nsgroup_id,
dest_nsgroup_id=all_nodes_pods_nsgroup_id,
action=FIREWALL_ACTION.DROP,
anchor_rule_id=rule2['id'],
insert_policy=INSERT_POLICY.INSERT_AFTER)
def remove_cluster_isolation(self, cluster_name):
"""Revert isolatation of a PKS cluster's network.
:param str cluster_name: name of the cluster whose network isolation
needs to be reverted.
"""
firewall_section_name = \
self._get_firewall_section_name_for_cluster(cluster_name)
nodes_nsgroup_name = self._get_nodes_nsgroup_name(cluster_name)
pods_nsgroup_name = self._get_pods_nsgroup_name(cluster_name)
nodes_pods_nsgroup_name = \
self._get_nodes_pods_nsgroup_name(cluster_name)
dfw_manager = DFWManager(self._nsxt_client)
nsgroup_manager = NSGroupManager(self._nsxt_client)
dfw_manager.delete_firewall_section(firewall_section_name,
cascade=True)
nsgroup_manager.delete_nsgroup(nodes_pods_nsgroup_name, force=True)
nsgroup_manager.delete_nsgroup(nodes_nsgroup_name, force=True)
nsgroup_manager.delete_nsgroup(pods_nsgroup_name, force=True)
def _create_firewall_section_for_cluster(self, cluster_name,
applied_to_nsgroup_id):
"""Create DFW Section for the cluster.
If DFW Section already exists, delete it and re-create it. Since this
section is based on cluster name, it possible that a previously
deployed cluster on deletion failed to cleanup properly. We shouldn't
re-use such a section rather create it afresh with new rules pointing
to the correct NSGroups.
:param str cluster_name: name of the cluster whose network is being
isolated.
:param str applied_to_nsgroup_id: id of the NSGroup on which the rules
in this DFW SEction will apply to.
"""
section_name = self._get_firewall_section_name_for_cluster(
cluster_name)
dfw_manager = DFWManager(self._nsxt_client)
section = dfw_manager.get_firewall_section(section_name)
if section:
self._nsxt_client.LOGGER.debug(f"DFW section : {section_name} "
"already exists.")
dfw_manager.delete_firewall_section(section_name, cascade=True)
self._nsxt_client.LOGGER.debug("Deleted DFW section : "
f"{section_name} ")
target = {}
target['target_type'] = "NSGroup"
target['target_id'] = applied_to_nsgroup_id
anchor_section = dfw_manager.get_firewall_section(
NCP_BOUNDARY_BOTTOM_FIREWALL_SECTION_NAME)
self._nsxt_client.LOGGER.debug("Creating DFW section : "
f"{section_name}")
section = dfw_manager.create_firewall_section(
name=section_name,
applied_tos=[target],
anchor_id=anchor_section['id'],
insert_policy=INSERT_POLICY.INSERT_AFTER)
return section
def _validate_pks_config_data_integrity(pks_config,
msg_update_callback=NullPrinter(),
logger_debug=NULL_LOGGER,
logger_wire=NULL_LOGGER):
all_pks_servers = \
[entry['name'] for entry in pks_config[PKS_SERVERS_SECTION_KEY]]
all_pks_accounts = \
[entry['name'] for entry in pks_config[PKS_ACCOUNTS_SECTION_KEY]]
# Create a cache with pks_account to Credentials mapping
pks_account_info_table = {}
for pks_account in pks_config[PKS_ACCOUNTS_SECTION_KEY]:
pks_account_name = pks_account['pks_api_server']
credentials = Credentials(pks_account['username'],
pks_account['secret'])
pks_account_info_table[pks_account_name] = credentials
# Check for duplicate pks api server names
duplicate_pks_server_names = get_duplicate_items_in_list(all_pks_servers)
if len(duplicate_pks_server_names) != 0:
raise ValueError(
f"Duplicate PKS api server(s) : {duplicate_pks_server_names} found"
f" in Section : {PKS_SERVERS_SECTION_KEY}")
# Check for duplicate pks account names
duplicate_pks_account_names = get_duplicate_items_in_list(all_pks_accounts)
if len(duplicate_pks_account_names) != 0:
raise ValueError(
f"Duplicate PKS account(s) : {duplicate_pks_account_names} found"
f" in Section : {PKS_ACCOUNTS_SECTION_KEY}")
# Check validity of all PKS api servers referenced in PKS accounts section
for pks_account in pks_config[PKS_ACCOUNTS_SECTION_KEY]:
pks_server_name = pks_account.get('pks_api_server')
if pks_server_name not in all_pks_servers:
raise ValueError(
f"Unknown PKS api server : {pks_server_name} referenced by "
f"PKS account : {pks_account.get('name')} in Section : "
f"{PKS_ACCOUNTS_SECTION_KEY}")
# Check validity of all PKS accounts referenced in Orgs section
if PKS_ORGS_SECTION_KEY in pks_config.keys():
for org in pks_config[PKS_ORGS_SECTION_KEY]:
referenced_accounts = org.get('pks_accounts')
if not referenced_accounts:
continue
for account in referenced_accounts:
if account not in all_pks_accounts:
raise ValueError(f"Unknown PKS account : {account} refere"
f"nced by Org : {org.get('name')} in "
f"Section : {PKS_ORGS_SECTION_KEY}")
# Check validity of all PKS api servers referenced in PVDC section
for pvdc in pks_config[PKS_PVDCS_SECTION_KEY]:
pks_server_name = pvdc.get('pks_api_server')
if pks_server_name not in all_pks_servers:
raise ValueError(f"Unknown PKS api server : {pks_server_name} "
f"referenced by PVDC : {pvdc.get('name')} in "
f"Section : {PKS_PVDCS_SECTION_KEY}")
# Check validity of all PKS api servers referenced in the pks_api_servers
# section
for pks_server in pks_config[PKS_SERVERS_SECTION_KEY]:
pks_account = pks_account_info_table.get(pks_server.get('name'))
pks_configuration = Configuration()
pks_configuration.proxy = f"http://{pks_server['proxy']}:80" \
if pks_server.get('proxy') else None
pks_configuration.host = \
f"https://{pks_server['host']}:{pks_server['port']}/" \
f"{VERSION_V1}"
pks_configuration.access_token = None
pks_configuration.username = pks_account.username
pks_configuration.verify_ssl = pks_server['verify']
pks_configuration.secret = pks_account.secret
pks_configuration.uaac_uri = \
f"https://{pks_server['host']}:{pks_server['uaac_port']}"
uaaClient = UaaClient(pks_configuration.uaac_uri,
pks_configuration.username,
pks_configuration.secret,
proxy_uri=pks_configuration.proxy)
token = uaaClient.getToken()
if not token:
raise ValueError(
"Unable to connect to PKS server : "
f"{pks_server.get('name')} ({pks_server.get('host')})")
pks_configuration.token = token
client = ApiClient(configuration=pks_configuration)
if client:
msg_update_callback.general(
"Connected to PKS server ("
f"{pks_server.get('name')} : {pks_server.get('host')})")
# Check validity of all PKS api servers referenced in NSX-T section
for nsxt_server in pks_config[PKS_NSXT_SERVERS_SECTION_KEY]:
pks_server_name = nsxt_server.get('pks_api_server')
if pks_server_name not in all_pks_servers:
raise ValueError(
f"Unknown PKS api server : {pks_server_name} referenced by "
f"NSX-T server : {nsxt_server.get('name')} in Section : "
f"{PKS_NSXT_SERVERS_SECTION_KEY}")
# Create a NSX-T client and verify connection
# server
nsxt_client = NSXTClient(
host=nsxt_server.get('host'),
username=nsxt_server.get('username'),
password=nsxt_server.get('password'),
logger_debug=logger_debug,
logger_wire=logger_wire,
http_proxy=nsxt_server.get('proxy'),
https_proxy=nsxt_server.get('proxy'),
verify_ssl=nsxt_server.get('verify'))
if not nsxt_client.test_connectivity():
raise ValueError(
"Unable to connect to NSX-T server : "
f"{nsxt_server.get('name')} ({nsxt_server.get('host')})")
msg_update_callback.general(
f"Connected to NSX-T server ({nsxt_server.get('host')})")
ipset_manager = IPSetManager(nsxt_client)
if nsxt_server.get('nodes_ip_block_ids'):
block_not_found = False
try:
for ip_block_id in nsxt_server.get('nodes_ip_block_ids'):
if not ipset_manager.get_ip_block_by_id(ip_block_id):
block_not_found = True
except HTTPError:
block_not_found = True
if block_not_found:
raise ValueError(
f"Unknown Node IP Block : {ip_block_id} referenced by "
f"NSX-T server : {nsxt_server.get('name')}.")
if nsxt_server.get('pods_ip_block_ids'):
try:
block_not_found = False
for ip_block_id in nsxt_server.get('pods_ip_block_ids'):
if not ipset_manager.get_ip_block_by_id(ip_block_id):
block_not_found = True
except HTTPError:
block_not_found = True
if block_not_found:
raise ValueError(
f"Unknown Pod IP Block : {ip_block_id} referenced by "
f"NSX-T server : {nsxt_server.get('name')}.")
dfw_manager = DFWManager(nsxt_client)
fw_section_id = \
nsxt_server.get('distributed_firewall_section_anchor_id')
section = dfw_manager.get_firewall_section(id=fw_section_id)
if not section:
raise ValueError(
f"Unknown Firewall section : {fw_section_id} referenced by "
f"NSX-T server : {nsxt_server.get('name')}.")
