def _delete_network_policy(self, name, uuid, np_spec={}):
np_meta = {'name': name, 'uid': uuid, 'namespace': self.ns_name}
NetworkPolicyKM.delete(uuid)
np_del_event = self.create_event('NetworkPolicy', np_spec, np_meta,
'DELETED')
self.enqueue_event(np_del_event)
self.wait_for_all_tasks_done()
def _delete_network_policy(self, name, uuid, np_spec={}):
np_meta = {'name': name,
'uid': uuid,
'namespace': self.ns_name}
NetworkPolicyKM.delete(uuid)
np_del_event = self.create_event('NetworkPolicy', np_spec,
np_meta, 'DELETED')
self.enqueue_event(np_del_event)
self.wait_for_all_tasks_done()
def _validate_network_policy_resources(self,
name,
uuid,
spec={},
validate_delete=False,
namespace=None):
ns_name = namespace if namespace else self.ns_name
np_event_obj = NetworkPolicyKM.find_by_name_or_uuid(uuid)
if validate_delete:
self.assertIsNone(np_event_obj)
elif not spec:
fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
name, ns_name)
fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
self.assertIsNotNone(np_event_obj)
self.assertIsNone(fw_policy)
else:
fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
name, ns_name)
fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
self.assertIsNotNone(np_event_obj)
self.assertIsNotNone(fw_policy)
# Validate network policy spec.
self._validate_spec(spec, fw_policy)
def _add_update_network_policy(self, np_name, np_spec = {},
labels=None, locate=False):
np_uuid = str(uuid.uuid4())
np_meta = {'name': np_name,
'uid': np_uuid,
'namespace': self.ns_name}
if labels:
np_meta['labels'] = labels
np_add_event = self.create_event('NetworkPolicy', np_spec,
np_meta, 'ADDED')
NetworkPolicyKM.locate(np_uuid, np_add_event['object'])
self.enqueue_event(np_add_event)
self.wait_for_all_tasks_done()
return np_uuid
def _sync_np_sg(self):
sg_uuid_set = set(SecurityGroupKM.keys())
np_uuid_set = set(NetworkPolicyKM.keys())
deleted_np_set = sg_uuid_set - np_uuid_set
for uuid in deleted_np_set:
sg = SecurityGroupKM.get(uuid)
if not sg or sg.owner != 'k8s':
continue
if not sg.np_spec:
continue
self._create_network_policy_event('delete', sg.uuid)
return
def _sync_np_sg(self):
sg_uuid_set = set(SecurityGroupKM.keys())
np_uuid_set = set(NetworkPolicyKM.keys())
deleted_np_set = sg_uuid_set - np_uuid_set
for uuid in deleted_np_set:
sg = SecurityGroupKM.get(uuid)
if not sg or sg.owner != 'k8s':
continue
if not sg.np_spec:
continue
self._create_network_policy_event('delete', sg.uuid)
return
def vnc_network_policy_add(self, event, namespace, name, uid):
spec = event['object']['spec']
if not spec:
self._logger.error("%s - %s:%s Spec Not Found" \
%(self._name, name, uid))
return
fw_policy_uuid = VncSecurityPolicy.create_firewall_policy(name, namespace, spec)
VncSecurityPolicy.add_firewall_policy(fw_policy_uuid)
# Update kube config db entry for the network policy.
np = NetworkPolicyKM.find_by_name_or_uuid(uid)
if np:
fw_policy_obj = self._vnc_lib.firewall_policy_read(id=fw_policy_uuid)
np.set_vnc_fq_name(":".join(fw_policy_obj.get_fq_name()))
def vnc_network_policy_add(self, event, namespace, name, uid):
spec = event['object']['spec']
if not spec:
self._logger.error("%s - %s:%s Spec Not Found" \
%(self._name, name, uid))
return
fw_policy_uuid = VncSecurityPolicy.create_firewall_policy(name, namespace,
spec, k8s_uuid=uid)
VncSecurityPolicy.add_firewall_policy(fw_policy_uuid)
# Update kube config db entry for the network policy.
np = NetworkPolicyKM.find_by_name_or_uuid(uid)
if np:
fw_policy_obj = self._vnc_lib.firewall_policy_read(id=fw_policy_uuid)
np.set_vnc_fq_name(":".join(fw_policy_obj.get_fq_name()))
def _validate_network_policy_resources(self, name, uuid, spec={},
validate_delete=False,
namespace=None):
ns_name = namespace if namespace else self.ns_name
np_event_obj = NetworkPolicyKM.find_by_name_or_uuid(uuid)
if validate_delete:
self.assertIsNone(np_event_obj)
elif not spec:
fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(name,
ns_name)
fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
self.assertIsNotNone(np_event_obj)
self.assertIsNone(fw_policy)
else:
fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(name,
ns_name)
fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
self.assertIsNotNone(np_event_obj)
self.assertIsNotNone(fw_policy)
# Validate network policy spec.
self._validate_spec(spec, fw_policy)
def sync_cluster_security_policy(cls):
"""
Synchronize K8s network policies with Contrail Security policy.
Expects that FW policies on the APS are in proper order.
Returns a list of orphaned or invalid firewall policies.
"""
# If APS does not exist for this cluster, then there is nothing to do.
if not cls.cluster_aps_uuid:
return []
aps = ApplicationPolicySetKM.find_by_name_or_uuid(cls.cluster_aps_uuid)
if not aps:
return []
# If APS does not match this cluster name, then there is nothing to do.
if aps.name != vnc_kube_config.cluster_name():
return []
# Get the current list of firewall policies on the APS.
fw_policy_uuids = aps.get_firewall_policies()
# Construct list of firewall policies that belong to the cluster.
cluster_firewall_policies = []
for fw_policy_uuid in fw_policy_uuids:
fw_policy = FirewallPolicyKM.find_by_name_or_uuid(fw_policy_uuid)
if fw_policy.cluster_name != vnc_kube_config.cluster_name():
continue
cluster_firewall_policies.append(fw_policy_uuid)
# We are interested only in policies created by k8s user via network
# policy. These policies are sequenced between the infra created ingress
# policy and infra created deny-all policy.
try:
start_index = cluster_firewall_policies.index(
cls.ingress_svc_fw_policy_uuid)
end_index = cluster_firewall_policies.index(
cls.deny_all_fw_policy_uuid)
curr_user_firewall_policies =\
cluster_firewall_policies[start_index+1:end_index]
except ValueError:
return []
# Get list of user created network policies.
configured_network_policies = NetworkPolicyKM.get_configured_policies()
for nw_policy_uuid in configured_network_policies:
np = NetworkPolicyKM.find_by_name_or_uuid(nw_policy_uuid)
if not np or not np.get_vnc_fq_name():
continue
# Decipher the firewall policy corresponding to the network policy.
fw_policy_uuid = FirewallPolicyKM.get_fq_name_to_uuid(
np.get_vnc_fq_name().split(":"))
if not fw_policy_uuid:
# We are yet to process this network policy.
continue
# A firewall policy was found but it is not inbetween the infra
# created policies as expected. Add it again so it will be inserted
# in the right place.
if fw_policy_uuid not in curr_user_firewall_policies:
cls.add_firewall_policy(fw_policy_uuid)
else:
# Filter out processed policies.
curr_user_firewall_policies.remove(fw_policy_uuid)
# Return orphaned firewall policies that could not be validated against
# user created network policy.
headless_fw_policy_uuids = curr_user_firewall_policies
return headless_fw_policy_uuids