def _update_security_groups(self, ns_name, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
# create default security group
sg_name = vnc_kube_config.get_default_sg_name(ns_name)
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg = SecurityGroupKM.locate(sg_obj.get_uuid())
return sg
def _vnc_create_sg(self,
np_spec,
namespace,
name,
uuid=None,
**kwargs_annotations):
proj_fq_name = vnc_kube_config.cluster_project_fq_name(namespace)
proj_obj = Project(name=proj_fq_name[-1],
fq_name=proj_fq_name,
parent='domain')
sg_obj = SecurityGroup(name=name, parent_obj=proj_obj)
if uuid:
sg_obj.uuid = uuid
if np_spec:
kwargs_annotations.update({'np_spec': json.dumps(np_spec)})
self._set_sg_annotations(namespace, name, sg_obj, **kwargs_annotations)
try:
self._vnc_lib.security_group_create(sg_obj)
except Exception:
self._logger.error("%s - %s SG Not Created" % (self._name, name))
return None
sg = SecurityGroupKM.locate(sg_obj.uuid)
return sg
def _update_security_groups(self, ns_name, proj_obj, network_policy):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
sg_dict = {}
# create default security group
sg_name = "-".join(
[vnc_kube_config.cluster_name(), ns_name, 'default'])
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if network_policy and 'ingress' in network_policy:
ingress_policy = network_policy['ingress']
if ingress_policy and 'isolation' in ingress_policy:
isolation = ingress_policy['isolation']
if isolation == 'DefaultDeny':
ingress = False
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[sg_name] = sg_uuid
# create namespace security group
ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg'])
NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group"
id_perms = IdPermsType(enable=True,
description=NAMESPACE_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name=ns_sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=None)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
pass
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[ns_sg_name] = sg_uuid
return sg_dict
def _update_security_groups(self, ns_name, proj_obj):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
# create default security group
sg_name = vnc_kube_config.get_default_sg_name(ns_name)
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if ingress:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name,
parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self,
sg_obj,
namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg = SecurityGroupKM.locate(sg_obj.get_uuid())
return sg
def _update_security_groups(self, ns_name, proj_obj, network_policy):
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
addr = AddressType(
security_group=proj_obj.get_fq_name_str() + ':' + sg)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
sg_dict = {}
# create default security group
sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'default'])
DEFAULT_SECGROUP_DESCRIPTION = "Default security group"
id_perms = IdPermsType(enable=True,
description=DEFAULT_SECGROUP_DESCRIPTION)
rules = []
ingress = True
egress = True
if network_policy and 'ingress' in network_policy:
ingress_policy = network_policy['ingress']
if ingress_policy and 'isolation' in ingress_policy:
isolation = ingress_policy['isolation']
if isolation == 'DefaultDeny':
ingress = False
if ingress:
if self._is_service_isolated(ns_name):
rules.append(_get_rule(True, sg_name, None, 'IPv4'))
rules.append(_get_rule(True, sg_name, None, 'IPv6'))
else:
rules.append(_get_rule(True, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(True, None, '::', 'IPv6'))
if egress:
rules.append(_get_rule(False, None, '0.0.0.0', 'IPv4'))
rules.append(_get_rule(False, None, '::', 'IPv6'))
sg_rules = PolicyEntriesType(rules)
sg_obj = SecurityGroup(name=sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=sg_rules)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
self._vnc_lib.security_group_update(sg_obj)
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[sg_name] = sg_uuid
# create namespace security group
ns_sg_name = "-".join([vnc_kube_config.cluster_name(), ns_name, 'sg'])
NAMESPACE_SECGROUP_DESCRIPTION = "Namespace security group"
id_perms = IdPermsType(enable=True,
description=NAMESPACE_SECGROUP_DESCRIPTION)
sg_obj = SecurityGroup(name=ns_sg_name, parent_obj=proj_obj,
id_perms=id_perms,
security_group_entries=None)
SecurityGroupKM.add_annotations(self, sg_obj, namespace=ns_name,
name=sg_obj.name,
k8s_type=self._k8s_event_type)
try:
self._vnc_lib.security_group_create(sg_obj)
self._vnc_lib.chown(sg_obj.get_uuid(), proj_obj.get_uuid())
except RefsExistError:
pass
sg_obj = self._vnc_lib.security_group_read(sg_obj.fq_name)
sg_uuid = sg_obj.get_uuid()
SecurityGroupKM.locate(sg_uuid)
sg_dict[ns_sg_name] = sg_uuid
return sg_dict