def _get_pod_sgs(pod, project_id):
    """Return the security group ids that apply to *pod*.

    Every KuryrNetPolicy CRD in the pod's namespace contributes its
    ``securityGroupId`` when its ``podSelector`` matches the pod's labels;
    a CRD that carries no ``podSelector`` at all contributes
    unconditionally.  A pod selected by no policy falls back to the
    configured default pod security groups.

    :param pod: pod resource dict; ``metadata.labels`` and
                ``metadata.namespace`` are read
    :param project_id: not read by this function (interface parity)
    :returns: a fresh list of security group ids as strings
    :raises cfg.RequiredOptError: no policy selects the pod and
            ``[neutron_defaults] pod_security_groups`` is unset
    """
    metadata = pod['metadata']
    # NOTE(review): 'labels' may be missing (None here); match_selector is
    # assumed to tolerate that -- confirm against driver_utils.
    labels = metadata.get('labels')
    crds = driver_utils.get_kuryrnetpolicy_crds(
        namespace=metadata['namespace'])

    selected = []
    for crd in crds.get('items'):
        selector = crd['spec'].get('podSelector')
        # A falsy selector is treated as "select everything": the group is
        # attached without consulting the labels.
        if not selector or driver_utils.match_selector(selector, labels):
            sg_id = str(crd['spec']['securityGroupId'])
            LOG.debug("Appending %s", sg_id)
            selected.append(sg_id)

    if selected:
        return selected[:]

    # NOTE(maysams) Pods that are not selected by any Networkpolicy
    # are fully accessible. Thus, the default security group is associated.
    defaults = config.CONF.neutron_defaults.pod_security_groups
    if not defaults:
        raise cfg.RequiredOptError('pod_security_groups',
                                   cfg.OptGroup('neutron_defaults'))
    return defaults[:]
def delete_sg_rules(self, pod):
    """Drop the security group rules that reference *pod*'s IP.

    Walks every KuryrNetPolicy CRD, lets ``_parse_rules_on_delete_pod``
    prune the ingress and egress rules that point at the pod's IP, and
    patches the CRD whenever either direction changed.

    :param pod: pod resource dict
    :returns: ``None`` when the pod has no IP assigned (nothing to
              delete); otherwise the ``podSelector`` of every CRD whose
              ingress rules matched
    """
    pod_name = pod['metadata']['name']
    LOG.debug("Deleting sg rule for pod: %s", pod_name)

    pod_ip = driver_utils.get_pod_ip(pod)
    if not pod_ip:
        LOG.debug("Skipping SG rule deletion as pod %s has no IP assigned",
                  pod_name)
        return None

    affected_selectors = []
    for crd in driver_utils.get_kuryrnetpolicy_crds().get('items'):
        spec = crd['spec']
        selector = spec.get('podSelector')
        ingress_hit, ingress_rules = _parse_rules_on_delete_pod(
            spec.get('ingressSgRules'), "ingress", pod_ip)
        egress_hit, egress_rules = _parse_rules_on_delete_pod(
            spec.get('egressSgRules'), "egress", pod_ip)
        if ingress_hit or egress_hit:
            driver_utils.patch_kuryrnetworkpolicy_crd(
                crd, ingress_rules, egress_rules, selector)
        # Only CRDs whose ingress rules matched are reported back.
        if ingress_hit:
            affected_selectors.append(selector)
    return affected_selectors
def create_sg_rules(self, pod):
    """Add the security group rules a newly created *pod* triggers.

    For each KuryrNetPolicy CRD, ``_parse_rules`` derives the ingress and
    egress rules for the pod; the CRD is patched only when at least one
    direction reported a match.

    :param pod: pod resource dict
    """
    LOG.debug("Creating sg rule for pod: %s", pod['metadata']['name'])
    crds = driver_utils.get_kuryrnetpolicy_crds()
    for crd in crds.get('items'):
        selector = crd['spec'].get('podSelector')
        ingress_hit, ingress_rules = _parse_rules('ingress', crd, pod=pod)
        egress_hit, egress_rules = _parse_rules('egress', crd, pod=pod)
        if not (ingress_hit or egress_hit):
            continue
        driver_utils.patch_kuryr_crd(crd, ingress_rules, egress_rules,
                                     selector)
def create_namespace_sg_rules(self, namespace):
    """Add the security group rules a newly created *namespace* triggers.

    The namespace object is re-read from the Kubernetes API (the argument
    is only used for its name) before ``_parse_rules`` derives the
    ingress and egress rules for every KuryrNetPolicy CRD; CRDs with a
    match in either direction are patched.

    :param namespace: namespace resource dict; only ``metadata.name`` is
                      read
    """
    k8s = clients.get_kubernetes_client()
    ns_name = namespace['metadata']['name']
    LOG.debug("Creating sg rule for namespace: %s", ns_name)

    ns_path = '{}/namespaces/{}'.format(constants.K8S_API_BASE, ns_name)
    fresh_namespace = k8s.get(ns_path)

    for crd in utils.get_kuryrnetpolicy_crds().get('items'):
        selector = crd['spec'].get('podSelector')
        ingress_hit, ingress_rules = _parse_rules('ingress', crd,
                                                  fresh_namespace)
        egress_hit, egress_rules = _parse_rules('egress', crd,
                                                fresh_namespace)
        if ingress_hit or egress_hit:
            utils.patch_kuryr_crd(crd, ingress_rules, egress_rules, selector)
def delete_namespace_sg_rules(self, namespace):
    """Drop the security group rules that were created for *namespace*.

    ``_parse_rules_on_delete_namespace`` prunes, per KuryrNetPolicy CRD,
    the ingress and egress rules tagged with the namespace name; a CRD is
    patched with the surviving rules when either direction changed.

    :param namespace: namespace resource dict; only ``metadata.name`` is
                      read
    """
    ns_name = namespace['metadata']['name']
    LOG.debug("Deleting sg rule for namespace: %s", ns_name)

    for crd in driver_utils.get_kuryrnetpolicy_crds().get('items'):
        spec = crd['spec']
        selector = spec.get('podSelector')
        ingress_hit, ingress_rules = _parse_rules_on_delete_namespace(
            spec.get('ingressSgRules'), "ingress", ns_name)
        egress_hit, egress_rules = _parse_rules_on_delete_namespace(
            spec.get('egressSgRules'), "egress", ns_name)
        if not (ingress_hit or egress_hit):
            continue
        driver_utils.patch_kuryr_crd(crd, ingress_rules, egress_rules,
                                     selector)
def create_namespace_sg_rules(self, namespace):
    """Add the security group rules a newly created *namespace* triggers.

    For each KuryrNetPolicy CRD, ``_parse_rules`` derives the ingress and
    egress rules for the namespace; CRDs with a match in either direction
    are patched.

    :param namespace: namespace resource dict
    :returns: the ``podSelector`` of every CRD whose ingress rules matched
    """
    ns_name = namespace['metadata']['name']
    LOG.debug("Creating sg rule for namespace: %s", ns_name)

    affected_selectors = []
    for crd in driver_utils.get_kuryrnetpolicy_crds().get('items'):
        selector = crd['spec'].get('podSelector')
        ingress_hit, ingress_rules = _parse_rules('ingress', crd,
                                                  namespace=namespace)
        egress_hit, egress_rules = _parse_rules('egress', crd,
                                                namespace=namespace)
        if ingress_hit or egress_hit:
            driver_utils.patch_kuryrnetworkpolicy_crd(
                crd, ingress_rules, egress_rules, selector)
        # Only CRDs whose ingress rules matched are reported back.
        if ingress_hit:
            affected_selectors.append(selector)
    return affected_selectors
def delete_sg_rules(self, pod):
    """Remove the security group rules whose remote prefix is *pod*'s IP.

    Every KuryrNetPolicy CRD is scanned; each ingress/egress rule whose
    ``remote_ip_prefix`` equals the pod IP is deleted from the backend and
    dropped from the CRD, which is then patched with the surviving rules.

    :param pod: pod resource dict
    :returns: the ``podSelector`` of every CRD that lost at least one rule
    """
    LOG.debug("Deleting sg rule for pod: %s", pod['metadata']['name'])
    # NOTE(review): if the pod has no IP this is None and no rule can
    # match, so nothing is deleted -- confirm that is the intended outcome.
    pod_ip = driver_utils.get_pod_ip(pod)

    def prune(rules, log_fmt):
        """Delete rules aimed at pod_ip; return (any_deleted, kept)."""
        kept = []
        any_deleted = False
        for rule in rules:
            LOG.debug(log_fmt, rule)
            sg_rule = rule['security_group_rule']
            prefix = sg_rule.get('remote_ip_prefix')
            if prefix and prefix == pod_ip:
                any_deleted = True
                driver_utils.delete_security_group_rule(sg_rule['id'])
            else:
                kept.append(rule)
        return any_deleted, kept

    affected_selectors = []
    for crd in driver_utils.get_kuryrnetpolicy_crds().get('items'):
        spec = crd['spec']
        selector = spec.get('podSelector')
        # NOTE(review): both rule lists are iterated unconditionally, so a
        # CRD lacking either key would fail here -- confirm the schema
        # always sets them.
        ingress_deleted, ingress_kept = prune(spec.get('ingressSgRules'),
                                              "Parsing ingress rule: %r")
        egress_deleted, egress_kept = prune(spec.get('egressSgRules'),
                                            "Parsing egress rule: %r")
        if ingress_deleted or egress_deleted:
            driver_utils.patch_kuryr_crd(crd, ingress_kept, egress_kept,
                                         selector)
            affected_selectors.append(selector)
    return affected_selectors
def delete_namespace_sg_rules(self, namespace):
    """Remove the security group rules recorded for *namespace*.

    Every KuryrNetPolicy CRD is scanned; each ingress/egress rule whose
    ``namespace`` entry equals the namespace name is deleted from the
    backend and dropped from the CRD, which is then patched with the
    surviving rules.

    :param namespace: namespace resource dict; only ``metadata.name`` is
                      read
    """
    ns_name = namespace['metadata']['name']
    LOG.debug("Deleting sg rule for namespace: %s", ns_name)

    def prune(rules, log_fmt):
        """Delete rules tagged with ns_name; return (any_deleted, kept)."""
        kept = []
        any_deleted = False
        for rule in rules:
            LOG.debug(log_fmt, rule)
            rule_ns = rule.get('namespace', None)
            if rule_ns and rule_ns == ns_name:
                any_deleted = True
                driver_utils.delete_security_group_rule(
                    rule['security_group_rule']['id'])
            else:
                kept.append(rule)
        return any_deleted, kept

    for crd in driver_utils.get_kuryrnetpolicy_crds().get('items'):
        spec = crd['spec']
        selector = spec.get('podSelector')
        # NOTE(review): both rule lists are iterated unconditionally, so a
        # CRD lacking either key would fail here -- confirm the schema
        # always sets them.
        ingress_deleted, ingress_kept = prune(spec.get('ingressSgRules'),
                                              "Parsing ingress rule: %r")
        egress_deleted, egress_kept = prune(spec.get('egressSgRules'),
                                            "Parsing egress rule: %r")
        if ingress_deleted or egress_deleted:
            driver_utils.patch_kuryr_crd(
                crd, ingress_kept, egress_kept, selector)