From 7a715b7fb0dfb5629b4164aa54d188ac5dd58e39 Mon Sep 17 00:00:00 2001
From: dineshb-jnpr
Date: Thu, 19 Jul 2018 17:35:38 -0700
Subject: [PATCH] Prepend cluster name to Firewall Policies.

This commit prepends cluster name to Contrail Fw policy object. This is crucial in nested multi-cluster enviroment where netpol with same name can exist in more than one cluster. Hence the need to qualify the policy with cluster name so as to avoid collision.

Change-Id: Ia0606fd6436f10c790afbe9c738245827453bb1d
Closes-Bug: #1782541
---
 .../kube-manager/kube_manager/vnc/vnc_ingress.py | 3 +--
 .../kube_manager/vnc/vnc_network_policy.py | 5 +++--
 .../kube_manager/vnc/vnc_security_policy.py | 13 +++++++------
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/container/kube-manager/kube_manager/vnc/vnc_ingress.py b/src/container/kube-manager/kube_manager/vnc/vnc_ingress.py
index 7c877f35cd7..ccfb8c9a5bf 100644
--- a/src/container/kube-manager/kube_manager/vnc/vnc_ingress.py
+++ b/src/container/kube-manager/kube_manager/vnc/vnc_ingress.py
@@ -951,8 +951,7 @@ def create_ingress_security_policy(self):
 """
 if not VncSecurityPolicy.ingress_svc_fw_policy_uuid:
 VncSecurityPolicy.ingress_svc_fw_policy_uuid =\
- VncSecurityPolicy.create_firewall_policy(
- "-".join([vnc_kube_config.cluster_name(), self._k8s_event_type]),
+ VncSecurityPolicy.create_firewall_policy(self._k8s_event_type,
 None, None, is_global=True)
 VncSecurityPolicy.add_firewall_policy(
 VncSecurityPolicy.ingress_svc_fw_policy_uuid)
diff --git a/src/container/kube-manager/kube_manager/vnc/vnc_network_policy.py b/src/container/kube-manager/kube_manager/vnc/vnc_network_policy.py
index 9f7e2defb62..9ce4e2b8857 100644
--- a/src/container/kube-manager/kube_manager/vnc/vnc_network_policy.py
+++ b/src/container/kube-manager/kube_manager/vnc/vnc_network_policy.py
@@ -560,8 +560,9 @@ def vnc_network_policy_add(self, event, namespace, name, uid):

 # Update kube config db entry for the network policy.
 np = NetworkPolicyKM.find_by_name_or_uuid(uid)
- fw_policy_obj = self._vnc_lib.firewall_policy_read(id=fw_policy_uuid)
- np.set_vnc_fq_name(":".join(fw_policy_obj.get_fq_name()))
+ if np:
+ fw_policy_obj = self._vnc_lib.firewall_policy_read(id=fw_policy_uuid)
+ np.set_vnc_fq_name(":".join(fw_policy_obj.get_fq_name()))

 def _vnc_delete_sg(self, sg):
 for vmi_id in list(sg.virtual_machine_interfaces):
diff --git a/src/container/kube-manager/kube_manager/vnc/vnc_security_policy.py b/src/container/kube-manager/kube_manager/vnc/vnc_security_policy.py
index 5e0388b6c14..134c33d9f3c 100644
--- a/src/container/kube-manager/kube_manager/vnc/vnc_security_policy.py
+++ b/src/container/kube-manager/kube_manager/vnc/vnc_security_policy.py
@@ -480,9 +480,12 @@ def tag_cluster_application_policy_set(cls):
 @classmethod
 def get_firewall_policy_name(cls, name, namespace, is_global):
 if is_global:
- return name
+ policy_name = name
 else:
- return "-".join([namespace, name])
+ policy_name = "-".join([namespace, name])
+
+ # Always prepend firewall policy name with cluster name.
+ return "-".join([vnc_kube_config.cluster_name(), policy_name])

 @classmethod
 def create_firewall_policy(cls, name, namespace, spec, tag_last=False,
@@ -1003,8 +1006,7 @@ def delete_firewall_rule(cls, fw_policy_uuid, fw_rule_uuid):
 def create_allow_all_security_policy(cls):
 if not cls.allow_all_fw_policy_uuid:
 allow_all_fw_policy_uuid =\
- VncSecurityPolicy.create_firewall_policy(
- "-".join([vnc_kube_config.cluster_name(), "allowall"]),
+ VncSecurityPolicy.create_firewall_policy("allowall",
 None, None, is_global=True)
 VncSecurityPolicy.add_firewall_policy(allow_all_fw_policy_uuid,
 append_after_tail=True)
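Review bot: The new `if np:` guard in vnc_network_policy_add silently skips the fq_name bookkeeping when NetworkPolicyKM.find_by_name_or_uuid(uid) returns nothing, although the firewall policy identified by fw_policy_uuid has presumably already been created by the lines above the hunk. A policy that exists in Contrail but whose fq_name is never recorded on the KM object is hard to reconcile or clean up later, so the miss should at least be visible: add an `else:` branch that logs it, e.g. `else: <logger>.warning("NetworkPolicy %s not found in KM db; fq_name of fw policy %s not recorded", uid, fw_policy_uuid)`, using whatever logger this class already has. This guard is also not mentioned in the commit message, which only describes the cluster-name prefix. vnc_network_policy_add starts before the hunk.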
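Review bot: get_firewall_policy_name now builds a flat `"-"`-joined string from cluster name, namespace and name, but `-` is legal inside each of those components, so two distinct (cluster, namespace, name) triples can still yield the same policy name — the collision this commit sets out to avoid — unless uniqueness is actually guaranteed elsewhere (for instance by the parent in the fq_name), which the hunk does not show. That guarantee is worth confirming and stating in a docstring, since the method has none: `"""Return the cluster-qualified firewall policy name: <cluster>-<name> when is_global, else <cluster>-<namespace>-<name>."""`. Note also that every policy name now passes through `vnc_kube_config.cluster_name()`, so a None result would raise TypeError from join (and an empty string would produce a leading `-`) for all policies rather than only the three global ones that joined it before; this is fine only if cluster_name() is guaranteed non-empty, which cannot be verified from here.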
@@ -1014,8 +1016,7 @@ def create_allow_all_security_policy(cls):
 def create_deny_all_security_policy(cls):
 if not cls.deny_all_fw_policy_uuid:
 cls.deny_all_fw_policy_uuid =\
- VncSecurityPolicy.create_firewall_policy(
- "-".join([vnc_kube_config.cluster_name(), "denyall"]),
+ VncSecurityPolicy.create_firewall_policy("denyall",
 None, None, tag_last=True, is_global=True)
 VncSecurityPolicy.add_firewall_policy(cls.deny_all_fw_policy_uuid)