Merge pull request #231 from luis5tb/remove-default-egress

Namespace SG driver: remove default egress rules
openshift · May 19, 2020 · a236070 · a236070
2 parents c54faa9 + 31214be
commit a236070
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/kuryr_kubernetes/controller/drivers/namespace_security_groups.py b/kuryr_kubernetes/controller/drivers/namespace_security_groups.py
@@ -34,13 +34,14 @@
                       "namespaces into the default namespace.")),
     cfg.StrOpt('sg_allow_from_default',
                help=_("Default security group to allow traffic from the "
-                      "default namespaces into the other namespaces."))
+                      "default namespaces into the other namespaces.")),
+    cfg.ListOpt('global_namespaces',
+                help=_("Global_namespaces. Default: default"),
+                default=['default'])
 ]
 
 cfg.CONF.register_opts(namespace_sg_driver_opts, "namespace_sg")
 
-DEFAULT_NAMESPACE = 'default'
-
 
 def _get_net_crd(namespace):
     kubernetes = clients.get_kubernetes_client()
@@ -87,7 +88,7 @@ def get_security_groups(self, pod, project_id):
 
     def _get_extra_sg(self, namespace):
         # Differentiates between default namespace and the rest
-        if namespace == DEFAULT_NAMESPACE:
+        if namespace in cfg.CONF.namespace_sg.global_namespaces:
             return [cfg.CONF.namespace_sg.sg_allow_from_namespaces]
         else:
             return [cfg.CONF.namespace_sg.sg_allow_from_default]
@@ -109,6 +110,14 @@ def create_namespace_sg(self, namespace, project_id, crd_spec):
                     }
                 }).get('security_group')
             utils.tag_neutron_resources('security-groups', [sg['id']])
+            # NOTE(ltomasbo): Neutron populates every new SG with two rules
+            #                 allowing egress on IPv4 and IPv6. As namespace
+            #                 isolation does not handle egress, we remove them
+            #                 and leave egress for the default pods SG, or
+            #                 open to modifications per namespace.
+            for sgr in sg['security_group_rules']:
+                neutron.delete_security_group_rule(sgr['id'])
+
             neutron.create_security_group_rule(
                 {
                     "security_group_rule": {
@@ -176,7 +185,7 @@ def get_security_groups(self, service, project_id):
 
     def _get_extra_sg(self, namespace):
         # Differentiates between default namespace and the rest
-        if namespace == DEFAULT_NAMESPACE:
+        if namespace in cfg.CONF.namespace_sg.global_namespaces:
             return [cfg.CONF.namespace_sg.sg_allow_from_default]
         else:
             return [cfg.CONF.namespace_sg.sg_allow_from_namespaces]
diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py
@@ -221,7 +221,7 @@ def test_create_namespace_sg(self):
 
         namespace = 'test'
         project_id = mock.sentinel.project_id
-        sg = {'id': mock.sentinel.sg}
+        sg = {'id': mock.sentinel.sg, 'security_group_rules': []}
         subnet_cidr = mock.sentinel.subnet_cidr
         crd_spec = {
             'subnetCIDR': subnet_cidr