From 31214be86c5104fce2af7043545199e3ad719d4a Mon Sep 17 00:00:00 2001 From: Luis Tomas Bolivar Date: Thu, 14 May 2020 13:07:25 +0200 Subject: [PATCH] Namespace SG driver: remove default egress rules Namespace isolation does not handle egress, so there is no need to keep the egress rules on the namespace associated security groups. This is left to the default SG group and or to the customer to modified the needed SG egress rules on the namespaces as needed. It also adds the possibility of not only have the "default" namespace as exception for the isolation. Change-Id: I5531e4c5f1abde820a17a243217b1e3d3567ddbf --- .../drivers/namespace_security_groups.py | 19 ++++++++++++++----- .../drivers/test_namespace_security_groups.py | 2 +- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/kuryr_kubernetes/controller/drivers/namespace_security_groups.py b/kuryr_kubernetes/controller/drivers/namespace_security_groups.py index 477f5a3d1..ed2dc0c79 100644 --- a/kuryr_kubernetes/controller/drivers/namespace_security_groups.py +++ b/kuryr_kubernetes/controller/drivers/namespace_security_groups.py @@ -34,13 +34,14 @@ "namespaces into the default namespace.")), cfg.StrOpt('sg_allow_from_default', help=_("Default security group to allow traffic from the " - "default namespaces into the other namespaces.")) + "default namespaces into the other namespaces.")), + cfg.ListOpt('global_namespaces', + help=_("Global_namespaces. Default: default"), + default=['default']) ] cfg.CONF.register_opts(namespace_sg_driver_opts, "namespace_sg") -DEFAULT_NAMESPACE = 'default' - def _get_net_crd(namespace): kubernetes = clients.get_kubernetes_client() 
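Review bot: The help string of the new `global_namespaces` option, `help=_("Global_namespaces. Default: default")`, repeats the option name instead of describing what the list does, and this is the one option in the driver where a careless entry widens cross-namespace reachability. Judging from the `_get_extra_sg` change at @@ -87,7 +88,7 @@, a namespace in the list is treated like 'default' and receives the sg_allow_from_namespaces group rather than the per-namespace isolation, so I would write `help=_("Namespaces exempt from namespace isolation and handled like the 'default' namespace (see sg_allow_from_namespaces and sg_allow_from_default); workloads in them are reachable from every other namespace, so keep the list minimal.")`. The "Default: default" suffix can be dropped, since the `default=['default']` argument already carries that information and, as far as I recall, oslo.config prints defaults in generated sample configs.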
@@ -87,7 +88,7 @@ def get_security_groups(self, pod, project_id): def _get_extra_sg(self, namespace): # Differentiates between default namespace and the rest - if namespace == DEFAULT_NAMESPACE: + if namespace in cfg.CONF.namespace_sg.global_namespaces: return [cfg.CONF.namespace_sg.sg_allow_from_namespaces] else: return [cfg.CONF.namespace_sg.sg_allow_from_default] @@ -109,6 +110,14 @@ def create_namespace_sg(self, namespace, project_id, crd_spec): } }).get('security_group') utils.tag_neutron_resources('security-groups', [sg['id']]) + # NOTE(ltomasbo): Neutron populates every new SG with two rules + # allowing egress on IPv4 and IPv6. As namespace + # isolation does not handle egress, we remove them + # and leave egress for the default pods SG, or + # open to modifications per namespace. + for sgr in sg['security_group_rules']: + neutron.delete_security_group_rule(sgr['id']) + neutron.create_security_group_rule( { "security_group_rule": { @@ -176,7 +185,7 @@ def get_security_groups(self, service, project_id): def _get_extra_sg(self, namespace): # Differentiates between default namespace and the rest - if namespace == DEFAULT_NAMESPACE: + if namespace in cfg.CONF.namespace_sg.global_namespaces: return [cfg.CONF.namespace_sg.sg_allow_from_default] else: return [cfg.CONF.namespace_sg.sg_allow_from_namespaces] diff --git a/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py b/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py index 400438db3..694987c0d 100644 --- a/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py +++ b/kuryr_kubernetes/tests/unit/controller/drivers/test_namespace_security_groups.py @@ -221,7 +221,7 @@ def test_create_namespace_sg(self): namespace = 'test' project_id = mock.sentinel.project_id - sg = {'id': mock.sentinel.sg} + sg = {'id': mock.sentinel.sg, 'security_group_rules': []} subnet_cidr = mock.sentinel.subnet_cidr crd_spec = { 'subnetCIDR': subnet_cidr
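Review bot: The comment kept above the changed condition, `# Differentiates between default namespace and the rest`, is now stale in both `_get_extra_sg` methods (this hunk and the one at @@ -176,7 +185,7 @@): the check is against the configurable `namespace_sg.global_namespaces` list, not the literal default namespace. I would change it in both places to `# Differentiates between the configured global namespaces (namespace_sg.global_namespaces) and the rest`. The hunks show only the first lines of each method, so the remainder of the two bodies may continue outside them.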
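Review bot: The new loop in `create_namespace_sg` deletes every rule Neutron returned on the freshly created group, while the NOTE right above it says the intent is to drop only the two default egress rules; if a deployment's default rule set ever contains ingress entries (newer Neutron releases let operators customise the rules applied to new groups, to be confirmed for the targeted version) those would be removed as well and the comment would no longer describe the behaviour. Filtering on direction keeps code and comment in agreement: keep `for sgr in sg['security_group_rules']:`, add `if sgr.get('direction') == 'egress':` and indent the existing `neutron.delete_security_group_rule(sgr['id'])` under it. Each deletion is also a separate Neutron call with no error handling in the hunk, so a failure midway leaves a partially stripped group before the `create_security_group_rule` call that follows; it is worth checking whether the surrounding code catches neutronclient exceptions around this section. `create_namespace_sg` begins before the hunk and continues after it.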