This repository has been archived by the owner on Jun 26, 2020. It is now read-only.
cross_project_network.yaml
---
name: CrossProjectNetwork
description: >
  Identify cross-project network connections unless the projects are defined as
  being in the same group allowing for inter-connectivity.
  The first four rules below define by name which projects belong in the same
  group, where network inter-connectivity is expected. The use of name to
  specify projects works under the assumption of having a single keystone
  domain in which project names are unique. If names are unsuitable for
  your use case, the policy can be customized to specify
  inter-connectivity groups by ID directly in the project_groups_by_id
  table.
  Note that same_group only holds between projects that are listed in some
  group, so a server in a project that appears in no group is reported even
  when it is attached to that project's own ports and networks. List every
  project whose connectivity should be accepted, including single-project
  groups.
rules:
  -
    comment: >
      User should customize this. project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(1, 'admin')
  -
    comment: >
      User should customize this. project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(1, 'service')
  -
    comment: >
      User should customize this. project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(2, 'demo')
  -
    comment: >
      User should customize this. project_groups_by_name(group_id, project_name).
    rule: >
      project_groups_by_name(2, 'alt_demo')
  -
    comment: >
      Translates the project_groups_by_name defined above to
      project_groups_by_id. If desired, this rule can be replaced by explicit
      definition of the project_groups_by_id table. A name that matches no
      keystone project contributes nothing to the join, so a misspelled name
      silently removes that project from its group.
    rule: >
      project_groups_by_id(group_id, project_id) :-
        project_groups_by_name(group_id, project_name),
        keystonev3:projects(name=project_name, id=project_id)
  -
    comment: "Define that projects belong to the same group of expected inter-connectivity."
    rule: >
      same_group(project_a, project_b) :-
        project_groups_by_id(group_id, project_a),
        project_groups_by_id(group_id, project_b)
  -
    comment: >
      Identify servers associated to a port belonging to a different project
      not in the same group.
    rule: >
      unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name) :-
        neutronv2:ports(id=port_id, tenant_id=port_project_id, network_id=network_id, device_id=server_id),
        nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
        not same_group(port_project_id, server_project_id)
  -
    comment: >
      Identify servers connected to a network belonging to a different project
      not in the same group.
    rule: >
      unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name) :-
        neutronv2:ports(id=port_id, network_id=network_id, device_id=server_id),
        nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
        neutronv2:networks(id=network_id, tenant_id=network_project_id),
        not same_group(server_project_id, network_project_id)
  -
    comment: >
      Warn on servers associated to a port belonging to a different project
      not in the same group. Both keystone lookups bind id to the project ID
      and name to the project name; with the arguments swapped the join
      matches nothing and the warning table stays empty.
    rule: >
      warning(server_project_name, server_project_id, port_project_name, port_project_id, server_name, server_id) :-
        unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name),
        keystonev3:projects(name=server_project_name, id=server_project_id),
        keystonev3:projects(name=port_project_name, id=port_project_id)
  -
    comment: >
      Error on servers connected to a network belonging to a different project
      not in the same group.
    rule: >
      error(server_project_name, server_project_id, network_project_name, network_project_id, server_name, server_id) :-
        unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name),
        keystonev3:projects(name=server_project_name, id=server_project_id),
        keystonev3:projects(name=network_project_name, id=network_project_id)
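To see what these rules actually report, the following is an added example, not Congress code and not part of this policy file: it evaluates the same rule bodies in plain Python over constructed fixture tables standing in for keystonev3:projects, neutronv2:ports, neutronv2:networks and nova:servers. Every project, network, port and server ID in it is invented. The fixture includes a service-owned port on a demo-owned network (reported by error but not by warning) and a project listed in no group, which is reported even though it only touches its own port and network.

```python
"""Plain-Python evaluation of the CrossProjectNetwork Datalog rules.

Added example, not Congress code. All tables below are constructed fixtures
with made-up IDs; column order mirrors the fields the policy joins on.
"""

# keystonev3:projects -> id: name
PROJECTS = {
    "p-admin": "admin",
    "p-service": "service",
    "p-demo": "demo",
    "p-alt": "alt_demo",
    "p-lab": "lab",  # deliberately listed in no group
}

# neutronv2:networks -> (id, tenant_id)
NETWORKS = [("net-admin", "p-admin"), ("net-demo", "p-demo"), ("net-lab", "p-lab")]

# neutronv2:ports -> (id, tenant_id, network_id, device_id)
PORTS = [
    ("port-1", "p-service", "net-admin", "vm-svc"),   # service VM, admin port+net: group 1
    ("port-2", "p-admin", "net-admin", "vm-demo"),    # demo VM on admin port+net: groups differ
    ("port-3", "p-lab", "net-lab", "vm-lab"),         # lab VM on its own port+net: unlisted project
    ("port-4", "p-service", "net-demo", "vm-svc2"),   # service port (ok) on demo network (not ok)
]

# nova:servers -> (id, name, tenant_id)
SERVERS = [
    ("vm-svc", "svc-box", "p-service"),
    ("vm-demo", "demo-box", "p-demo"),
    ("vm-lab", "lab-box", "p-lab"),
    ("vm-svc2", "svc-box-2", "p-service"),
]

# The four user-customized facts from the policy: (group_id, project_name)
PROJECT_GROUPS_BY_NAME = [(1, "admin"), (1, "service"), (2, "demo"), (2, "alt_demo")]


def project_groups_by_id(projects=PROJECTS, by_name=PROJECT_GROUPS_BY_NAME):
    """Join project_groups_by_name with keystone projects on name.

    As in the Datalog join, a name matching no keystone project yields nothing.
    """
    name_to_id = {name: pid for pid, name in projects.items()}
    return {(g, name_to_id[n]) for g, n in by_name if n in name_to_id}


def same_group(a, b, by_id):
    """same_group(a, b): some group id lists both projects."""
    groups_a = {g for g, p in by_id if p == a}
    groups_b = {g for g, p in by_id if p == b}
    return bool(groups_a & groups_b)


def unexpected_server_to_port(ports=PORTS, servers=SERVERS, by_id=None):
    """Servers whose port is owned by a project outside the server's group."""
    by_id = project_groups_by_id() if by_id is None else by_id
    hits = set()
    for _port_id, port_proj, _net_id, device_id in ports:
        for srv_id, srv_name, srv_proj in servers:
            if srv_id == device_id and not same_group(port_proj, srv_proj, by_id):
                hits.add((srv_proj, port_proj, srv_id, srv_name))
    return hits


def unexpected_server_to_network(ports=PORTS, servers=SERVERS, networks=NETWORKS, by_id=None):
    """Servers whose port's network is owned by a project outside the server's group."""
    by_id = project_groups_by_id() if by_id is None else by_id
    net_owner = dict(networks)
    hits = set()
    for _port_id, _port_proj, net_id, device_id in ports:
        for srv_id, srv_name, srv_proj in servers:
            if srv_id == device_id and net_id in net_owner:
                net_proj = net_owner[net_id]
                if not same_group(srv_proj, net_proj, by_id):
                    hits.add((srv_proj, net_proj, srv_id, srv_name))
    return hits


def _with_names(rows, projects=PROJECTS):
    """Resolve both project IDs to names, as the warning/error rules do."""
    return {
        (projects[sp], sp, projects[op], op, srv_name, srv_id)
        for sp, op, srv_id, srv_name in rows
        if sp in projects and op in projects
    }


def warning():
    return _with_names(unexpected_server_to_port())


def error():
    return _with_names(unexpected_server_to_network())


if __name__ == "__main__":
    for row in sorted(warning()):
        print("warning", row)
    for row in sorted(error()):
        print("error", row)
```

Running it prints two warning rows (the demo VM on an admin port, and the lab VM on its own port) and three error rows (those two plus the service VM whose port sits on a demo-owned network). Adding `(3, 'lab')` to PROJECT_GROUPS_BY_NAME removes the lab rows, which is the fix the description's caveat calls for.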