Network policy

Support by kuryr

Content

• Translation from Network Policy to Security-Group
• Pod creation flow
• How mapping data is saved
• Pod annotation format

spec:� podSelector:� matchLabels:� role: db� policyTypes:� - Ingress� ingress:� - from:� - ipBlock:� cidr: 1.1.1.0/24� except:� - 1.1.1.0/26� - namespaceSelector:� matchLabels:� project: myproject� - podSelector:� matchLabels:� role: frontend� ports:� - protocol: TCP� port: 6379

Neutron Translate:

Create SG that applied on pods with “role:db”

K8s watches:

Watch all pods “role: db” Watch callback - annotate pods with sg-id

Egress should allow all.

Ingress according to spec

Translated to set of remote ip prefix : (1.1.1.128/25 , 1.1.1.64/26)

remote_group_id :

Remote group uses for all ingress

Watch on namespace that matches to query “project: my project”

remote_group_id :

Remote group uses for all ingress

Watches on pods that matches to query “role: frontend”

Neutron security-groups ports and protocol

Execution flow:

Saving the data

• Each security-group will be tagged by it’s policy-id
• Ingress and egress groups will be tagged by policy_id and [“_ingress”/”_egress”] suffix.
• When policy is created it needs to set all watches , and the policy-id should be supplied for callbacks as metadata.
• On controller startup :
• Watch on network-policies is set - and for each policy the fetch the relevant SG by TAG.
• Reset all policy watches.
• Diff between selected pods should be done (query neutron and k8s and make diff).
• If policy was changed (it’s resource version could be saved as tag on SG) it should update the SG rules in case of a change.
• (Discussion - performance impact and what must to be done in first phase)

Pod annotation (pseudo code )

{

"Annotations": {

"openstack.org/kuryr-pod-policy-sg": [

"42410272-f907-11e7-bd05-d481d7c65424" ,

“d015b536-f90a-11e7-a9ff-d481d7c65424”

]

# maybe remote-groups will also be added here

}

}

​

​