Merge pull request #118 from cschwede/networkpolicy

Update Networkpolicy to allow traffic from dataplane and SwiftRing
openstack-k8s-operators · Feb 12, 2024 · b42e9d1 · b42e9d1
2 parents cbb5b08 + d68bac4
commit b42e9d1
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 19 deletions.
diff --git a/controllers/swiftstorage_controller.go b/controllers/swiftstorage_controller.go
@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"time"
 
@@ -54,6 +55,15 @@ type SwiftStorageReconciler struct {
 	Kclient kubernetes.Interface
 }
 
+// Partial struct of the NetworkAttachmentDefinition
+// config to retrieve the subnet range
+type Netconfig struct {
+	Name string `json:"name"`
+	Ipam struct {
+		Range string `json:"range"`
+	} `json:"ipam"`
+}
+
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swiftstorages,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swiftstorages/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swiftstorages/finalizers,verbs=update
@@ -161,18 +171,10 @@ func (r *SwiftStorageReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrlResult, nil
 	}
 
-	// Limit internal storage traffic to Swift services
-	np := swiftstorage.NewNetworkPolicy(swiftstorage.NetworkPolicy(instance), serviceLabels, 5*time.Second)
-	ctrlResult, err = np.CreateOrPatch(ctx, helper)
-	if err != nil {
-		return ctrlResult, err
-	} else if (ctrlResult != ctrl.Result{}) {
-		return ctrlResult, nil
-	}
-
 	// networks to attach to
+	storageNetworkRange := ""
 	for _, netAtt := range instance.Spec.NetworkAttachments {
-		_, err := networkattachment.GetNADWithName(ctx, helper, netAtt, instance.Namespace)
+		nad, err := networkattachment.GetNADWithName(ctx, helper, netAtt, instance.Namespace)
 		if err != nil {
 			if apierrors.IsNotFound(err) {
 				instance.Status.Conditions.Set(condition.FalseCondition(
@@ -191,6 +193,16 @@ func (r *SwiftStorageReconciler) Reconcile(ctx context.Context, req ctrl.Request
 				err.Error()))
 			return ctrl.Result{}, err
 		}
+
+		// Get the storage network subnet range to include it in the
+		// NetworkPolicy for the storage pods
+		config := Netconfig{}
+		if err = json.Unmarshal([]byte(nad.Spec.Config), &config); err != nil {
+			return ctrlResult, err
+		}
+		if config.Name == "storage" {
+			storageNetworkRange = config.Ipam.Range
+		}
 	}
 
 	serviceAnnotations, err := networkattachment.CreateNetworksAnnotation(instance.Namespace, instance.Spec.NetworkAttachments)
@@ -199,6 +211,15 @@ func (r *SwiftStorageReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			instance.Spec.NetworkAttachments, err)
 	}
 
+	// Limit internal storage traffic to Swift services
+	np := swiftstorage.NewNetworkPolicy(swiftstorage.NetworkPolicy(instance, storageNetworkRange), serviceLabels, 5*time.Second)
+	ctrlResult, err = np.CreateOrPatch(ctx, helper)
+	if err != nil {
+		return ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
+	}
+
 	// Statefulset with all backend containers
 	sset := statefulset.NewStatefulSet(swiftstorage.StatefulSet(instance, serviceLabels, serviceAnnotations), 5*time.Second)
 	ctrlResult, err = sset.CreateOrPatch(ctx, helper)

diff --git a/pkg/swiftring/funcs.go b/pkg/swiftring/funcs.go
@@ -16,5 +16,5 @@ limitations under the License.
 package swiftring
 
 func Labels() map[string]string {
-	return map[string]string{"app.kubernetes.io/name": "SwiftRing"}
+	return map[string]string{"batch.kubernetes.io/job-name": "SwiftRing"}
 }
diff --git a/pkg/swiftstorage/networkpolicy.go b/pkg/swiftstorage/networkpolicy.go
@@ -32,12 +32,13 @@ import (
 	swiftv1beta1 "github.com/openstack-k8s-operators/swift-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/swift-operator/pkg/swift"
 	"github.com/openstack-k8s-operators/swift-operator/pkg/swiftproxy"
+	"github.com/openstack-k8s-operators/swift-operator/pkg/swiftring"
 )
 
 //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
 
 func NetworkPolicy(
-	instance *swiftv1beta1.SwiftStorage) *networkingv1.NetworkPolicy {
+	instance *swiftv1beta1.SwiftStorage, storageNetworkRange string) *networkingv1.NetworkPolicy {
 
 	portAccountServer := intstr.FromInt(int(swift.AccountServerPort))
 	portContainerServer := intstr.FromInt(int(swift.ContainerServerPort))
@@ -46,6 +47,23 @@ func NetworkPolicy(
 
 	storageLabels := Labels()
 	proxyLabels := swiftproxy.Labels()
+	ringLabels := swiftring.Labels()
+
+	storagePeers := []networkingv1.NetworkPolicyPeer{
+		{
+			PodSelector: &metav1.LabelSelector{
+				MatchLabels: storageLabels,
+			},
+		},
+	}
+
+	if storageNetworkRange != "" {
+		storagePeers = append(storagePeers, networkingv1.NetworkPolicyPeer{
+			IPBlock: &networkingv1.IPBlock{
+				CIDR: storageNetworkRange,
+			},
+		})
+	}
 
 	return &networkingv1.NetworkPolicy{
 		ObjectMeta: metav1.ObjectMeta{
@@ -72,13 +90,7 @@ func NetworkPolicy(
 							Port: &portRsync,
 						},
 					},
-					From: []networkingv1.NetworkPolicyPeer{
-						{
-							PodSelector: &metav1.LabelSelector{
-								MatchLabels: storageLabels,
-							},
-						},
-					},
+					From: storagePeers,
 				},
 				{
 					Ports: []networkingv1.NetworkPolicyPort{
@@ -98,6 +110,11 @@ func NetworkPolicy(
 								MatchLabels: proxyLabels,
 							},
 						},
+						{
+							PodSelector: &metav1.LabelSelector{
+								MatchLabels: ringLabels,
+							},
+						},
 					},
 				},
 			},