Add keystone ingress netpol

Change-Id: I75874b475039c1f7469f11e02e2231254cc9d8ca
Signed-off-by: Huang, Sophie (sh879n) <sh879n@att.com>
Huang, Sophie (sh879n) 2019-09-12 17:06:05 -05:00
parent d2abe39d49
commit 313fe0ca3e
3 changed files with 77 additions and 68 deletions


@ -1,73 +1,68 @@
manifests:
network_policy: true
#NOTE(gagehugo): Test the below whitelist after netpol gate works
#network_policy:
# keystone:
# ingress:
# - from:
# - podSelector:
# matchLabels:
# application: ceph
# - podSelector:
# matchLabels:
# application: ingress
# - podSelector:
# matchLabels:
# application: keystone
# - podSelector:
# matchLabels:
# application: heat
# - podSelector:
# matchLabels:
# application: glance
# - podSelector:
# matchLabels:
# application: cinder
# - podSelector:
# matchLabels:
# application: congress
# - podSelector:
# matchLabels:
# application: barbican
# - podSelector:
# matchLabels:
# application: ceilometer
# - podSelector:
# matchLabels:
# application: horizon
# - podSelector:
# matchLabels:
# application: ironic
# - podSelector:
# matchLabels:
# application: magnum
# - podSelector:
# matchLabels:
# application: mistral
# - podSelector:
# matchLabels:
# application: nova
# - podSelector:
# matchLabels:
# application: neutron
# - podSelector:
# matchLabels:
# application: senlin
# - podSelector:
# matchLabels:
# application: placement
# - podSelector:
# matchLabels:
# application: prometheus-openstack-exporter
# ports:
# - protocol: TCP
# port: 80
# - protocol: TCP
# port: 443
# - protocol: TCP
# port: 5000
# - protocol: TCP
# port: 35357
network_policy:
keystone:
ingress:
- from:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: congress
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: prometheus-openstack-exporter
ports:
- protocol: TCP
port: 5000
- protocol: TCP
port: 35357
# egress:
# - to:
# - namespaceSelector:
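Review bot: The ingress allow-list enabled under `network_policy.keystone.ingress` admits eighteen `application` labels, but the test script changed in this commit checks only a handful of them, and only on port 5000. Entries such as congress, senlin, magnum, mistral and ironic, and port 35357, are switched on with no case that exercises them. Because each entry is a bare `podSelector`, any pod in the namespace that carries one of these labels can reach the identity API, so every label kept here widens access. The removed NOTE is not replaced by anything; I would add a comment above the block along the lines of `# Allow-list of keystone API clients: keep only applications this job deploys, and add a test_netpol case per entry`. Indentation is not visible on this page, so whether `ports:` sits in the same rule as `from:` should be confirmed in the file itself.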


@ -43,15 +43,22 @@ function test_netpol {
#test_netpol openstack mariadb server rabbitmq.openstack.svc.cluster.local:5672 fail
#test_netpol openstack rabbitmq-rabbitmq server memcached.openstack.svc.cluster.local:11211 fail
#test_netpol openstack memcached server mariadb.openstack.svc.cluster.local:3306 fail
test_netpol openstack mariadb server keystone-api.openstack.svc.cluster.local:5000 fail
test_netpol openstack mariadb ingress keystone-api.openstack.svc.cluster.local:5000 fail
test_netpol openstack memcached server keystone-api.openstack.svc.cluster.local:5000 fail
test_netpol openstack rabbitmq server keystone-api.openstack.svc.cluster.local:5000 fail
# Doing positive tests
test_netpol openstack keystone api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack keystone api rabbitmq.openstack.svc.cluster.local:5672 success
test_netpol openstack ingress server keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack prometheus-openstack-exporter exporter keystone-api.openstack.svc.cluster.local:5000 success
if kubectl -n openstack get pod -l application=cinder | grep Running ; then
# Negative Cinder Tests
#test_netpol openstack keystone api cinder-api.openstack.svc.cluster.local fail
# Positive Cinder Tests
test_netpol openstack cinder api rabbitmq.openstack.svc.cluster.local:5672 success
test_netpol openstack cinder api keystone-api.openstack.svc.cluster.local:5000 success
else
# Negative Compute-Kit Tests
#test_netpol openstack keystone api heat-api.openstack.svc.cluster.local fail
@ -59,6 +66,12 @@ else
# Positive Compute-Kit Tests
test_netpol openstack heat api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack glance api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack heat api keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack glance api keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack horizon server keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack nova os-api keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack nova compute keystone-api.openstack.svc.cluster.local:5000 success
test_netpol openstack neutron l3-agent keystone-api.openstack.svc.cluster.local:5000 success
fi
echo Test Success
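Review bot: The new negative case `test_netpol openstack rabbitmq server keystone-api.openstack.svc.cluster.local:5000 fail` selects the application as `rabbitmq`, while the commented-out case a few lines above it uses `rabbitmq-rabbitmq`, so one of the two label values is probably wrong. The body of `test_netpol` is outside this hunk, but if it looks up the source pod by label and then runs a connection attempt in it, a lookup that matches no pod would also end in a failed connection, and the `fail` expectation would pass without the policy having been tested. I would confirm the label against the running pods and add a comment above the negative block such as `# a "fail" result only counts if the source pod was found; test_netpol should abort when the label lookup is empty`. None of the added cases covers port 35357, which the policy also opens.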


@ -289,6 +289,7 @@
- ./tools/deployment/component/nfs-provisioner/nfs-provisioner.sh
- ./tools/deployment/component/keystone/keystone.sh
- ./tools/deployment/component/heat/heat.sh
- ./tools/deployment/component/horizon/horizon.sh
- ./tools/deployment/component/glance/glance.sh
- ./tools/deployment/component/compute-kit/openvswitch.sh
- ./tools/deployment/component/compute-kit/libvirt.sh