Merge pull request #105 from caseydavenport/ganp

Modify controller to support GA NetworkPolicy
projectcalico · Jul 17, 2017 · 7b1470c · 7b1470c
2 parents 9dba9e1 + fa96715
commit 7b1470c
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 52 deletions.
diff --git a/constants.py b/constants.py
@@ -41,20 +41,13 @@
               RESOURCE_TYPE_NAMESPACE: "%s/api/v1/watch/namespaces",
               RESOURCE_TYPE_NETWORK_POLICY: NET_POLICY_WATCH_PATH}
 
-# Annotation to look for network-isolation on namespaces.
-NS_POLICY_ANNOTATION = "net.beta.kubernetes.io/network-policy"
-
 # Tier name /order to use for policies.
 NET_POL_TIER_ORDER = 1000
 
 # The priority assigned to network policies created by the controller.
 # Lower order -> higher priority.
 NET_POL_ORDER = 1000
 
-# The priority assigned to the backstop policy that applies
-# to traffic which doesn't match one of the configured policies.
-NET_POL_NO_MATCH_ORDER = int(os.environ.get("NO_MATCH_ORDER", 2000))
-
 # Environment variables for getting the Kubernetes API.
 K8S_SERVICE_PORT = "KUBERNETES_SERVICE_PORT"
 K8S_SERVICE_HOST = "KUBERNETES_SERVICE_HOST"

diff --git a/controller.py b/controller.py
@@ -164,17 +164,13 @@ def run(self):
         metadata = {"order": NET_POL_TIER_ORDER}
         self._client.set_policy_tier_metadata("default", metadata)
 
-        # Ensure the backstop policy exists.  This policy forwards
-        # any traffic to Kubernetes pods which doesn't match another policy
-        # to the next-tier (i.e the per-namespace Profiles).
-        selector = "has(%s)" % K8S_NAMESPACE_LABEL
-        rules = Rules(inbound_rules=[Rule(action="next-tier")],
-                      outbound_rules=[Rule(action="next-tier")])
-        self._client.create_policy("default",
-                                   "k8s-policy-no-match",
-                                   selector,
-                                   order=NET_POL_NO_MATCH_ORDER,
-                                   rules=rules)
+        # Previous versions of the controller may have installed a "no-match"
+        # policy, which is no longer desired.  Ensure that it no longer
+        # exists.
+        try:
+            self._client.remove_policy("default", "k8s-policy-no-match")
+        except KeyError:
+            pass
 
         # Read initial state from Kubernetes API.
         self.start_workers()

diff --git a/handlers/namespace.py b/handlers/namespace.py
@@ -24,47 +24,17 @@
 
 def add_update_namespace(namespace):
     """
-    Configures the necessary policy in Calico for this
-    namespace.  Uses the `net.alpha.kubernetes.io/network-isolation`
-    annotation.
+    Configures a Profile for the given Kubernetes namespace.
     """
     namespace_name = namespace["metadata"]["name"]
     _log.debug("Adding/updating namespace: %s", namespace_name)
 
-    # Determine the type of network-isolation specified by this namespace.
-    # This defaults to no isolation.
-    annotations = namespace["metadata"].get("annotations", {})
-    _log.debug("Namespace %s has annotations: %s", namespace_name, annotations)
-    policy_annotation = annotations.get(NS_POLICY_ANNOTATION, "{}")
-    try:
-        policy_annotation = json.loads(policy_annotation)
-    except ValueError, TypeError:
-        _log.exception("Failed to parse namespace annotations: %s", annotations)
-        return
-
-    # Parsed the annotation - get data.  Might not be a dict, so be careful
-    # to catch an AttributeError if it has no get() method.
-    try:
-        ingress_isolation = policy_annotation.get("ingress", {}).get("isolation", "")
-    except AttributeError:
-        _log.exception("Invalid namespace annotation: %s", policy_annotation)
-        return
-
-    isolate_ns = ingress_isolation == "DefaultDeny"
-    _log.debug("Namespace %s has %s.  Isolate=%s",
-            namespace_name, ingress_isolation, isolate_ns)
-
     # Determine the profile name to create.
     profile_name = NS_PROFILE_FMT % namespace_name
 
-    # Determine the rules to use.
-    outbound_rules = [Rule(action="allow")]
-    if isolate_ns:
-        inbound_rules = [Rule(action="deny")]
-    else:
-        inbound_rules = [Rule(action="allow")]
-    rules = Rules(inbound_rules=inbound_rules,
-                  outbound_rules=outbound_rules)
+    # Build the rules to use.
+    rules = Rules(inbound_rules=[Rule(action="allow")],
+                  outbound_rules=[Rule(action="allow")])
 
     # Assign labels to the profile.  We modify the keys to use
     # a special prefix to indicate that these labels are inherited

diff --git a/tests/system/apiserver-reconnection.sh b/tests/system/apiserver-reconnection.sh
@@ -32,6 +32,9 @@ docker run --detach --name=calico-policy-controller \
        calico/kube-policy-controller
 sleep 2
 
+# Create a trap which emits policy controller logs on failure.
+trap "echo 'Test failed - printing logs:'; docker logs calico-policy-controller" ERR
+
 # Create a namespace.
 NS_NAME=chocolate
 create_namespace ${NS_NAME}