[k8s-R5.0.1]: k8s cluster name should be appended over the contrail firewall policy

Bug #1782541 reported by Pulkit Tandon
Affects: Juniper Openstack (status tracked in Trunk)
  R5.0   Status: Fix Committed   Importance: High   Assigned to: Dinesh Bakiaraj
  Trunk  Status: Fix Committed   Importance: High   Assigned to: Dinesh Bakiaraj

Bug Description

ocata-master-187

Nested k8s provisioning
Multi cluster setup

The Contrail firewall policy created when a k8s network policy is created should have the cluster name appended to it to avoid conflicts.

Currently, the non-default firewall policies created in Contrail have the following name:
<namespace_name>-<policy_name>.
If we create the same namespace and use the same policy name across 2 different clusters, the latest setting overrides the previous one.
The same FW policy is applied to the APS groups of both of the 2 different clusters and affects the traffic of one of them.

Attached is the snapshot showing FW policy "test-test-Network-Policy", which is attached to the APS of both k8s clusters, named k8scluster2 and k8scluster1.
Rules under the policy will be inferred from the most recent update from either of the clusters.

Pulkit Tandon (pulkitt) wrote :
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/44793
Submitter: Dinesh Bakiaraj (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0

Review in progress for https://review.opencontrail.org/44800
Submitter: Dinesh Bakiaraj (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/44793
Committed: http://github.com/Juniper/contrail-controller/commit/7a715b7fb0dfb5629b4164aa54d188ac5dd58e39
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 7a715b7fb0dfb5629b4164aa54d188ac5dd58e39
Author: dineshb-jnpr <email address hidden>
Date: Thu Jul 19 17:35:38 2018 -0700

Prepend cluster name to Firewall Policies.

This commit prepends cluster name to Contrail Fw policy object.
This is crucial in nested multi-cluster environment where netpol with
same name can exist in more than one cluster. Hence the need to qualify
the policy with cluster name so as to avoid collision.

Change-Id: Ia0606fd6436f10c790afbe9c738245827453bb1d
Closes-Bug: #1782541

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/44800
Committed: http://github.com/Juniper/contrail-controller/commit/df796dd49da5bb596ab8abebb4751c8ecc9f2af3
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit df796dd49da5bb596ab8abebb4751c8ecc9f2af3
Author: dineshb-jnpr <email address hidden>
Date: Thu Jul 19 17:35:38 2018 -0700

Prepend cluster name to Firewall Policies.

This commit prepends cluster name to Contrail Fw policy object.
This is crucial in nested multi-cluster environment where netpol with
same name can exist in more than one cluster. Hence the need to qualify
the policy with cluster name so as to avoid collision.

Change-Id: Ia0606fd6436f10c790afbe9c738245827453bb1d
Closes-Bug: #1782541
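
The collision in the bug description and the effect of the cluster-name prefix from the commits, as an added example that is not part of the original report and is not Contrail code. It models the controller as a name-keyed store with plain dicts; the events, the rule strings, the split of "test-test-Network-Policy" into namespace and policy name, and the exact layout of the prefixed name are assumptions.

```python
from collections import defaultdict

# Constructed sample: (cluster, namespace, NetworkPolicy name, rules).
EVENTS = [
    ("k8scluster1", "test", "test-Network-Policy", ["allow tcp/80 from app=web"]),
    ("k8scluster2", "test", "test-Network-Policy", ["allow tcp/5432 from app=db"]),
]

def legacy_name(cluster, namespace, policy):
    # Scheme quoted in the bug description: <namespace_name>-<policy_name>
    return f"{namespace}-{policy}"

def qualified_name(cluster, namespace, policy):
    # Assumed layout; the commits only say the cluster name is prepended.
    return f"{cluster}-{namespace}-{policy}"

def sync(events, namer):
    """Upsert firewall policies by name and attach them to each cluster's APS."""
    policies = {}            # firewall policy name -> rules (last writer wins)
    aps = defaultdict(set)   # cluster -> firewall policy names on its APS
    for cluster, namespace, policy, rules in events:
        name = namer(cluster, namespace, policy)
        policies[name] = list(rules)
        aps[cluster].add(name)
    return policies, aps

def shared_policies(aps):
    """Audit check: policies referenced by the APS of more than one cluster."""
    owners = defaultdict(set)
    for cluster, names in aps.items():
        for name in names:
            owners[name].add(cluster)
    return {n: sorted(c) for n, c in owners.items() if len(c) > 1}

def effective_rules(policies, aps, cluster):
    """Rules actually enforced for one cluster after all events are applied."""
    return sorted(rule for name in aps[cluster] for rule in policies[name])

if __name__ == "__main__":
    for namer in (legacy_name, qualified_name):
        policies, aps = sync(EVENTS, namer)
        print(namer.__name__, "shared:", shared_policies(aps))
        for cluster in sorted(aps):
            print("  ", cluster, effective_rules(policies, aps, cluster))
```

The `shared_policies` check is the part worth keeping for audits: any firewall policy referenced from the APS of more than one cluster means one cluster's NetworkPolicy updates are rewriting another cluster's rules.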
