[k8s-R5.0.1]: k8s cluster name should be appended over the contrail firewall policy

Bug #1782541 reported by Pulkit Tandon on 2018-07-19
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R5.0
Fix Committed
High
Dinesh Bakiaraj
Trunk
Fix Committed
High
Dinesh Bakiaraj

Bug Description

ocata-master-187

Nested k8s provisioning
Multi cluster setup

The contrail firewall policy created on creating k8s network policy should have cluster name appended over it to avoid conflicts.

Currently, the non default firewall policies created in contrail are having following name:
<namespace_name>-<policy_name>.
If we create same namespace and use same policy name across 2 different clusters, the latest setting override the previous one.
The same FW Policy is applied to both the APS groups of 2 different clusters and affect traffic of one of them.

Attached is the snapshot showing FW policy "test-test-Network-Policy" which is attached to APS of both k8s cluster named k8scluster2, k8scluster1.
Rules under the policy will be inferred from the recent update from wither of the cluster.

Pulkit Tandon (pulkitt) wrote :

Review in progress for https://review.opencontrail.org/44793
Submitter: Dinesh Bakiaraj (<email address hidden>)

Review in progress for https://review.opencontrail.org/44800
Submitter: Dinesh Bakiaraj (<email address hidden>)

Reviewed: https://review.opencontrail.org/44793
Committed: http://github.com/Juniper/contrail-controller/commit/7a715b7fb0dfb5629b4164aa54d188ac5dd58e39
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 7a715b7fb0dfb5629b4164aa54d188ac5dd58e39
Author: dineshb-jnpr <email address hidden>
Date: Thu Jul 19 17:35:38 2018 -0700

Prepend cluster name to Firewall Policies.

This commit prepends cluster name to Contrail Fw policy object.
This is crucial in nested multi-cluster enviroment where netpol with
same name can exist in more than one cluster. Hence the need to qualify
the policy with cluster name so as to avoid collision.

Change-Id: Ia0606fd6436f10c790afbe9c738245827453bb1d
Closes-Bug: #1782541

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/44800
Committed: http://github.com/Juniper/contrail-controller/commit/df796dd49da5bb596ab8abebb4751c8ecc9f2af3
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit df796dd49da5bb596ab8abebb4751c8ecc9f2af3
Author: dineshb-jnpr <email address hidden>
Date: Thu Jul 19 17:35:38 2018 -0700

Prepend cluster name to Firewall Policies.

This commit prepends cluster name to Contrail Fw policy object.
This is crucial in nested multi-cluster enviroment where netpol with
same name can exist in more than one cluster. Hence the need to qualify
the policy with cluster name so as to avoid collision.

Change-Id: Ia0606fd6436f10c790afbe9c738245827453bb1d
Closes-Bug: #1782541

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers