From 6c65d21e945e907ae95995941b219d3f936604e5 Mon Sep 17 00:00:00 2001
From: Gayathri Kathiri <gayathri.devi@imaginea.com>
Date: Thu, 9 Jan 2020 11:58:34 +0000
Subject: [PATCH] Add Glance ingress network policy overrides

This patch set introduces the ingress network policy overrides
for Glance.

Change-Id: I2b28445dd6f0d2f1f8238d0d4bc1804136c92346
---
 glance/values_overrides/netpol.yaml           | 59 +++++++++----------
 tools/deployment/common/test-networkpolicy.sh |  9 +++
 2 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/glance/values_overrides/netpol.yaml b/glance/values_overrides/netpol.yaml
index cdadaf1345..a1402dd588 100644
--- a/glance/values_overrides/netpol.yaml
+++ b/glance/values_overrides/netpol.yaml
@@ -1,38 +1,35 @@
 manifests:
   network_policy: true
-#NOTE(gagehugo): Test this whitelist when the netpol gate works
 network_policy:
   glance:
-#    ingress:
-#      - from:
-#        - podSelector:
-#            matchLabels:
-#              application: glance
-#        - podSelector:
-#            matchLabels:
-#              application: nova
-#        - podSelector:
-#            matchLabels:
-#              application: horizon
-#        - podSelector:
-#            matchLabels:
-#              application: ingress
-#        - podSelector:
-#            matchLabels:
-#              application: heat
-#        - podSelector:
-#            matchLabels:
-#              application: ironic
-#        - podSelector:
-#            matchLabels:
-#              application: cinder
-#        ports:
-#        - protocol: TCP
-#          port: 80
-#        - protocol: TCP
-#          port: 9191
-#        - protocol: TCP
-#          port: 9292
+    ingress:
+      - from:
+        - podSelector:
+            matchLabels:
+              application: glance
+        - podSelector:
+            matchLabels:
+              application: nova
+        - podSelector:
+            matchLabels:
+              application: horizon
+        - podSelector:
+            matchLabels:
+              application: ingress
+        - podSelector:
+            matchLabels:
+              application: heat
+        - podSelector:
+            matchLabels:
+              application: ironic
+        - podSelector:
+            matchLabels:
+              application: cinder
+        ports:
+        - protocol: TCP
+          port: 9191
+        - protocol: TCP
+          port: 9292
     egress:
       - to:
         ports:
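Review bot: The single ingress rule grants every listed source both TCP 9191 and 9292, so nova, horizon, heat, ironic, cinder and the ingress pods can reach 9191 as well as the API port. Assuming 9191 is the glance-registry port, as in Glance's defaults, only glance pods need it, and splitting the rule in two would keep the allow-list least-privilege. The selectors match on the `application` label alone, so any pod in the namespace carrying one of those labels is admitted; a short comment above `ingress:` stating that would help the next reader. Port 80 from the old commented-out draft is dropped without explanation, and the egress block continues outside this hunk, so it is not reviewed here.

```yaml
    ingress:
      # Registry port: glance pods only.
      - from:
        - podSelector:
            matchLabels:
              application: glance
        ports:
        - protocol: TCP
          port: 9191
      # API port: services that consume the image API.
      - from:
        # … unchanged: the seven application podSelectors …
        ports:
        - protocol: TCP
          port: 9292
```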
diff --git a/tools/deployment/common/test-networkpolicy.sh b/tools/deployment/common/test-networkpolicy.sh
index c4268a8f33..accd49a6d3 100755
--- a/tools/deployment/common/test-networkpolicy.sh
+++ b/tools/deployment/common/test-networkpolicy.sh
@@ -69,6 +69,10 @@ else
 # Negative Compute-Kit Tests
   #test_netpol openstack keystone api heat-api.openstack.svc.cluster.local fail
   #test_netpol openstack keystone api glance-api.openstack.svc.cluster.local fail
+  test_netpol openstack mariadb server glance-api.openstack.svc.cluster.local:9292 fail
+  test_netpol openstack memcached server glance-api.openstack.svc.cluster.local:9292 fail
+  test_netpol openstack keystone api glance-api.openstack.svc.cluster.local:9292 fail
+
 # Positive Compute-Kit Tests
   test_netpol openstack heat api mariadb.openstack.svc.cluster.local:3306 success
   test_netpol openstack glance api mariadb.openstack.svc.cluster.local:3306 success
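Review bot: The commented-out `#test_netpol openstack keystone api glance-api.openstack.svc.cluster.local fail` just above the added lines is now superseded by the new keystone → glance-api:9292 case and can be deleted rather than left as dead text. The three negative cases probe only port 9292, while the policy in netpol.yaml also opens 9191, so a denial on that port is not exercised; a matching `fail` case against `<registry-service>:9191` (placeholder, the service name is not visible here) would close that gap. The `test_netpol` helper is defined outside this hunk, so it is unclear whether a `fail` result distinguishes a policy drop from an unreachable target.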
@@ -78,6 +82,11 @@ else
   test_netpol openstack nova os-api keystone-api.openstack.svc.cluster.local:5000 success
   test_netpol openstack nova compute keystone-api.openstack.svc.cluster.local:5000 success
   test_netpol openstack neutron l3-agent keystone-api.openstack.svc.cluster.local:5000 success
+  test_netpol openstack ingress server glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack nova os-api glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack nova compute glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack heat api glance-api.openstack.svc.cluster.local:9292 success
+  test_netpol openstack horizon server glance-api.openstack.svc.cluster.local:9292 success
 fi
 
 echo Test Success
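Review bot: The added positive cases cover ingress, nova, heat and horizon, but not `application: glance`, which the new allow-list also names and which this script already uses as a source for the mariadb check. Adding `test_netpol openstack glance api glance-api.openstack.svc.cluster.local:9292 success` would confirm that glance's own pods are not locked out by the policy. ironic and cinder are also allow-listed but untested; they are presumably not deployed in the compute-kit gate, which is worth stating in a comment above the positive block so the omission reads as deliberate.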