Disable/enable PortSecurity at port level

Signed-off-by: Anwar Hassen <[email protected]>
kubernetes-sigs · Jul 26, 2021 · 3537479 · 3537479
1 parent 3fd8106
commit 3537479
Show file tree

Hide file tree

Showing 9 changed files with 97 additions and 14 deletions.
diff --git a/api/v1alpha4/types.go b/api/v1alpha4/types.go
@@ -130,7 +130,8 @@ type PortOpts struct {
 	ProjectID           string        `json:"projectId,omitempty"`
 	SecurityGroups      *[]string     `json:"securityGroups,omitempty"`
 	AllowedAddressPairs []AddressPair `json:"allowedAddressPairs,omitempty"`
-
+	// Disables PortSecurity at the port level. If not provided, it inherits the corresponding network level value
+	DisablePortSecurity *bool `json:"disablePortSecurity,omitempty"`
 	// The ID of the host where the port is allocated
 	HostID string `json:"hostId,omitempty"`
 

diff --git a/api/v1alpha4/zz_generated.deepcopy.go b/api/v1alpha4/zz_generated.deepcopy.go
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
@@ -1271,6 +1271,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables PortSecurity at the port level.
+                                If not provided, it inherits the corresponding network
+                                level value
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given
@@ -1706,6 +1711,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables PortSecurity at the port level.
+                                If not provided, it inherits the corresponding network
+                                level value
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given
@@ -1971,6 +1981,10 @@ spec:
                         type: array
                       description:
                         type: string
+                      disablePortSecurity:
+                        description: Disables PortSecurity at the port level. If not
+                          provided, it inherits the corresponding network level value
+                        type: boolean
                       fixedIPs:
                         description: Specify pairs of subnet and/or IP address. These
                           should be subnets of the network with the given NetworkID.
@@ -2147,6 +2161,10 @@ spec:
                         type: array
                       description:
                         type: string
+                      disablePortSecurity:
+                        description: Disables PortSecurity at the port level. If not
+                          provided, it inherits the corresponding network level value
+                        type: boolean
                       fixedIPs:
                         description: Specify pairs of subnet and/or IP address. These
                           should be subnets of the network with the given NetworkID.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
@@ -252,6 +252,11 @@ spec:
                                       type: array
                                     description:
                                       type: string
+                                    disablePortSecurity:
+                                      description: Disables PortSecurity at the port
+                                        level. If not provided, it inherits the corresponding
+                                        network level value
+                                      type: boolean
                                     fixedIPs:
                                       description: Specify pairs of subnet and/or
                                         IP address. These should be subnets of the

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml
@@ -564,6 +564,10 @@ spec:
                       type: array
                     description:
                       type: string
+                    disablePortSecurity:
+                      description: Disables PortSecurity at the port level. If not
+                        provided, it inherits the corresponding network level value
+                      type: boolean
                     fixedIPs:
                       description: Specify pairs of subnet and/or IP address. These
                         should be subnets of the network with the given NetworkID.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml
@@ -510,6 +510,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables PortSecurity at the port level.
+                                If not provided, it inherits the corresponding network
+                                level value
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given

diff --git a/docs/book/src/clusteropenstack/configuration.md b/docs/book/src/clusteropenstack/configuration.md
@@ -231,6 +231,13 @@ spec:
 
 Any such ports are created in addition to ports used for connections to networks or subnets.
 
+If PortSecurity disabled for all ports either by setting `OpenStackCluster.spec.disablePortSecurity: true` or for each port individually, `managedSecurityGroups: false` is the only valid option. The following is not a valid coonfiguration and is not supported.
+
+```
+OpenStackCluster.spec.disablePortSecurity: true
+OpenStackCluster.spec.managedSecurityGroups: true
+```
+
 ## Tagging
 
 If your cluster supports tagging servers, you have the ability to tag all resources created by the cluster in the `cluster.yaml` file. Here is an example how to configure tagging:

diff --git a/pkg/cloud/services/compute/bastion.go b/pkg/cloud/services/compute/bastion.go
@@ -58,8 +58,8 @@ func (s *Service) CreateBastion(openStackCluster *infrav1.OpenStackCluster, clus
 		}}
 	}
 	input.Networks = &nets
-
-	out, err := s.createInstance(openStackCluster, clusterName, input)
+	networkLevelPortSecurityDisabled := openStackCluster.Spec.DisablePortSecurity
+	out, err := s.createInstance(openStackCluster, clusterName, input, networkLevelPortSecurityDisabled)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/cloud/services/compute/instance.go b/pkg/cloud/services/compute/instance.go
@@ -35,6 +35,7 @@ import (
 	netext "github.com/gophercloud/gophercloud/openstack/networking/v2/extensions"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/attributestags"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/portsbinding"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/portsecurity"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/trunks"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/networks"
@@ -65,6 +66,11 @@ const (
 	timeoutInstanceDelete = 5 * time.Minute
 )
 
+var portWithPortSecurityExtensions struct {
+	ports.Port
+	portsecurity.PortSecurityExt
+}
+
 func (s *Service) CreateInstance(openStackCluster *infrav1.OpenStackCluster, machine *clusterv1.Machine, openStackMachine *infrav1.OpenStackMachine, clusterName string, userData string) (instance *infrav1.Instance, err error) {
 	if openStackMachine == nil {
 		return nil, fmt.Errorf("create Options need be specified to create instace")
@@ -131,8 +137,8 @@ func (s *Service) CreateInstance(openStackCluster *infrav1.OpenStackCluster, mac
 		return nil, err
 	}
 	input.Networks = nets
-
-	out, err := s.createInstance(openStackMachine, clusterName, input)
+	networkLevelPortSecurityDisabled := openStackCluster.Spec.DisablePortSecurity
+	out, err := s.createInstance(openStackMachine, clusterName, input, networkLevelPortSecurityDisabled)
 	if err != nil {
 		return nil, err
 	}
@@ -143,6 +149,8 @@ func (s *Service) CreateInstance(openStackCluster *infrav1.OpenStackCluster, mac
 // If no networks or ports are in the spec, returns a single network item for a network connection to the default cluster network.
 func (s *Service) constructNetworks(openStackCluster *infrav1.OpenStackCluster, openStackMachine *infrav1.OpenStackMachine) (*[]infrav1.Network, error) {
 	var nets []infrav1.Network
+	// network level DisablePortSecurity
+	networkDisablePortSecurity := openStackCluster.Spec.DisablePortSecurity
 	if len(openStackMachine.Spec.Networks) > 0 {
 		var err error
 		nets, err = s.getServerNetworks(openStackMachine.Spec.Networks)
@@ -151,19 +159,20 @@ func (s *Service) constructNetworks(openStackCluster *infrav1.OpenStackCluster,
 		}
 	}
 	for i, port := range openStackMachine.Spec.Ports {
+		pOpts := &openStackMachine.Spec.Ports[i]
 		if port.NetworkID != "" {
 			nets = append(nets, infrav1.Network{
 				ID:       port.NetworkID,
 				Subnet:   &infrav1.Subnet{},
-				PortOpts: &openStackMachine.Spec.Ports[i],
+				PortOpts: pOpts,
 			})
 		} else {
 			nets = append(nets, infrav1.Network{
 				ID: openStackCluster.Status.Network.ID,
 				Subnet: &infrav1.Subnet{
 					ID: openStackCluster.Status.Network.Subnet.ID,
 				},
-				PortOpts: &openStackMachine.Spec.Ports[i],
+				PortOpts: pOpts,
 			})
 		}
 	}
@@ -174,20 +183,26 @@ func (s *Service) constructNetworks(openStackCluster *infrav1.OpenStackCluster,
 			Subnet: &infrav1.Subnet{
 				ID: openStackCluster.Status.Network.Subnet.ID,
 			},
+			PortOpts: &infrav1.PortOpts{
+				DisablePortSecurity: &networkDisablePortSecurity,
+			},
 		}}
 	}
 	return &nets, nil
 }
 
-func (s *Service) createInstance(eventObject runtime.Object, clusterName string, instance *infrav1.Instance) (*infrav1.Instance, error) {
+func (s *Service) createInstance(eventObject runtime.Object, clusterName string, instance *infrav1.Instance, networkLevelPortSecurityDisabled bool) (*infrav1.Instance, error) {
 	accessIPv4 := ""
 	portList := []servers.Network{}
 
 	for i, network := range *instance.Networks {
 		if network.ID == "" {
 			return nil, fmt.Errorf("no network was found or provided. Please check your machine configuration and try again")
 		}
-
+		// Port inheriting network level PortSecurity policy
+		if network.PortOpts.DisablePortSecurity == nil || networkLevelPortSecurityDisabled {
+			network.PortOpts.DisablePortSecurity = &networkLevelPortSecurityDisabled
+		}
 		portName := getPortName(instance.Name, network.PortOpts, i)
 		port, err := s.getOrCreatePort(eventObject, clusterName, portName, network, instance.SecurityGroups)
 		if err != nil {
@@ -474,13 +489,18 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 		AllowedAddressPairs: []ports.AddressPair{},
 	}
 
-	for _, ap := range portOpts.AllowedAddressPairs {
-		createOpts.AllowedAddressPairs = append(createOpts.AllowedAddressPairs, ports.AddressPair{
-			IPAddress:  ap.IPAddress,
-			MACAddress: ap.MACAddress,
-		})
+	if !*portOpts.DisablePortSecurity {
+		for _, ap := range portOpts.AllowedAddressPairs {
+			createOpts.AllowedAddressPairs = append(createOpts.AllowedAddressPairs, ports.AddressPair{
+				IPAddress:  ap.IPAddress,
+				MACAddress: ap.MACAddress,
+			})
+		}
 	}
 
+	if *portOpts.DisablePortSecurity {
+		createOpts.SecurityGroups = &[]string{}
+	}
 	fixedIPs := make([]ports.IP, 0, len(portOpts.FixedIPs)+1)
 	for _, fixedIP := range portOpts.FixedIPs {
 		fixedIPs = append(fixedIPs, ports.IP{
@@ -508,6 +528,24 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 	}
 
 	record.Eventf(eventObject, "SuccessfulCreatePort", "Created port %s with id %s", port.Name, port.ID)
+	if *portOpts.DisablePortSecurity {
+		err = ports.Get(s.networkClient, port.ID).ExtractInto(&portWithPortSecurityExtensions)
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve por %s: %v", port.Name, err)
+		}
+		if portWithPortSecurityExtensions.PortSecurityEnabled {
+			iFalse := false
+			portUpdateOpts := ports.UpdateOpts{}
+			updateOpts := portsecurity.PortUpdateOptsExt{
+				UpdateOptsBuilder:   portUpdateOpts,
+				PortSecurityEnabled: &iFalse,
+			}
+			err := ports.Update(s.networkClient, port.ID, updateOpts).ExtractInto(&portWithPortSecurityExtensions)
+			if err != nil {
+				return nil, fmt.Errorf("unable to disable portSecurity at port level: %v", err)
+			}
+		}
+	}
 	return port, nil
 }