Disable/enable PortSecurity at port level

Signed-off-by: Anwar Hassen <[email protected]>
kubernetes-sigs · Jul 13, 2021 · ac16771 · ac16771
1 parent a1ccb52
commit ac16771
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 14 deletions.
diff --git a/api/v1alpha4/types.go b/api/v1alpha4/types.go
@@ -130,7 +130,8 @@ type PortOpts struct {
 	ProjectID           string        `json:"projectId,omitempty"`
 	SecurityGroups      *[]string     `json:"securityGroups,omitempty"`
 	AllowedAddressPairs []AddressPair `json:"allowedAddressPairs,omitempty"`
-
+	// Disables the PortSecurity at the network level. If disabled, PortSecurity is also disabled for all ports.
+	DisablePortSecurity bool `json:"disablePortSecurity,omitempty"`
 	// The ID of the host where the port is allocated
 	HostID string `json:"hostId,omitempty"`
 

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
@@ -1264,6 +1264,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables the PortSecurity at the network
+                                level. If disabled, PortSecurity is also disabled
+                                for all ports.
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given
@@ -1693,6 +1698,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables the PortSecurity at the network
+                                level. If disabled, PortSecurity is also disabled
+                                for all ports.
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given
@@ -1958,6 +1968,10 @@ spec:
                         type: array
                       description:
                         type: string
+                      disablePortSecurity:
+                        description: Disables the PortSecurity at the network level.
+                          If disabled, PortSecurity is also disabled for all ports.
+                        type: boolean
                       fixedIPs:
                         description: Specify pairs of subnet and/or IP address. These
                           should be subnets of the network with the given NetworkID.
@@ -2102,6 +2116,10 @@ spec:
                         type: array
                       description:
                         type: string
+                      disablePortSecurity:
+                        description: Disables the PortSecurity at the network level.
+                          If disabled, PortSecurity is also disabled for all ports.
+                        type: boolean
                       fixedIPs:
                         description: Specify pairs of subnet and/or IP address. These
                           should be subnets of the network with the given NetworkID.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml
@@ -558,6 +558,10 @@ spec:
                       type: array
                     description:
                       type: string
+                    disablePortSecurity:
+                      description: Disables the PortSecurity at the network level.
+                        If disabled, PortSecurity is also disabled for all ports.
+                      type: boolean
                     fixedIPs:
                       description: Specify pairs of subnet and/or IP address. These
                         should be subnets of the network with the given NetworkID.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml
@@ -503,6 +503,11 @@ spec:
                               type: array
                             description:
                               type: string
+                            disablePortSecurity:
+                              description: Disables the PortSecurity at the network
+                                level. If disabled, PortSecurity is also disabled
+                                for all ports.
+                              type: boolean
                             fixedIPs:
                               description: Specify pairs of subnet and/or IP address.
                                 These should be subnets of the network with the given

diff --git a/pkg/cloud/services/compute/bastion.go b/pkg/cloud/services/compute/bastion.go
@@ -58,8 +58,8 @@ func (s *Service) CreateBastion(openStackCluster *infrav1.OpenStackCluster, clus
 		}}
 	}
 	input.Networks = &nets
-
-	out, err := s.createInstance(openStackCluster, clusterName, input)
+	networkLevelPortSecurityDisabled := openStackCluster.Spec.DisablePortSecurity
+	out, err := s.createInstance(openStackCluster, clusterName, input, networkLevelPortSecurityDisabled)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/cloud/services/compute/instance.go b/pkg/cloud/services/compute/instance.go
@@ -35,6 +35,7 @@ import (
 	netext "github.com/gophercloud/gophercloud/openstack/networking/v2/extensions"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/attributestags"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/portsbinding"
+	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/portsecurity"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/trunks"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/networks"
@@ -65,6 +66,11 @@ const (
 	timeoutInstanceDelete = 5 * time.Minute
 )
 
+var portWithPortSecurityExtensions struct {
+	ports.Port
+	portsecurity.PortSecurityExt
+}
+
 func (s *Service) CreateInstance(openStackCluster *infrav1.OpenStackCluster, machine *clusterv1.Machine, openStackMachine *infrav1.OpenStackMachine, clusterName string, userData string) (instance *infrav1.Instance, err error) {
 	if openStackMachine == nil {
 		return nil, fmt.Errorf("create Options need be specified to create instace")
@@ -131,8 +137,8 @@ func (s *Service) CreateInstance(openStackCluster *infrav1.OpenStackCluster, mac
 		return nil, err
 	}
 	input.Networks = nets
-
-	out, err := s.createInstance(openStackMachine, clusterName, input)
+	networkLevelPortSecurityDisabled := openStackCluster.Spec.DisablePortSecurity
+	out, err := s.createInstance(openStackMachine, clusterName, input, networkLevelPortSecurityDisabled)
 	if err != nil {
 		return nil, err
 	}
@@ -179,7 +185,7 @@ func (s *Service) constructNetworks(openStackCluster *infrav1.OpenStackCluster,
 	return &nets, nil
 }
 
-func (s *Service) createInstance(eventObject runtime.Object, clusterName string, instance *infrav1.Instance) (*infrav1.Instance, error) {
+func (s *Service) createInstance(eventObject runtime.Object, clusterName string, instance *infrav1.Instance, networkLevelPortSecurityDisabled bool) (*infrav1.Instance, error) {
 	accessIPv4 := ""
 	portList := []servers.Network{}
 
@@ -189,7 +195,7 @@ func (s *Service) createInstance(eventObject runtime.Object, clusterName string,
 		}
 
 		portName := getPortName(instance.Name, network.PortOpts, i)
-		port, err := s.getOrCreatePort(eventObject, clusterName, portName, network, instance.SecurityGroups)
+		port, err := s.getOrCreatePort(eventObject, clusterName, portName, network, instance.SecurityGroups, networkLevelPortSecurityDisabled)
 		if err != nil {
 			return nil, err
 		}
@@ -421,7 +427,7 @@ func (s *Service) getServerNetworks(networkParams []infrav1.NetworkParam) ([]inf
 	return nets, nil
 }
 
-func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string, portName string, net infrav1.Network, instanceSecurityGroups *[]string) (*ports.Port, error) {
+func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string, portName string, net infrav1.Network, instanceSecurityGroups *[]string, networkDisabledPortSecurity bool) (*ports.Port, error) {
 	allPages, err := ports.List(s.networkClient, ports.ListOpts{
 		Name:      portName,
 		NetworkID: net.ID,
@@ -459,6 +465,10 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 		securityGroups = instanceSecurityGroups
 	}
 
+	if networkDisabledPortSecurity {
+		portOpts.DisablePortSecurity = true
+		record.Eventf(eventObject, "Port inherited network level PortSecurity policy", "port: %s", portName)
+	}
 	createOpts := ports.CreateOpts{
 		Name:                portName,
 		NetworkID:           net.ID,
@@ -471,13 +481,18 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 		AllowedAddressPairs: []ports.AddressPair{},
 	}
 
-	for _, ap := range portOpts.AllowedAddressPairs {
-		createOpts.AllowedAddressPairs = append(createOpts.AllowedAddressPairs, ports.AddressPair{
-			IPAddress:  ap.IPAddress,
-			MACAddress: ap.MACAddress,
-		})
+	if !portOpts.DisablePortSecurity {
+		for _, ap := range portOpts.AllowedAddressPairs {
+			createOpts.AllowedAddressPairs = append(createOpts.AllowedAddressPairs, ports.AddressPair{
+				IPAddress:  ap.IPAddress,
+				MACAddress: ap.MACAddress,
+			})
+		}
 	}
 
+	if portOpts.DisablePortSecurity {
+		createOpts.SecurityGroups = &[]string{}
+	}
 	fixedIPs := make([]ports.IP, 0, len(portOpts.FixedIPs)+1)
 	for _, fixedIP := range portOpts.FixedIPs {
 		fixedIPs = append(fixedIPs, ports.IP{
@@ -492,7 +507,6 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 		createOpts.FixedIPs = fixedIPs
 	}
 	mc := metrics.NewMetricPrometheusContext("port", "create")
-
 	port, err := ports.Create(s.networkClient, portsbinding.CreateOptsExt{
 		CreateOptsBuilder: createOpts,
 		HostID:            portOpts.HostID,
@@ -505,6 +519,24 @@ func (s *Service) getOrCreatePort(eventObject runtime.Object, clusterName string
 	}
 
 	record.Eventf(eventObject, "SuccessfulCreatePort", "Created port %s with id %s", port.Name, port.ID)
+	if portOpts.DisablePortSecurity {
+		err = ports.Get(s.networkClient, port.ID).ExtractInto(&portWithPortSecurityExtensions)
+		if err != nil {
+			return nil, fmt.Errorf("unable to retrieve por %s: %v", port.Name, err)
+		}
+		if portWithPortSecurityExtensions.PortSecurityEnabled {
+			iFalse := false
+			portUpdateOpts := ports.UpdateOpts{}
+			updateOpts := portsecurity.PortUpdateOptsExt{
+				UpdateOptsBuilder:   portUpdateOpts,
+				PortSecurityEnabled: &iFalse,
+			}
+			err := ports.Update(s.networkClient, port.ID, updateOpts).ExtractInto(&portWithPortSecurityExtensions)
+			if err != nil {
+				return nil, fmt.Errorf("unable to disable portSecurity at port level: %v", err)
+			}
+		}
+	}
 	return port, nil
 }