)]}'
{"kuryr_kubernetes/controller/drivers/network_policy.py":[{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"09da24b3385db6ff9955212ea090ed9cb8e85bb6","unresolved":false,"context_lines":[{"line_number":547,"context_line":"            if self._is_pod(resource):"},{"line_number":548,"context_line":"                pod_labels \u003d resource[\u0027metadata\u0027].get(\u0027labels\u0027)"},{"line_number":549,"context_line":"                svc_selector \u003d service[\u0027spec\u0027].get(\u0027selector\u0027)"},{"line_number":550,"context_line":"                if not svc_selector:"},{"line_number":551,"context_line":"                    targets \u003d driver_utils.get_endpoints_targets("},{"line_number":552,"context_line":"                            svc_name, svc_namespace)"},{"line_number":553,"context_line":"                    pod_ip \u003d resource[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":554,"context_line":"                    if pod_ip and pod_ip not in targets:"},{"line_number":555,"context_line":"                        continue"},{"line_number":556,"context_line":"                elif pod_labels:"},{"line_number":557,"context_line":"                    if not driver_utils.match_labels("},{"line_number":558,"context_line":"                            svc_selector, pod_labels):"},{"line_number":559,"context_line":"                        continue"},{"line_number":560,"context_line":"            elif resource.get(\u0027cidr\u0027):"},{"line_number":561,"context_line":"                # NOTE(maysams) Accounts for traffic to pods under"},{"line_number":562,"context_line":"                # a service matching an IPBlock rule."}],"source_content_type":"text/x-python","patch_set":11,"id":"1f621f24_598f3574","line":559,"range":{"start_line":550,"start_character":0,"end_line":559,"end_character":32},"updated":"2020-11-11 08:19:20.000000000","message":"an \"if not 
pod_labels: continue\" is not needed anymore?","commit_id":"25143cf12d5c3dfcbd72ff04267f41f36f7aa3de"},{"author":{"_account_id":27032,"name":"Maysa de Macedo Souza","email":"maysa.macedo95@gmail.com","username":"maysa"},"change_message_id":"06c7afa60e6ff9c3406217889846e001990651a7","unresolved":false,"context_lines":[{"line_number":547,"context_line":"            if self._is_pod(resource):"},{"line_number":548,"context_line":"                pod_labels \u003d resource[\u0027metadata\u0027].get(\u0027labels\u0027)"},{"line_number":549,"context_line":"                svc_selector \u003d service[\u0027spec\u0027].get(\u0027selector\u0027)"},{"line_number":550,"context_line":"                if not svc_selector:"},{"line_number":551,"context_line":"                    targets \u003d driver_utils.get_endpoints_targets("},{"line_number":552,"context_line":"                            svc_name, svc_namespace)"},{"line_number":553,"context_line":"                    pod_ip \u003d resource[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":554,"context_line":"                    if pod_ip and pod_ip not in targets:"},{"line_number":555,"context_line":"                        continue"},{"line_number":556,"context_line":"                elif pod_labels:"},{"line_number":557,"context_line":"                    if not driver_utils.match_labels("},{"line_number":558,"context_line":"                            svc_selector, pod_labels):"},{"line_number":559,"context_line":"                        continue"},{"line_number":560,"context_line":"            elif resource.get(\u0027cidr\u0027):"},{"line_number":561,"context_line":"                # NOTE(maysams) Accounts for traffic to pods under"},{"line_number":562,"context_line":"                # a service matching an IPBlock 
rule."}],"source_content_type":"text/x-python","patch_set":11,"id":"1f621f24_a200d202","line":559,"range":{"start_line":550,"start_character":0,"end_line":559,"end_character":32},"in_reply_to":"1f621f24_598f3574","updated":"2020-11-11 12:12:43.000000000","message":"That code fragment was added to skip attempting to match_labels when there is none to be matched. With the way the conditions are enforced now I don\u0027t see a need to include it.","commit_id":"25143cf12d5c3dfcbd72ff04267f41f36f7aa3de"}],"kuryr_kubernetes/controller/drivers/network_policy_security_groups.py":[{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"c912b173967deec51bf1471d68d0e565dbbbebde","unresolved":false,"context_lines":[{"line_number":449,"context_line":"                namespace\u003dsvc_namespace).get(\u0027items\u0027)"},{"line_number":450,"context_line":"            target_ips \u003d driver_utils.get_endpoints_targets("},{"line_number":451,"context_line":"                svc_name, svc_namespace)"},{"line_number":452,"context_line":"            for pod in pods:"},{"line_number":453,"context_line":"                pod_ip \u003d pod[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":454,"context_line":"                if pod_ip and pod_ip in target_ips:"},{"line_number":455,"context_line":"                    return _get_pod_sgs(pods[0])"},{"line_number":456,"context_line":"        return sg_list[:]"}],"source_content_type":"text/x-python","patch_set":7,"id":"3f65232a_fdc85b75","line":455,"range":{"start_line":452,"start_character":0,"end_line":455,"end_character":48},"updated":"2020-10-21 07:51:47.000000000","message":"should we leave a note about only supporting pods here?\n\nIn addition there may be 2 potential problems:\n- For selector based services we assume all the referenced pods are similar, at least policy wise (note at L441), can we assume the same for services without selectors?\n- 
What if the pod is hostnetworking, what _get_pod_sgs will return? What SGs should we apply in that case?","commit_id":"7a695f952b6fec45437302bc0d87e9a758d41dbf"},{"author":{"_account_id":27032,"name":"Maysa de Macedo Souza","email":"maysa.macedo95@gmail.com","username":"maysa"},"change_message_id":"388731a39571d4d8f74efa70cee4f7204145d8f1","unresolved":false,"context_lines":[{"line_number":449,"context_line":"                namespace\u003dsvc_namespace).get(\u0027items\u0027)"},{"line_number":450,"context_line":"            target_ips \u003d driver_utils.get_endpoints_targets("},{"line_number":451,"context_line":"                svc_name, svc_namespace)"},{"line_number":452,"context_line":"            for pod in pods:"},{"line_number":453,"context_line":"                pod_ip \u003d pod[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":454,"context_line":"                if pod_ip and pod_ip in target_ips:"},{"line_number":455,"context_line":"                    return _get_pod_sgs(pods[0])"},{"line_number":456,"context_line":"        return sg_list[:]"}],"source_content_type":"text/x-python","patch_set":7,"id":"3f65232a_6699501e","line":455,"range":{"start_line":452,"start_character":0,"end_line":455,"end_character":48},"in_reply_to":"3f65232a_fdc85b75","updated":"2020-10-21 20:26:56.000000000","message":"hm, for the first topic, I guess it\u0027s not a safe assumption that all the pods that are targets have the same sg.\n\nfor the second topic, I guess it would behave the same as with svcs with selectors... 
but in any case the default sgs should be passed.\n\nJust as a side note, I\u0027m trying to see if we can get rid of targetRef here https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/handlers/lbaas.py#L296","commit_id":"7a695f952b6fec45437302bc0d87e9a758d41dbf"},{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"1441f76fe93353e96c8eb90b40403478d4f598a6","unresolved":false,"context_lines":[{"line_number":449,"context_line":"                namespace\u003dsvc_namespace).get(\u0027items\u0027)"},{"line_number":450,"context_line":"            target_ips \u003d driver_utils.get_endpoints_targets("},{"line_number":451,"context_line":"                svc_name, svc_namespace)"},{"line_number":452,"context_line":"            for pod in pods:"},{"line_number":453,"context_line":"                pod_ip \u003d pod[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":454,"context_line":"                if pod_ip and pod_ip in target_ips:"},{"line_number":455,"context_line":"                    return _get_pod_sgs(pods[0])"},{"line_number":456,"context_line":"        return sg_list[:]"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f65232a_d5f444d2","line":455,"range":{"start_line":452,"start_character":0,"end_line":455,"end_character":48},"updated":"2020-10-22 07:06:30.000000000","message":"ok, I think we need to leave a note about that, i.e., stating that we will consider (for normal pods) just one type of security group, the ones associated to the first pod found on the endpoints; and that if they are not pods (or pods with hostnetworking) we simply apply the default (allow-all) security group.\n\nAnother option is for selector-less services assume we do not block the access through the service (as this only affects amphora services), and simply return the default SG\n\nI actually tend to like the second option more, as it is 
more easy to explain, simpler, and more deterministic than just take the SGs from the first endpoint","commit_id":"26b9f27e31130a00f59521e55609e475d8782b77"},{"author":{"_account_id":27032,"name":"Maysa de Macedo Souza","email":"maysa.macedo95@gmail.com","username":"maysa"},"change_message_id":"0f49148be4a0f121cce906f79fc6da3c3d657fd8","unresolved":false,"context_lines":[{"line_number":449,"context_line":"                namespace\u003dsvc_namespace).get(\u0027items\u0027)"},{"line_number":450,"context_line":"            target_ips \u003d driver_utils.get_endpoints_targets("},{"line_number":451,"context_line":"                svc_name, svc_namespace)"},{"line_number":452,"context_line":"            for pod in pods:"},{"line_number":453,"context_line":"                pod_ip \u003d pod[\u0027status\u0027].get(\u0027podIP\u0027)"},{"line_number":454,"context_line":"                if pod_ip and pod_ip in target_ips:"},{"line_number":455,"context_line":"                    return _get_pod_sgs(pods[0])"},{"line_number":456,"context_line":"        return sg_list[:]"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f65232a_7b61e139","line":455,"range":{"start_line":452,"start_character":0,"end_line":455,"end_character":48},"in_reply_to":"3f65232a_d5f444d2","updated":"2020-10-22 09:50:46.000000000","message":"Right, another idea...\n\nWhat do you think about only allowing the update of the lb sg in case all the targets (and not any) on the service are affected by the policy being handled[1]? 
consequently I believe it would be sane to assume the same sg is applied to all the pods under that svc.\n\n[1] https://review.opendev.org/#/c/756397/8/kuryr_kubernetes/controller/drivers/utils.py@490","commit_id":"26b9f27e31130a00f59521e55609e475d8782b77"}],"kuryr_kubernetes/controller/drivers/utils.py":[{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"c912b173967deec51bf1471d68d0e565dbbbebde","unresolved":false,"context_lines":[{"line_number":125,"context_line":"    else:"},{"line_number":126,"context_line":"        pods \u003d kubernetes.get("},{"line_number":127,"context_line":"            \u0027{}/pods?labelSelector\u003d{}\u0027.format(constants.K8S_API_BASE, labels))"},{"line_number":128,"context_line":"    if not labels:"},{"line_number":129,"context_line":"        pods \u003d kubernetes.get(\u0027{}/pods\u0027.format(constants.K8S_API_BASE))"},{"line_number":130,"context_line":"    return pods"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":""}],"source_content_type":"text/x-python","patch_set":7,"id":"3f65232a_fd017bb1","line":129,"range":{"start_line":128,"start_character":0,"end_line":129,"end_character":71},"updated":"2020-10-21 07:51:47.000000000","message":"the previous if is using labels, shouldn\u0027t this go before that?","commit_id":"7a695f952b6fec45437302bc0d87e9a758d41dbf"},{"author":{"_account_id":11600,"name":"Michał Dulko","email":"michal.dulko@gmail.com","username":"dulek"},"change_message_id":"4a89c027bd96ca689d39fbe0e4972f5eb43333f7","unresolved":false,"context_lines":[{"line_number":596,"context_line":"            f\u0027{constants.K8S_API_CRD_NAMESPACES}/{namespace}/\u0027"},{"line_number":597,"context_line":"            f\u0027kuryrloadbalancers/{name}\u0027)"},{"line_number":598,"context_line":"    except k_exc.K8sResourceNotFound:"},{"line_number":599,"context_line":"        LOG.debug(\"KuryrLoadBalancer not found: 
%s\","},{"line_number":600,"context_line":"                  name)"},{"line_number":601,"context_line":"        return target_ips"},{"line_number":602,"context_line":"    except k_exc.K8sClientException:"},{"line_number":603,"context_line":"        LOG.exception(\u0027Exception when getting K8s Endpoints.\u0027)"}],"source_content_type":"text/x-python","patch_set":13,"id":"1f621f24_d20ad81d","line":600,"range":{"start_line":599,"start_character":0,"end_line":600,"end_character":23},"updated":"2020-11-13 16:55:41.000000000","message":"No need to split line, also logging the namespace might be useful.","commit_id":"f3587154ca01d36024ae2770aab43e9521fd09cc"}],"kuryr_kubernetes/controller/handlers/kuryrnetworkpolicy.py":[{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"09da24b3385db6ff9955212ea090ed9cb8e85bb6","unresolved":false,"context_lines":[{"line_number":217,"context_line":"            for service in services.get(\u0027items\u0027, []):"},{"line_number":218,"context_line":"                # TODO(ltomasbo): Skip other services that are not affected"},{"line_number":219,"context_line":"                #                 by the policy"},{"line_number":220,"context_line":"                if (not service[\u0027spec\u0027].get(\u0027selector\u0027) or not"},{"line_number":221,"context_line":"                        self._is_service_affected(service, pods_to_update)):"},{"line_number":222,"context_line":"                    continue"},{"line_number":223,"context_line":"                sgs \u003d self._drv_svc_sg.get_security_groups(service, project_id)"}],"source_content_type":"text/x-python","patch_set":11,"id":"1f621f24_99d38d60","line":220,"range":{"start_line":220,"start_character":0,"end_line":220,"end_character":55},"updated":"2020-11-11 08:19:20.000000000","message":"perhaps adding a note here about not supporting NPs on services without selector when using amphora driver could be 
added","commit_id":"25143cf12d5c3dfcbd72ff04267f41f36f7aa3de"}],"releasenotes/notes/network-policy-support-on-services-without-selectors-fea06ab71a8a6f2a.yaml":[{"author":{"_account_id":11600,"name":"Michał Dulko","email":"michal.dulko@gmail.com","username":"dulek"},"change_message_id":"4a89c027bd96ca689d39fbe0e4972f5eb43333f7","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Kuryr can now handle egress Network Policy that allows"},{"line_number":5,"context_line":"    traffic to Pods being Pointed by a Service without Selector."},{"line_number":6,"context_line":"    Also, ingress Network Policy is not enforced on Services"},{"line_number":7,"context_line":"    without Selectors when the Octavia provider is Amphora."}],"source_content_type":"text/x-yaml","patch_set":13,"id":"1f621f24_1753a26c","line":7,"range":{"start_line":4,"start_character":0,"end_line":7,"end_character":59},"updated":"2020-11-13 16:55:41.000000000","message":"Shouldn\u0027t this be added to docs as well?","commit_id":"f3587154ca01d36024ae2770aab43e9521fd09cc"},{"author":{"_account_id":23567,"name":"Luis Tomas Bolivar","email":"ltomasbo@redhat.com","username":"ltomasbo"},"change_message_id":"88e8073b08c4f27e3000dea9dc1f712f682a108c","unresolved":false,"context_lines":[{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Kuryr can now handle egress Network Policy that allows"},{"line_number":5,"context_line":"    traffic to Pods being Pointed by a Service without Selector."},{"line_number":6,"context_line":"    Also, ingress Network Policy is not enforced on Services"},{"line_number":7,"context_line":"    without Selectors when the Octavia provider is 
Amphora."}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f621f24_15c89e71","line":5,"range":{"start_line":5,"start_character":26,"end_line":5,"end_character":27},"updated":"2020-11-17 08:09:41.000000000","message":"p","commit_id":"525dc1521d856445efd9b0b40b975c80af68cbc7"}]}
