Logging info

- Updated configuration.md with info about how to set and adjust log levels
- added .idea/ to .gitignore
- minor typo fixes in controller.py

replacing k8s-network-policy tier with default
- Replaced NET_POL_TIER_NAME with NET_POL_TIER_DEFAULT
- Added code to try and remove "k8s-network-policy" tier if it exists
- some minor pep8 and typo fixes

Removing constants and some now unnecessary checks
- Constants for tier name moved to literals in code
- Removed checks for per-namespace policies to remove as it should be unnecessary now

Moved removal of "k8s-network-policy" tier above creation of default

Author: heschlie

.gitignore

@@ -5,3 +5,4 @@ dist/
 *.tar
 *.created
 *.coverage
+.idea/

configuration.md

@@ -58,4 +58,6 @@ the root directory of the container. This can be done by mounting a file from th
 
 ### Other configuration
 
+* `LOG_LEVEL`: Supports the standard Python log levels. e.g. `LOG_LEVEL=debug`, defaults to `info`
+
 More information on leader election can be found in the [kubernetes/contrib](https://github.com/kubernetes/contrib/tree/master/election#simple-leader-election-with-kubernetes-and-docker) repository.

constants.py

@@ -29,7 +29,6 @@
 NS_POLICY_ANNOTATION = "net.beta.kubernetes.io/network-policy"
 
 # Tier name /order to use for policies.
-NET_POL_TIER_NAME = "k8s-network-policy"
 NET_POL_TIER_ORDER = 1000
 
 # The priority assigned to network policies created by the controller.

controller.py

@@ -20,6 +20,7 @@
 
 _log = logging.getLogger(__name__)
 
+
 # Raised upon receiving an error from the Kubernetes API.
 class KubernetesApiError(Exception):
     pass
@@ -60,7 +61,7 @@ def __init__(self):
         """
 
         elect = os.environ.get("LEADER_ELECTION", "false")
-        self._leader_elect = elect.lower() ==  "true"
+        self._leader_elect = elect.lower() == "true"
         """
         Whether or not leader election is enabled.  If set to False, this
         policy controller will assume it is the only instance.
@@ -133,17 +134,24 @@ def run(self):
             self._wait_for_leadership()
             self._start_leader_thread()
 
+        # Remove old tier if it exists
+        try:
+            _log.debug("Attempting to remove old tier k8s-network-policy")
+            self._client.delete_policy_tier("k8s-network-policy")
+        except KeyError:
+            pass
+
         # Ensure the tier exists.
         metadata = {"order": NET_POL_TIER_ORDER}
-        self._client.set_policy_tier_metadata(NET_POL_TIER_NAME, metadata)
+        self._client.set_policy_tier_metadata("default", metadata)
 
-        # Ensure the backstop policy exists.  This policy fowards
+        # Ensure the backstop policy exists.  This policy forwards
         # any traffic to Kubernetes pods which doesn't match another policy
         # to the next-tier (i.e the per-namespace Profiles).
         selector = "has(%s)" % K8S_NAMESPACE_LABEL
         rules = Rules(inbound_rules=[Rule(action="next-tier")],
                       outbound_rules=[Rule(action="next-tier")])
-        self._client.create_policy(NET_POL_TIER_NAME,
+        self._client.create_policy("default",
                                    "k8s-policy-no-match",
                                    selector,
                                    order=NET_POL_BACKSTOP_ORDER,

handlers/namespace.py

@@ -63,15 +63,6 @@ def add_update_namespace(namespace):
     # update it if it already exists.
     client.create_profile(profile_name, rules, labels)
 
-    # Delete any per-namespace policy.  Older versions of the policy-controller
-    # used to install these, but they're not relevant any more.
-    name = "calico-%s" % profile_name
-    try:
-        client.remove_policy(NET_POL_TIER_NAME, name)
-    except KeyError:
-        # Policy doesn't exist, we're all good.
-        pass
-
     _log.debug("Created/updated profile for namespace %s", namespace_name)
 
 
@@ -80,7 +71,7 @@ def delete_namespace(namespace):
     Takes a deleted namespace and removes the corresponding
     configuration from the Calico datastore.
     """
-    # Delete the Calico policy which represnets this namespace.
+    # Delete the Calico policy which represents this namespace.
     namespace_name = namespace["metadata"]["name"]
     profile_name = NS_PROFILE_FMT % namespace_name
     _log.debug("Deleting namespace profile: %s", profile_name)

handlers/network_policy.py

@@ -37,7 +37,7 @@ def add_update_network_policy(policy):
                       outbound_rules=[Rule(action="allow")])
 
         # Create the network policy using the calculated selector and rules.
-        client.create_policy(NET_POL_TIER_NAME,
+        client.create_policy("default",
                              name,
                              selector,
                              order=NET_POL_ORDER,
@@ -57,6 +57,6 @@ def delete_network_policy(policy):
 
     # Delete the corresponding Calico policy
     try:
-        client.remove_policy(NET_POL_TIER_NAME, name)
+        client.remove_policy("default", name)
     except KeyError:
         _log.info("Unable to find policy '%s' - already deleted", name)