Commit 57f4eea2 authored by Johan Thomsen's avatar Johan Thomsen Committed by Murali Reddy
Browse files

Implemented the use of both namespaceSelector and podSelector in network policy peers (#475) (#479)

* Moved code for evaluation of policy peers into separate func to avoid code duplication

* Ensured fallback to policy namespace, if namespaceSelector is not set
parent 99341199
Showing with 36 additions and 36 deletions
+36 -36
......@@ -1113,25 +1113,10 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() (*[]networkPolicy
} else {
ingressRule.matchAllSource = false
var matchingPods []*api.Pod
var err error
for _, peer := range specIngressRule.From {
// spec must have either of PodSelector or NamespaceSelector
if peer.PodSelector != nil {
matchingPods, err = npc.ListPodsByNamespaceAndLabels(policy.Namespace,
peer.PodSelector.MatchLabels)
} else if peer.NamespaceSelector != nil {
namespaces, err := npc.ListNamespaceByLabels(peer.NamespaceSelector.MatchLabels)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
for _, namespace := range namespaces {
namespacePods, err := npc.ListPodsByNamespaceAndLabels(namespace.Name, nil)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
matchingPods = append(matchingPods, namespacePods...)
}
} else if peer.IPBlock != nil {
peerPods, err := npc.evalPeer(policy, peer)
matchingPods = append(matchingPods, peerPods...)
if peer.PodSelector == nil && peer.NamespaceSelector == nil && peer.IPBlock != nil {
ingressRule.cidrs = append(ingressRule.cidrs, peer.IPBlock.CIDR)
}
if err == nil {
......@@ -1177,25 +1162,10 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() (*[]networkPolicy
} else {
egressRule.matchAllDestinations = false
var matchingPods []*api.Pod
var err error
for _, peer := range specEgressRule.To {
// spec must have either of PodSelector or NamespaceSelector
if peer.PodSelector != nil {
matchingPods, err = npc.ListPodsByNamespaceAndLabels(policy.Namespace,
peer.PodSelector.MatchLabels)
} else if peer.NamespaceSelector != nil {
namespaces, err := npc.ListNamespaceByLabels(peer.NamespaceSelector.MatchLabels)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
for _, namespace := range namespaces {
namespacePods, err := npc.ListPodsByNamespaceAndLabels(namespace.Name, nil)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
matchingPods = append(matchingPods, namespacePods...)
}
} else if peer.IPBlock != nil {
peerPods, err := npc.evalPeer(policy, peer)
matchingPods = append(matchingPods, peerPods...)
if peer.PodSelector == nil && peer.NamespaceSelector == nil && peer.IPBlock != nil {
egressRule.cidrs = append(egressRule.cidrs, peer.IPBlock.CIDR)
}
if err == nil {
......@@ -1218,6 +1188,36 @@ func (npc *NetworkPolicyController) buildNetworkPoliciesInfo() (*[]networkPolicy
return &NetworkPolicies, nil
}
func (npc *NetworkPolicyController) evalPeer(policy *networking.NetworkPolicy, peer networking.NetworkPolicyPeer) ([]*api.Pod, error) {
var matchingPods []*api.Pod
matchingPods = make([]*api.Pod, 0)
var err error
// spec can have both PodSelector AND NamespaceSelector
if peer.NamespaceSelector != nil {
namespaces, err := npc.ListNamespaceByLabels(peer.NamespaceSelector.MatchLabels)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
var podSelectorLabels map[string]string
if peer.PodSelector != nil {
podSelectorLabels = peer.PodSelector.MatchLabels
}
for _, namespace := range namespaces {
namespacePods, err := npc.ListPodsByNamespaceAndLabels(namespace.Name, podSelectorLabels)
if err != nil {
return nil, errors.New("Failed to build network policies info due to " + err.Error())
}
matchingPods = append(matchingPods, namespacePods...)
}
} else if peer.PodSelector != nil {
matchingPods, err = npc.ListPodsByNamespaceAndLabels(policy.Namespace, peer.PodSelector.MatchLabels)
}
return matchingPods, err
}
func (npc *NetworkPolicyController) ListPodsByNamespaceAndLabels(namespace string, labelsToMatch labels.Set) (ret []*api.Pod, err error) {
podLister := listers.NewPodLister(npc.podLister)
allMatchedNameSpacePods, err := podLister.Pods(namespace).List(labelsToMatch.AsSelector())
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment