
Commit 77ed1f5

authored
Merge pull request #46 from cybozu-go/fix-exclude-labels
Make excludeLabels only affect the same NetworkPolicyAdmissionRule
2 parents c23bc41 + 778653e commit 77ed1f5


4 files changed

+32
-18
lines changed


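--- a/e2e/suite_test.go
+++ b/e2e/suite_test.go
@@ -24,6 +24,9 @@ var (
 
 //go:embed t/node-deny-npar.yaml
 nodeDenyNetworkPolicyAdmissionRule []byte
+
+//go:embed t/exclude-only-npar.yaml
+excludeOnlyNetworkPolicyAdmissionRule []byte
 )
 
 func TestE2E(t *testing.T) {
@@ -47,4 +50,5 @@ var _ = BeforeSuite(func() {
 By("setting up default NetworkPolicyAdmissionRules")
 kubectlSafe(bmcDenyNetworkPolicyAdmissionRule, "apply", "-f", "-")
 kubectlSafe(nodeDenyNetworkPolicyAdmissionRule, "apply", "-f", "-")
+kubectlSafe(excludeOnlyNetworkPolicyAdmissionRule, "apply", "-f", "-")
 })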

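--- a/e2e/t/exclude-only-npar.yaml
+++ b/e2e/t/exclude-only-npar.yaml
@@ -0,0 +1,8 @@
+apiVersion: tenet.cybozu.io/v1beta2
+kind: NetworkPolicyAdmissionRule
+metadata:
+name: exclude-only-npar
+spec:
+namespaceSelector:
+excludeLabels:
+team: tenant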
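Review bot: The fixture does not say why a rule that has excludeLabels but no forbiddenIPRanges or forbiddenEntities exists, so a later reader may take it for an incomplete rule and "complete" it, which would change what the suite exercises. Presumably it is there to show that the `team: tenant` exclusion on this rule no longer switches off the bmc-deny and node-deny rules that suite_test.go applies alongside it, which is the behaviour the PR title describes. A comment above `spec:` such as `# Intentionally forbids nothing: checks that excludeLabels on one rule no longer disables the other rules for team=tenant namespaces` would pin that intent down.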

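--- a/hooks/ciliumnetworkpolicy.go
+++ b/hooks/ciliumnetworkpolicy.go
@@ -73,25 +73,21 @@ func (v *ciliumNetworkPolicyValidator) handleCreateOrUpdate(ctx context.Context,
 return admission.Errored(http.StatusInternalServerError, err)
 }
 
-if !v.shouldValidate(ns, &nparl) {
-return admission.Allowed("")
-}
-
-res = v.validateIP(nparl, cnp)
+res = v.validateIP(nparl, cnp, ns.Labels)
 if !res.Allowed {
 return res
 }
 
-return v.validateEntity(nparl, cnp)
+return v.validateEntity(nparl, cnp, ns.Labels)
 }
 
-func (v *ciliumNetworkPolicyValidator) validateIP(nparl tenetv1beta2.NetworkPolicyAdmissionRuleList, cnp *unstructured.Unstructured) admission.Response {
+func (v *ciliumNetworkPolicyValidator) validateIP(nparl tenetv1beta2.NetworkPolicyAdmissionRuleList, cnp *unstructured.Unstructured, ls map[string]string) admission.Response {
 egressPolicies, ingressPolicies, err := v.gatherIPPolicies(cnp)
 if err != nil {
 return admission.Errored(http.StatusBadRequest, err)
 }
 
-egressFilters, ingressFilters, err := v.gatherIPFilters(&nparl)
+egressFilters, ingressFilters, err := v.gatherIPFilters(&nparl, ls)
 if err != nil {
 return admission.Errored(http.StatusInternalServerError, err)
 }
@@ -112,12 +108,12 @@ func (v *ciliumNetworkPolicyValidator) validateIP(nparl tenetv1beta2.NetworkPoli
 return admission.Allowed("")
 }
 
-func (v *ciliumNetworkPolicyValidator) validateEntity(nparl tenetv1beta2.NetworkPolicyAdmissionRuleList, cnp *unstructured.Unstructured) admission.Response {
+func (v *ciliumNetworkPolicyValidator) validateEntity(nparl tenetv1beta2.NetworkPolicyAdmissionRuleList, cnp *unstructured.Unstructured, ls map[string]string) admission.Response {
 egressPolicies, ingressPolicies, err := v.gatherEntityPolicies(cnp)
 if err != nil {
 return admission.Errored(http.StatusBadRequest, err)
 }
-egressFilters, ingressFilters := v.gatherEntityFilters(&nparl)
+egressFilters, ingressFilters := v.gatherEntityFilters(&nparl, ls)
 for _, egressPolicy := range egressPolicies {
 for _, egressFilter := range egressFilters {
 if egressPolicy == egressFilter {
@@ -135,12 +131,10 @@ func (v *ciliumNetworkPolicyValidator) validateEntity(nparl tenetv1beta2.Network
 return admission.Allowed("")
 }
 
-func (v *ciliumNetworkPolicyValidator) shouldValidate(ns *corev1.Namespace, nparl *tenetv1beta2.NetworkPolicyAdmissionRuleList) bool {
-for _, npar := range nparl.Items {
-for k, v := range npar.Spec.NamespaceSelector.ExcludeLabels {
-if ns.Labels[k] == v {
-return false
-}
+func (v *ciliumNetworkPolicyValidator) shouldValidate(npar *tenetv1beta2.NetworkPolicyAdmissionRule, ls map[string]string) bool {
+for k, v := range npar.Spec.NamespaceSelector.ExcludeLabels {
+if ls[k] == v {
+return false
 }
 }
 return true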
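Review bot: The comparison on new line 136, `if ls[k] == v {`, cannot tell a namespace whose label k is absent apart from one whose label k is set to the empty string, because a missing map key yields "". If an excludeLabels entry may carry an empty value (Kubernetes allows empty label values), every namespace that lacks that label would then skip the rule and its forbidden ranges and entities; the removed code had the same lookup, but since the check is being rewritten it is the place to tighten it: `if got, ok := ls[k]; ok && got == v {`. The loop variable `v` on new line 135 also shadows the receiver `v` for the body of the loop; naming it `want` avoids that. shouldValidate has no doc comment and is now called from ciliumnetworkpolicy_util.go, so `// shouldValidate reports whether npar applies to a namespace with labels ls; it returns false as soon as any excludeLabels entry matches.` would state the any-match semantics explicitly.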

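--- a/hooks/ciliumnetworkpolicy_util.go
+++ b/hooks/ciliumnetworkpolicy_util.go
@@ -54,9 +54,13 @@ func (v *ciliumNetworkPolicyValidator) toIPNetSlice(raw []string) ([]*net.IPNet,
 return res, nil
 }
 
-func (v *ciliumNetworkPolicyValidator) gatherIPFilters(nparl *tenetv1beta2.NetworkPolicyAdmissionRuleList) ([]*net.IPNet, []*net.IPNet, error) {
+func (v *ciliumNetworkPolicyValidator) gatherIPFilters(nparl *tenetv1beta2.NetworkPolicyAdmissionRuleList, ls map[string]string) ([]*net.IPNet, []*net.IPNet, error) {
 var egressFilters, ingressFilters []*net.IPNet
 for _, npar := range nparl.Items {
+if !v.shouldValidate(&npar, ls) {
+continue
+}
+
 for _, ipRange := range npar.Spec.ForbiddenIPRanges {
 _, cidr, err := net.ParseCIDR(ipRange.CIDR)
 if err != nil {
@@ -80,9 +84,13 @@ func (v *ciliumNetworkPolicyValidator) gatherEntityPolicies(cnp *unstructured.Un
 return v.gatherPolicies(cnp, cilium.EntityRuleKey, v.gatherPoliciesFromStringRule)
 }
 
-func (v *ciliumNetworkPolicyValidator) gatherEntityFilters(nparl *tenetv1beta2.NetworkPolicyAdmissionRuleList) ([]string, []string) {
+func (v *ciliumNetworkPolicyValidator) gatherEntityFilters(nparl *tenetv1beta2.NetworkPolicyAdmissionRuleList, ls map[string]string) ([]string, []string) {
 var egressFilters, ingressFilters []string
 for _, npar := range nparl.Items {
+if !v.shouldValidate(&npar, ls) {
+continue
+}
+
 for _, entity := range npar.Spec.ForbiddenEntities {
 switch entity.Type {
 case tenetv1beta2.NetworkPolicyAdmissionRuleTypeAll: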
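Review bot: gatherIPFilters and gatherEntityFilters gain an `ls map[string]string` parameter on new lines 57 and 87 without anything saying what the map is, and neither function carries a doc comment. The callers in ciliumnetworkpolicy.go pass `ns.Labels`, so a comment above each function along the lines of `// ls holds the labels of the namespace the policy is being admitted into; rules whose excludeLabels match ls contribute no filters.` would make the new contract explicit. The same applies to the second hunk of this file, where the identical guard is added to gatherEntityFilters. Both function bodies continue past the end of their hunks.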
