
Commit e8cc234

committed
networkpolicy: provider-scoped policies for multi-network pods
- update messages for logging - update `parsePolicyFor()` to not return error - update `network_policy_test.go` for `parsePolicyFor()` Signed-off-by: akbarkn <akbarkusumanegaralth@gmail.com>
1 parent a36265f commit e8cc234


2 files changed

+11
-32
lines changed


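--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -121,10 +121,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 logRate := parseACLLogRate(np.Annotations)
 
-providers, err := parsePolicyFor(np)
-if err != nil {
-return err
-}
+providers := parsePolicyFor(np)
 
 npName := np.Name
 nameArray := []rune(np.Name)
@@ -536,14 +533,14 @@ func (c *Controller) handleDeleteNp(key string) error {
 return nil
 }
 
-func parsePolicyFor(np *netv1.NetworkPolicy) (set.Set[string], error) {
+func parsePolicyFor(np *netv1.NetworkPolicy) set.Set[string] {
 raw := strings.TrimSpace(np.Annotations[util.NetworkPolicyForAnnotation])
 if raw == "" {
-return nil, nil
+return nil
 }
 
 providers := set.New[string]()
-invalidMsg := `ignore invalid network_policy_for entry %q, expect "ovn" or "<namespace>/<net-attach-def>"`
+invalidMsg := `ignore invalid network_policy_for annotation %q for netpol %s/%s, expect "ovn" or "<namespace>/<net-attach-def>"`
 
 for _, token := range strings.Split(raw, ",") {
 t := strings.TrimSpace(token)
@@ -558,21 +555,21 @@ func parsePolicyFor(np *netv1.NetworkPolicy) (set.Set[string], error) {
 if strings.Contains(t, "/") {
 parts := strings.SplitN(t, "/", 2)
 if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
-klog.Warningf(invalidMsg, t)
+klog.Warningf(invalidMsg, t, np.Namespace, np.Name)
 continue
 }
 provider := fmt.Sprintf("%s.%s.%s", parts[1], parts[0], util.OvnProvider)
 providers.Insert(provider)
 continue
 }
-klog.Warningf(invalidMsg, t)
+klog.Warningf(invalidMsg, t, np.Namespace, np.Name)
 }
 
 if len(providers) == 0 {
-klog.Warning("network_policy_for annotation has no valid entries; policy selects no pods")
-return providers, nil
+klog.Warningf("network_policy_for annotation has no valid entries; policy %s/%s selects no pods", np.Namespace, np.Name)
+return providers
 }
-return providers, nil
+return providers
 }
 
 func netpolAppliesToProvider(provider string, providers set.Set[string]) bool {
@@ -609,8 +606,7 @@ func (c *Controller) fetchSelectedPorts(namespace string, selector *metav1.Label
 if !isOvnSubnet(podNet.Subnet) {
 continue
 }
-provider := podNet.ProviderName
-if !netpolAppliesToProvider(provider, providers) {
+if !netpolAppliesToProvider(podNet.ProviderName, providers) {
 continue
 }
 matchedProvider = true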
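Review bot: `parsePolicyFor` (new lines 536-573) now reports three outcomes through the returned set alone — `nil` when the annotation is absent or blank, an empty non-nil set when every entry was rejected, and a populated set otherwise — and no comment records that contract for callers such as `handleUpdateNp`. The empty case is the security-relevant one: going by the warning text the policy then selects no pods, so a typo in `network_policy_for` leaves the intended pods without the policy and the only trace is a controller log line; a partly valid value such as `ovn, foo` narrows the policy just as quietly. I would add a doc comment along the lines of `// parsePolicyFor returns nil when the annotation is absent, and an empty non-nil set when it is present but has no valid entry (the policy then selects no pods).`, and consider reporting rejected entries on the NetworkPolicy object itself (for instance as an event, if the controller has a way to emit one — not visible here) rather than only in logs. Minor: the `return providers` inside the `len(providers) == 0` branch duplicates the statement that follows it and can be dropped.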

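--- a/pkg/controller/network_policy_test.go
+++ b/pkg/controller/network_policy_test.go
@@ -20,37 +20,32 @@ func TestParsePolicyFor(t *testing.T) {
 name string
 annotation *string
 wantProviders set.Set[string]
-wantErr bool
 }{
 {
 name: "annotation omitted",
 annotation: nil,
 wantProviders: nil,
-wantErr: false,
 },
 {
 name: "ovn only",
 annotation: ptrString("ovn"),
 wantProviders: set.New(
 util.OvnProvider,
 ),
-wantErr: false,
 },
 {
 name: "duplicate ovn",
 annotation: ptrString("ovn, ovn"),
 wantProviders: set.New(
 util.OvnProvider,
 ),
-wantErr: false,
 },
 {
 name: "secondary only",
 annotation: ptrString("ns1/net1"),
 wantProviders: set.New(
 "net1.ns1." + util.OvnProvider,
 ),
-wantErr: false,
 },
 {
 name: "ovn and secondary",
@@ -59,39 +54,33 @@ func TestParsePolicyFor(t *testing.T) {
 util.OvnProvider,
 "net1.ns1."+util.OvnProvider,
 ),
-wantErr: false,
 },
 {
 name: "ovn and invalid",
 annotation: ptrString("ovn, foo"),
 wantProviders: set.New(
 util.OvnProvider,
 ),
-wantErr: false,
 },
 {
 name: "invalid all",
 annotation: ptrString("all"),
 wantProviders: set.New[string](),
-wantErr: false,
 },
 {
 name: "invalid default",
 annotation: ptrString("default"),
 wantProviders: set.New[string](),
-wantErr: false,
 },
 {
 name: "invalid no entries",
 annotation: ptrString(","),
 wantProviders: set.New[string](),
-wantErr: false,
 },
 {
 name: "invalid token",
 annotation: ptrString("foo"),
 wantProviders: set.New[string](),
-wantErr: false,
 },
 }
 
@@ -109,13 +98,7 @@ func TestParsePolicyFor(t *testing.T) {
 }
 }
 
-providers, err := parsePolicyFor(np)
-if tt.wantErr {
-require.Error(t, err)
-return
-}
-
-require.NoError(t, err)
+providers := parsePolicyFor(np)
 if tt.wantProviders == nil {
 require.Nil(t, providers)
 return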
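Review bot: None of the table cases visible in these hunks feeds `parsePolicyFor` a malformed `<namespace>/<net-attach-def>` entry, so the rejection path for slash tokens — one of the two places this commit changes the warning call — is not exercised. Cases such as `annotation: ptrString("ns1/")` and `annotation: ptrString("/net1")` with `wantProviders: set.New[string]()` would pin it. A case for `ptrString("ns1/net1/extra")` would also record what the parser does with a second slash: with `strings.SplitN(t, "/", 2)` the remainder ends up in the name part and, as far as the visible code shows, is accepted as a provider that matches no real network, without the "no valid entries" warning. The table is split across two hunks and the test body continues outside the last one, so a case may exist in the lines not shown.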
