Change trans SA position

Signed-off-by: wgrayson <wgrayson@vmware.com>
antrea-io · Jan 6, 2022 · af508b0 · af508b0
1 parent 0f46cc4
commit af508b0
Show file tree

Hide file tree

Showing 9 changed files with 351 additions and 301 deletions.
diff --git a/pkg/controller/grouping/group_entity_index.go b/pkg/controller/grouping/group_entity_index.go
@@ -359,8 +359,12 @@ func (i *GroupEntityIndex) deleteEntityFromLabelItem(label, entity string) *labe
 // createLabelItem creates a labelItem based on the provided entityItem.
 // It's called when there is no existing labelItem for a label set.
 func (i *GroupEntityIndex) createLabelItem(entityType entityType, eItem *entityItem) *labelItem {
+	newLabelsDC := map[string]string{}
+	for k,v := range eItem.entity.GetLabels() {
+		newLabelsDC[k] = v
+	}
 	lItem := &labelItem{
-		labels:           eItem.entity.GetLabels(),
+		labels:           newLabelsDC,
 		namespace:        eItem.entity.GetNamespace(),
 		entityType:       entityType,
 		entityItemKeys:   sets.NewString(),

diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
@@ -41,7 +41,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 	nsA := v1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   "nsA",
-			Labels: map[string]string{"foo1": "bar1"},
+			Labels: map[string]string{"foo1": "bar1", "kubernetes.io/metadata.name": "nsA"},
 		},
 	}
 	nsB := v1.Namespace{
@@ -86,6 +86,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 
 	labelSelectorA, _ := metav1.LabelSelectorAsSelector(&selectorA)
 	labelSelectorB, _ := metav1.LabelSelectorAsSelector(&selectorB)
+	labelSelectorE, _ := metav1.LabelSelectorAsSelector(&selectorE)
 	cgA := crdv1alpha3.ClusterGroup{
 		ObjectMeta: metav1.ObjectMeta{Name: "cgA", UID: "uidA"},
 		Spec: crdv1alpha3.GroupSpec{
@@ -1155,7 +1156,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 							},
 						},
 						{
-							PodSelector:       &selectorA,
+							PodSelector: &selectorA,
 						},
 					},
 					Priority: p10,
@@ -1209,7 +1210,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 				Spec: crdv1alpha1.ClusterNetworkPolicySpec{
 					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
 						{
-							PodSelector:       &selectorA,
+							PodSelector: &selectorA,
 						},
 					},
 					Priority: p10,
@@ -1219,7 +1220,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 								{
 									ServiceAccounts: []crdv1alpha1.ServiceAccount{
 										{
-											Name:     saA.Name,
+											Name:      saA.Name,
 											Namespace: saA.Namespace,
 										},
 									},
@@ -1265,15 +1266,15 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 						{
 							To: []crdv1alpha1.NetworkPolicyPeer{
 								{
-									PodSelector:       &selectorA,
+									PodSelector: &selectorA,
 								},
 							},
 							Action: &dropAction,
 							AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
 								{
 									ServiceAccounts: []crdv1alpha1.ServiceAccount{
 										{
-											Name:     saA.Name,
+											Name:      saA.Name,
 											Namespace: saA.Namespace,
 										},
 									},
@@ -1299,17 +1300,95 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 						To: controlplane.NetworkPolicyPeer{
 							AddressGroups: []string{getNormalizedUID(toGroupSelector("", &selectorA, nil, nil).NormalizedName)},
 						},
-						Priority: 0,
-						Action:   &dropAction,
+						Priority:        0,
+						Action:          &dropAction,
 						AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorD, &selectorE, nil).NormalizedName)},
 					},
 				},
-				AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorD, &selectorE, nil).NormalizedName)},
+				AppliedToGroups:  []string{getNormalizedUID(toGroupSelector("", &selectorD, &selectorE, nil).NormalizedName)},
 				AppliedToPerRule: true,
 			},
 			expectedAppliedToGroups: 1,
 			expectedAddressGroups:   1,
 		},
+		{
+			name: "service-account-per-namespace-rule",
+			inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "cnpR", UID: "uidR"},
+				Spec: crdv1alpha1.ClusterNetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.NetworkPolicyPeer{
+						{
+							ServiceAccounts: []crdv1alpha1.ServiceAccount{
+								{
+									Name:      saA.Name,
+									Namespace: saA.Namespace,
+								},
+							},
+						},
+					},
+					Priority: p10,
+					Egress: []crdv1alpha1.Rule{
+						{
+							To: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									Namespaces: &crdv1alpha1.PeerNamespaces{
+										Match: crdv1alpha1.NamespaceMatchSelf,
+									},
+								},
+							},
+							Action: &dropAction,
+						},
+						{
+							To: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &selectorB,
+								},
+							},
+							Action: &allowAction,
+						},
+					},
+				},
+			},
+			expectedPolicy: &antreatypes.NetworkPolicy{
+				UID:  "uidR",
+				Name: "uidR",
+				SourceRef: &controlplane.NetworkPolicyReference{
+					Type: controlplane.AntreaClusterNetworkPolicy,
+					Name: "cnpR",
+					UID:  "uidR",
+				},
+				Priority:     &p10,
+				TierPriority: &DefaultTierPriority,
+				Rules: []controlplane.NetworkPolicyRule{
+					{
+						Direction: controlplane.DirectionOut,
+						To: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(toGroupSelector("nsA", nil, nil, nil).NormalizedName)},
+						},
+						Priority:        0,
+						Action:          &dropAction,
+						AppliedToGroups: []string{getNormalizedUID(toGroupSelector("nsA", &selectorD, nil, nil).NormalizedName)},
+					},
+					{
+						Direction: controlplane.DirectionOut,
+						To: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(toGroupSelector("", nil, &selectorB, nil).NormalizedName)},
+						},
+						Priority:        1,
+						Action:          &allowAction,
+						AppliedToGroups: []string{getNormalizedUID(toGroupSelector("", &selectorD, &selectorE, nil).NormalizedName)},
+					},
+				},
+				AppliedToGroups: []string{
+					getNormalizedUID(toGroupSelector("nsA", &selectorD, nil, nil).NormalizedName),
+					getNormalizedUID(toGroupSelector("", &selectorD, &selectorE, nil).NormalizedName),
+				},
+				AppliedToPerRule:      true,
+				PerNamespaceSelectors: []labels.Selector{labelSelectorE},
+			},
+			expectedAppliedToGroups: 2,
+			expectedAddressGroups:   2,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1324,6 +1403,7 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 				c.tierStore.Add(&tierA)
 			}
 			actualPolicy := c.processClusterNetworkPolicy(tt.inputPolicy)
+			t.Logf("JB： %v", actualPolicy)
 			assert.Equal(t, tt.expectedPolicy.UID, actualPolicy.UID)
 			assert.Equal(t, tt.expectedPolicy.Name, actualPolicy.Name)
 			assert.Equal(t, tt.expectedPolicy.SourceRef, actualPolicy.SourceRef)

diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
@@ -114,6 +114,12 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol
 			}
 		} else if peer.FQDN != "" {
 			fqdns = append(fqdns, peer.FQDN)
+		} else if len(peer.ServiceAccounts) > 0 {
+			newPeers := n.transServiceAccounts(peer.ServiceAccounts)
+			for _, newPeer := range newPeers {
+				normalizedUID := n.createAddressGroup(np.GetNamespace(), newPeer.PodSelector, newPeer.NamespaceSelector, nil)
+				addressGroups = append(addressGroups, normalizedUID)
+			}
 		} else {
 			normalizedUID := n.createAddressGroup(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, peer.ExternalEntitySelector)
 			addressGroups = append(addressGroups, normalizedUID)

diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -299,9 +299,15 @@ var cnpIndexers = cache.Indexers{
 			if peerHasServiceAccounts(ingressRule.From) {
 				return []string{HasServiceAccountsPeer}, nil
 			}
+			if peerHasServiceAccounts(ingressRule.AppliedTo) {
+				return []string{HasServiceAccountsPeer}, nil
+			}
 		}
 		for _, egressRule := range cnp.Spec.Egress {
-			if peerHasServiceAccounts(egressRule.From) {
+			if peerHasServiceAccounts(egressRule.To) {
+				return []string{HasServiceAccountsPeer}, nil
+			}
+			if peerHasServiceAccounts(egressRule.AppliedTo) {
 				return []string{HasServiceAccountsPeer}, nil
 			}
 		}
@@ -479,10 +485,7 @@ func (n *NetworkPolicyController) GetConnectedAgentNum() int {
 func toGroupSelector(namespace string, podSelector, nsSelector, extEntitySelector *metav1.LabelSelector) *antreatypes.GroupSelector {
 	groupSelector := antreatypes.GroupSelector{}
 	if podSelector != nil {
-		pSelector, err := metav1.LabelSelectorAsSelector(podSelector)
-		if err != nil {
-			klog.Info(err.Error())
-		}
+		pSelector, _ := metav1.LabelSelectorAsSelector(podSelector)
 		groupSelector.PodSelector = pSelector
 	}
 	if extEntitySelector != nil {

diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
@@ -546,6 +546,9 @@ func validateServiceAccounts(serviceAccounts []crdv1alpha1.ServiceAccount) (stri
 		if (sa.Name == "") != (sa.Namespace == "") {
 			return "inside serviceAccounts name and namespace must be used together", false
 		}
+		if sa.Name != "" && sa.LabelSelector != nil {
+			return "inside serviceAccounts name and labelSelector can't be used together", false
+		}
 		if sa.LabelSelector == nil && sa.NamespaceSelector != nil {
 			return "inside serviceAccounts namespaceSelector can't be used without labelSelector", false
 		}