diff --git a/npm/pkg/controlplane/translation/parseSelector.go b/npm/pkg/controlplane/translation/parseSelector.go
index 0e464b16ff..1d54d39757 100644
--- a/npm/pkg/controlplane/translation/parseSelector.go
+++ b/npm/pkg/controlplane/translation/parseSelector.go
@@ -7,61 +7,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// ParseLabel takes a Azure-NPM processed label then returns if it's referring to complement set, -// and if so, returns the original set as well. -func ParseLabel(label string) (string, bool) { - // The input label is guaranteed to have a non-zero length validated by k8s. - // For label definition, see below parseSelector() function. - if label[0:1] == util.IptablesNotFlag { - return label[1:], true - } - return label, false -} - -// GetOperatorAndLabel returns the operator associated with the label and the label without operator. -func GetOperatorAndLabel(labelWithOp string) (op, label string) { - // TODO(jungukcho): check whether this is possible - if labelWithOp == "" { - return op, label - } - - // in case "!"" Operaror do not exist - if string(labelWithOp[0]) != util.IptablesNotFlag { - label = labelWithOp - return op, label - } - - // in case "!"" Operaror exists - op, label = util.IptablesNotFlag, labelWithOp[1:] - return op, label -} - -// GetOperatorsAndLabels returns the operators along with the associated labels. 
-func GetOperatorsAndLabels(labelsWithOps []string) (ops, labelsWithoutOps []string) { - ops = make([]string, len(labelsWithOps)) - labelsWithoutOps = make([]string, len(labelsWithOps)) - - for i, labelWithOp := range labelsWithOps { - op, labelWithoutOp := GetOperatorAndLabel(labelWithOp) - ops[i] = op - labelsWithoutOps[i] = labelWithoutOp - } - return ops, labelsWithoutOps -} - -// getSetNameForMultiValueSelector takes in label with multiple values without operator -// and returns a new 2nd level ipset name -func getSetNameForMultiValueSelector(key string, vals []string) string { - newIPSet := key - for _, val := range vals { - newIPSet = util.GetIpSetFromLabelKV(newIPSet, val) - } - return newIPSet -} - -// FlattenNameSpaceSelector will help flatten multiple nameSpace selector match Expressions values +// flattenNameSpaceSelector will help flatten multiple nameSpace selector match Expressions values // into multiple label selectors helping with the OR condition. -func FlattenNameSpaceSelector(nsSelector *metav1.LabelSelector) []metav1.LabelSelector { +func flattenNameSpaceSelector(nsSelector *metav1.LabelSelector) []metav1.LabelSelector { /* This function helps to create multiple labelSelectors when given a single multivalue nsSelector Take below example: this nsSelector has 2 values in a matchSelector. 
@@ -179,66 +127,6 @@ func zipMatchExprs(baseSelectors []metav1.LabelSelector, matchExpr metav1.LabelS return zippedLabelSelectors } -// parseSelector takes a LabelSelector and returns a slice of processed labels, Lists with members as values. -// this function returns a slice of all the label ipsets excluding multivalue matchExprs -// and a map of labelKeys and labelIpsetname for multivalue match exprs -// higher level functions will need to compute what sets or ipsets should be -// used from this map -func parseSelector(selector *metav1.LabelSelector) (labels []string, vals map[string][]string) { - // TODO(jungukcho): check return values - // labels []string and []string{} - if selector == nil { - return labels, vals - } - - labels = []string{} - vals = make(map[string][]string) - if len(selector.MatchLabels) == 0 && len(selector.MatchExpressions) == 0 { - labels = append(labels, "") - return labels, vals - } - - sortedKeys, sortedVals := util.SortMap(&selector.MatchLabels) - for i := range sortedKeys { - labels = append(labels, sortedKeys[i]+":"+sortedVals[i]) - } - - for _, req := range selector.MatchExpressions { - var k string - switch op := req.Operator; op { - case metav1.LabelSelectorOpIn: - k = req.Key - if len(req.Values) == 1 { - labels = append(labels, k+":"+req.Values[0]) - } else { - // We are not adding the k:v to labels for multiple values, because, labels are used - // to construct partial IptEntries and if these below labels are added then we are inducing - // AND condition on values of a match expression instead of OR - vals[k] = append(vals[k], req.Values...) - } - case metav1.LabelSelectorOpNotIn: - k = util.IptablesNotFlag + req.Key - if len(req.Values) == 1 { - labels = append(labels, k+":"+req.Values[0]) - } else { - vals[k] = append(vals[k], req.Values...) 
- } - // Exists matches pods with req.Key as key - case metav1.LabelSelectorOpExists: - k = req.Key - labels = append(labels, k) - // DoesNotExist matches pods without req.Key as key - case metav1.LabelSelectorOpDoesNotExist: - k = util.IptablesNotFlag + req.Key - labels = append(labels, k) - default: - log.Errorf("Invalid operator [%s] for selector [%v] requirement", op, *selector) - } - } - - return labels, vals -} - // labelSelector has parsed matchLabels and MatchExpressions information. type labelSelector struct { // include is a flag to indicate whether Op exists or not. @@ -297,7 +185,7 @@ func (ps *parsedSelectors) addSelector(include bool, setType ipsets.SetType, set // parseNSSelector parses namespaceSelector and returns slice of labelSelector object // which includes operator, setType, ipset name and always nil members slice. // Member slices is always nil since parseNSSelector function is called -// after FlattenNameSpaceSelector function is called, which guarantees +// after flattenNameSpaceSelector function is called, which guarantees // there is no matchExpression with multiple values. // TODO: good to remove this dependency later if possible. func parseNSSelector(selector *metav1.LabelSelector) []labelSelector { diff --git a/npm/pkg/controlplane/translation/parseSelector_test.go b/npm/pkg/controlplane/translation/parseSelector_test.go index e88ef1507f..6285051e6c 100644 --- a/npm/pkg/controlplane/translation/parseSelector_test.go +++ b/npm/pkg/controlplane/translation/parseSelector_test.go 
@@ -4,310 +4,20 @@ import ( "reflect" "testing" - "github.com/Azure/azure-container-networking/npm/util" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func TestParseLabel(t *testing.T) { - label, isComplementSet := ParseLabel("test:frontend") - expectedLabel := "test:frontend" - if isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("!test:frontend") - expectedLabel = "test:frontend" - if !isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("test") - expectedLabel = "test" - if isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("!test") - expectedLabel = "test" - if !isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("!!test") - expectedLabel = "!test" - if !isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("test:!frontend") - expectedLabel = "test:!frontend" - if isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } - - label, isComplementSet = ParseLabel("!test:!frontend") - expectedLabel = "test:!frontend" - if !isComplementSet || label != expectedLabel { - t.Errorf("TestParseLabel failed @ label %s", label) - } -} - -func TestGetOperatorAndLabel(t *testing.T) { - testLabels := []string{ - "a", - "k:v", - "", - "!a:b", - "!a", - } - - resultOperators, resultLabels := []string{}, []string{} - for _, testLabel := range testLabels { - resultOperator, resultLabel := GetOperatorAndLabel(testLabel) - resultOperators = append(resultOperators, resultOperator) - resultLabels = append(resultLabels, resultLabel) - } - - expectedOperators := []string{ - "", - "", - "", - 
util.IptablesNotFlag, - util.IptablesNotFlag, - } - - expectedLabels := []string{ - "a", - "k:v", - "", - "a:b", - "a", - } - - if !reflect.DeepEqual(resultOperators, expectedOperators) { - t.Errorf("TestGetOperatorAndLabel failed @ operator comparison") - } - - if !reflect.DeepEqual(resultLabels, expectedLabels) { - t.Errorf("TestGetOperatorAndLabel failed @ label comparison") - } -} - -func TestGetOperatorsAndLabels(t *testing.T) { - testLabels := []string{ - "k:v", - "", - "!a:b", - } - - resultOps, resultLabels := GetOperatorsAndLabels(testLabels) - expectedOps := []string{ - "", - "", - "!", - } - expectedLabels := []string{ - "k:v", - "", - "a:b", - } - - if !reflect.DeepEqual(resultOps, expectedOps) { - t.Errorf("TestGetOperatorsAndLabels failed @ op comparison") - } - - if !reflect.DeepEqual(resultLabels, expectedLabels) { - t.Errorf("TestGetOperatorsAndLabels failed @ label comparison") - } -} - -// TODO(jungukcho): check UT results. -func TestParseSelector(t *testing.T) { - var selector, expectedSelector *metav1.LabelSelector - selector, expectedSelector = nil, nil - labels, vals := parseSelector(selector) - expectedLabels, expectedVals := []string{}, make(map[string][]string) - - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - if selector != expectedSelector { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - selector = &metav1.LabelSelector{} - labels, vals = parseSelector(selector) - expectedLabels = []string{""} - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - selector = &metav1.LabelSelector{ - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "testIn", - Operator: 
metav1.LabelSelectorOpIn, - Values: []string{ - "frontend", - "backend", - }, - }, - }, - } - - labels, vals = parseSelector(selector) - expectedLabels = []string{} - expectedVals = map[string][]string{ - "testIn": { - "frontend", - "backend", - }, - } - - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - if len(labels) != 0 { - t.Errorf("TestparseSelector failed @ label comparison") - } - if !reflect.DeepEqual(vals, expectedVals) { - t.Errorf("TestparseSelector failed @ value comparison") - } - - notIn := metav1.LabelSelectorRequirement{ - Key: "testNotIn", - Operator: metav1.LabelSelectorOpNotIn, - Values: []string{ - "frontend", - "backend", - }, - } - - me := &selector.MatchExpressions - *me = append(*me, notIn) - - labels, vals = parseSelector(selector) - addedLabels := []string{} - addedVals := map[string][]string{ - "!testNotIn": { - "frontend", - "backend", - }, - } - - expectedLabels = append(expectedLabels, addedLabels...) - for k, v := range addedVals { - expectedVals[k] = append(expectedVals[k], v...) - } - - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - if len(labels) != 0 { - t.Errorf("TestparseSelector failed @ label comparison") - } - if !reflect.DeepEqual(vals, expectedVals) { - t.Errorf("TestparseSelector failed @ value comparison") - } - - exists := metav1.LabelSelectorRequirement{ - Key: "testExists", - Operator: metav1.LabelSelectorOpExists, - Values: []string{}, - } - - *me = append(*me, exists) - - labels, vals = parseSelector(selector) - addedLabels = []string{ - "testExists", - } - addedVals = map[string][]string{} - expectedLabels = append(expectedLabels, addedLabels...) 
- for k, v := range addedVals { - expectedVals[k] = append(expectedVals[k], v...) - } - - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - if !reflect.DeepEqual(labels, expectedLabels) { - t.Errorf("TestparseSelector failed @ label comparison") - } - if !reflect.DeepEqual(vals, expectedVals) { - t.Errorf("TestparseSelector failed @ value comparison") - } - - doesNotExist := metav1.LabelSelectorRequirement{ - Key: "testDoesNotExist", - Operator: metav1.LabelSelectorOpDoesNotExist, - Values: []string{}, - } - - *me = append(*me, doesNotExist) - - labels, vals = parseSelector(selector) - addedLabels = []string{ - "!testDoesNotExist", - } - addedVals = map[string][]string{} - expectedLabels = append(expectedLabels, addedLabels...) - for k, v := range addedVals { - expectedVals[k] = append(expectedVals[k], v...) - } - - if len(labels) != len(expectedLabels) { - t.Errorf("TestparseSelector failed @ labels length comparison") - } - - if len(vals) != len(expectedVals) { - t.Errorf("TestparseSelector failed @ vals length comparison") - } - - if !reflect.DeepEqual(labels, expectedLabels) { - t.Errorf("TestparseSelector failed @ label comparison") - } - - if !reflect.DeepEqual(vals, expectedVals) { - t.Errorf("TestparseSelector failed @ value comparison") - } -} - func TestFlattenNameSpaceSelectorCases(t *testing.T) { firstSelector := &metav1.LabelSelector{} - testSelectors := FlattenNameSpaceSelector(firstSelector) + testSelectors := flattenNameSpaceSelector(firstSelector) if len(testSelectors) != 1 { t.Errorf("TestFlattenNameSpaceSelectorCases failed @ 1st selector length check %+v", testSelectors) } var secondSelector *metav1.LabelSelector - testSelectors = FlattenNameSpaceSelector(secondSelector) + testSelectors = flattenNameSpaceSelector(secondSelector) if len(testSelectors) > 0 { 
t.Errorf("TestFlattenNameSpaceSelectorCases failed @ 1st selector length check %+v", testSelectors) } @@ -351,7 +61,7 @@ func TestFlattenNameSpaceSelector(t *testing.T) { MatchLabels: commonMatchLabel, } - testSelectors := FlattenNameSpaceSelector(firstSelector) + testSelectors := flattenNameSpaceSelector(firstSelector) if len(testSelectors) != 1 { t.Errorf("TestFlattenNameSpaceSelector failed @ 1st selector length check %+v", testSelectors) } @@ -395,7 +105,7 @@ func TestFlattenNameSpaceSelector(t *testing.T) { MatchLabels: commonMatchLabel, } - testSelectors = FlattenNameSpaceSelector(secondSelector) + testSelectors = flattenNameSpaceSelector(secondSelector) if len(testSelectors) != 8 { t.Errorf("TestFlattenNameSpaceSelector failed @ 2nd selector length check %+v", testSelectors) } @@ -689,7 +399,7 @@ func TestFlattenNameSpaceSelectorWoMatchLabels(t *testing.T) { }, } - testSelectors := FlattenNameSpaceSelector(firstSelector) + testSelectors := flattenNameSpaceSelector(firstSelector) if len(testSelectors) != 2 { t.Errorf("TestFlattenNameSpaceSelector failed @ 1st selector length check %+v", testSelectors) } diff --git a/npm/pkg/controlplane/translation/translatePolicy.go b/npm/pkg/controlplane/translation/translatePolicy.go index d0e3636922..d64828de66 100644 --- a/npm/pkg/controlplane/translation/translatePolicy.go +++ b/npm/pkg/controlplane/translation/translatePolicy.go @@ -3,7 +3,6 @@ package translation import ( "errors" "fmt" - "strings" "github.com/Azure/azure-container-networking/npm/pkg/dataplane/ipsets" "github.com/Azure/azure-container-networking/npm/pkg/dataplane/policies" 
@@ -86,7 +85,7 @@ func namedPortRuleInfo(portRule *networkingv1.NetworkPolicyPort) (namedPortIPSet return nil, protocol } - namedPortIPSet = ipsets.NewTranslatedIPSet(util.NamedPortIPSetPrefix+portRule.Port.String(), ipsets.NamedPorts, []string{}) + namedPortIPSet = ipsets.NewTranslatedIPSet(util.NamedPortIPSetPrefix+portRule.Port.String(), ipsets.NamedPorts) return namedPortIPSet, protocol } @@ -141,7 +140,7 @@ func ipBlockIPSet(policyName, ns string, direction policies.Direction, ipBlockSe } ipBlockIPSetName := ipBlockSetName(policyName, ns, direction, ipBlockSetIndex) - ipBlockIPSet := ipsets.NewTranslatedIPSet(ipBlockIPSetName, ipsets.CIDRBlocks, members) + ipBlockIPSet := ipsets.NewTranslatedIPSet(ipBlockIPSetName, ipsets.CIDRBlocks, members...) return ipBlockIPSet } 
@@ -155,110 +154,6 @@ func ipBlockRule(policyName, ns string, direction policies.Direction, ipBlockSet return ipBlockIPSet, setInfo } -func podLabelType(label string) ipsets.SetType { - // TODO(jungukcho): this is unnecessary function which has extra computation - // will be removed after optimizing parseSelector function - labels := strings.Split(label, ":") - switch LenOfLabels := len(labels); LenOfLabels { - case onlyKeyLabel: - return ipsets.KeyLabelOfPod - case keyValueLabel: - return ipsets.KeyValueLabelOfPod - default: // in case of nested value (i.e., len(labels) >= 3 - return ipsets.NestedLabelOfPod - } -} - -// podSelectorRule returns srcList for ACL by using ops and labelsForSpec -func podSelectorRule(matchType policies.MatchType, ops, ipSetForACL []string) []policies.SetInfo { - podSelectorList := []policies.SetInfo{} - for i := 0; i < len(ipSetForACL); i++ { - noOp := ops[i] == "" - labelType := podLabelType(ipSetForACL[i]) - setInfo := policies.NewSetInfo(ipSetForACL[i], labelType, noOp, matchType) - podSelectorList = append(podSelectorList, setInfo) - } - return podSelectorList -} - -func podSelectorIPSets(ipSetForSingleVal []string, ipSetNameForMultiVal map[string][]string) []*ipsets.TranslatedIPSet { - podSelectorIPSets := []*ipsets.TranslatedIPSet{} - for _, hashSetName := range ipSetForSingleVal { - labelType := podLabelType(hashSetName) - ipset := ipsets.NewTranslatedIPSet(hashSetName, labelType, []string{}) - podSelectorIPSets = append(podSelectorIPSets, ipset) - } - - for listSetName, hashIPSetList := range ipSetNameForMultiVal { - ipset := ipsets.NewTranslatedIPSet(listSetName, ipsets.NestedLabelOfPod, hashIPSetList) - podSelectorIPSets = append(podSelectorIPSets, ipset) - } - - return podSelectorIPSets -} - -// targetPodSelectorInfo converts podSelector information to operators and corresponding label information. -// The label information has various types based on type of labels (e.g., single value or multiple value in labels). 
-func targetPodSelectorInfo(selector *metav1.LabelSelector) (ops, ipSetForACL, ipSetForSingleVal []string, ipSetNameForMultiVal map[string][]string) { - // TODO(jungukcho) : need to revise parseSelector function to reduce computations and enhance readability - // 1. use better variables to indicate included instead of "". - // 2. Classify type of set in parseSelector to avoid multiple computations - // 3. Resolve makezero lint errors (nozero) - singleValueLabelsWithOps, multiValuesLabelsWithOps := parseSelector(selector) - ops, ipSetForSingleVal = GetOperatorsAndLabels(singleValueLabelsWithOps) - - ipSetNameForMultiVal = make(map[string][]string) - LenOfIPSetForACL := len(ipSetForSingleVal) + len(multiValuesLabelsWithOps) - ipSetForACL = make([]string, LenOfIPSetForACL) - IndexOfIPSetForACL := copy(ipSetForACL, ipSetForSingleVal) - - for multiValueLabelKeyWithOps, multiValueLabelList := range multiValuesLabelsWithOps { - op, multiValueLabelKey := GetOperatorAndLabel(multiValueLabelKeyWithOps) - ops = append(ops, op) // nozero - - ipSetNameForMultiValueLabel := getSetNameForMultiValueSelector(multiValueLabelKey, multiValueLabelList) - ipSetForACL[IndexOfIPSetForACL] = ipSetNameForMultiValueLabel - IndexOfIPSetForACL++ - - for _, labelValue := range multiValueLabelList { - ipsetName := util.GetIpSetFromLabelKV(multiValueLabelKey, labelValue) - ipSetForSingleVal = append(ipSetForSingleVal, ipsetName) // nozero - ipSetNameForMultiVal[ipSetNameForMultiValueLabel] = append(ipSetNameForMultiVal[ipSetNameForMultiValueLabel], ipsetName) - } - } - return ops, ipSetForACL, ipSetForSingleVal, ipSetNameForMultiVal -} - -// allPodsSelectorInNs returns translatedIPSet and SetInfo -// in case podSelector field has {} which means all pods in the ns namespace. 
-func allPodsSelectorInNs(ns string, matchType policies.MatchType) ([]*ipsets.TranslatedIPSet, []policies.SetInfo) { - // TODO(jungukcho): important this is common component - double-check whether it has duplicated one or not - ipset := ipsets.NewTranslatedIPSet(ns, ipsets.Namespace, []string{}) - podSelectorIPSets := []*ipsets.TranslatedIPSet{ipset} - - setInfo := policies.NewSetInfo(ns, ipsets.Namespace, included, matchType) - podSelectorList := []policies.SetInfo{setInfo} - return podSelectorIPSets, podSelectorList -} - -// PodSelector translates podSelector of spec field and NetworkPolicyPeer in networkpolicy object to translatedIPSet and SetInfo. -// TODO(jungukcho): change name of function to podSelector since it uses both podSelector of spec field and NetworkPolicyPeer in networkpolicy object. -func targetPodSelector(ns string, matchType policies.MatchType, selector *metav1.LabelSelector) ([]*ipsets.TranslatedIPSet, []policies.SetInfo) { - // (TODO): some data in singleValueLabels and multiValuesLabels are duplicated - ops, ipSetForACL, ipSetForSingleVal, ipSetNameForMultiVal := targetPodSelectorInfo(selector) - // select all pods in a namespace - if len(ops) == 1 && len(ipSetForSingleVal) == 1 && ops[0] == "" && ipSetForSingleVal[0] == "" { - podSelectorIPSets, podSelectorList := allPodsSelectorInNs(ns, matchType) - return podSelectorIPSets, podSelectorList - } - - // TODO(jungukcho): may need to check ordering hashset and listset if ipSetNameForMultiVal exists. - // refer to last test set in TestPodSelectorIPSets - podSelectorIPSets := podSelectorIPSets(ipSetForSingleVal, ipSetNameForMultiVal) - podSelectorList := podSelectorRule(matchType, ops, ipSetForACL) - return podSelectorIPSets, podSelectorList -} - // PodSelector translates podSelector of NetworkPolicyPeer field in networkpolicy object to translatedIPSet and SetInfo. // This function is called only when the NetworkPolicyPeer has namespaceSelector field. 
func podSelector(matchType policies.MatchType, selector *metav1.LabelSelector) ([]*ipsets.TranslatedIPSet, []policies.SetInfo) { @@ -269,11 +164,10 @@ func podSelector(matchType policies.MatchType, selector *metav1.LabelSelector) ( for i := 0; i < LenOfPodSelectors; i++ { ps := podSelectors[i] - podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ps.setName, ps.setType, ps.members)) + podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ps.setName, ps.setType, ps.members...)) // if value is nested value, create translatedIPSet with the nested value for j := 0; j < len(ps.members); j++ { - var nilSlices []string - podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ps.members[j], ipsets.KeyValueLabelOfPod, nilSlices)) + podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ps.members[j], ipsets.KeyValueLabelOfPod)) } podSelectorList[i] = policies.NewSetInfo(ps.setName, ps.setType, ps.include, matchType) 
@@ -288,68 +182,11 @@ func podSelectorWithNS(ns string, matchType policies.MatchType, selector *metav1 podSelectorIPSets, podSelectorList := podSelector(matchType, selector) // Add translatedIPSet and SetInfo based on namespace - // TODO(jungukcho) this nilSlices will be removed. - var nilSlices []string - podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ns, ipsets.Namespace, nilSlices)) + podSelectorIPSets = append(podSelectorIPSets, ipsets.NewTranslatedIPSet(ns, ipsets.Namespace)) podSelectorList = append(podSelectorList, policies.NewSetInfo(ns, ipsets.Namespace, included, matchType)) return podSelectorIPSets, podSelectorList } -func nsLabelType(label string) ipsets.SetType { - // TODO(jungukcho): this is unnecessary function which has extra computation - // will be removed after optimizing parseSelector function - labels := strings.Split(label, ":") - if len(labels) == onlyKeyLabel { - return ipsets.KeyLabelOfNamespace - } else if len(labels) == keyValueLabel { - return ipsets.KeyValueLabelOfNamespace - } - - // (TODO): check whether this is possible - return ipsets.UnknownType -} - -func nameSpaceSelectorRule(matchType policies.MatchType, ops, nsSelectorInfo []string) []policies.SetInfo { - nsSelectorList := []policies.SetInfo{} - for i := 0; i < len(nsSelectorInfo); i++ { - noOp := ops[i] == "" - labelType := nsLabelType(nsSelectorInfo[i]) - setInfo := policies.NewSetInfo(nsSelectorInfo[i], labelType, noOp, matchType) - nsSelectorList = append(nsSelectorList, setInfo) - } - return nsSelectorList -} - -func nameSpaceSelectorIPSets(singleValueLabels []string) []*ipsets.TranslatedIPSet { - nsSelectorIPSets := []*ipsets.TranslatedIPSet{} - for _, listSet := range singleValueLabels { - labelType := nsLabelType(listSet) - translatedIPSet := ipsets.NewTranslatedIPSet(listSet, labelType, []string{}) - nsSelectorIPSets = append(nsSelectorIPSets, translatedIPSet) - } - return nsSelectorIPSets -} - -func nameSpaceSelectorInfo(selector 
*metav1.LabelSelector) (ops, singleValueLabels []string) { - // parse namespace label selector. - // Ignore multiple values from parseSelector since Namespace selector does not have multiple values. - // TODO(jungukcho): will revise parseSelector for easy understanding between podSelector and namespaceSelector - singleValueLabelsWithOps, _ := parseSelector(selector) - ops, singleValueLabels = GetOperatorsAndLabels(singleValueLabelsWithOps) - return ops, singleValueLabels -} - -// allNameSpaceRule returns translatedIPSet and SetInfo -// in case namespaceSelector field has {} which means all namespaces. -func allNameSpaceRule(matchType policies.MatchType) ([]*ipsets.TranslatedIPSet, []policies.SetInfo) { - translatedIPSet := ipsets.NewTranslatedIPSet(util.KubeAllNamespacesFlag, ipsets.Namespace, []string{}) - nsSelectorIPSets := []*ipsets.TranslatedIPSet{translatedIPSet} - - setInfo := policies.NewSetInfo(util.KubeAllNamespacesFlag, ipsets.Namespace, included, matchType) - nsSelectorList := []policies.SetInfo{setInfo} - return nsSelectorIPSets, nsSelectorList -} - // nameSpaceSelector translates namespaceSelector of NetworkPolicyPeer in networkpolicy object to translatedIPSet and SetInfo. func nameSpaceSelector(matchType policies.MatchType, selector *metav1.LabelSelector) ([]*ipsets.TranslatedIPSet, []policies.SetInfo) { nsSelectors := parseNSSelector(selector) @@ -359,7 +196,7 @@ func nameSpaceSelector(matchType policies.MatchType, selector *metav1.LabelSelec for i := 0; i < LenOfnsSelectors; i++ { nsc := nsSelectors[i] - nsSelectorIPSets[i] = ipsets.NewTranslatedIPSet(nsc.setName, nsc.setType, []string{}) + nsSelectorIPSets[i] = ipsets.NewTranslatedIPSet(nsc.setName, nsc.setType) nsSelectorList[i] = policies.NewSetInfo(nsc.setName, nsc.setType, nsc.include, matchType) } 
@@ -368,8 +205,8 @@ func nameSpaceSelector(matchType policies.MatchType, selector *metav1.LabelSelec // allowAllTraffic returns translatedIPSet and SetInfo in case of allow all internal traffic. func allowAllTraffic(matchType policies.MatchType) (*ipsets.TranslatedIPSet, policies.SetInfo) { - allowAllIPSets := ipsets.NewTranslatedIPSet(util.KubeAllNamespacesFlag, ipsets.Namespace, []string{}) - setInfo := policies.NewSetInfo(util.KubeAllNamespacesFlag, ipsets.Namespace, included, matchType) + allowAllIPSets := ipsets.NewTranslatedIPSet(util.KubeAllNamespacesFlag, ipsets.KeyLabelOfNamespace) + setInfo := policies.NewSetInfo(util.KubeAllNamespacesFlag, ipsets.KeyLabelOfNamespace, included, matchType) return allowAllIPSets, setInfo } @@ -487,7 +324,7 @@ func translateIngress(npmNetPol *policies.NPMNetworkPolicy, targetSelector *meta // #2.2 handle nameSpaceSelector and port if exist if fromRule.PodSelector == nil && fromRule.NamespaceSelector != nil { - flattenNSSelctor := FlattenNameSpaceSelector(fromRule.NamespaceSelector) + flattenNSSelctor := flattenNameSpaceSelector(fromRule.NamespaceSelector) for i := range flattenNSSelctor { nsSelectorIPSets, nsSrcList := nameSpaceSelector(policies.SrcMatch, &flattenNSSelctor[i]) npmNetPol.RuleIPSets = append(npmNetPol.RuleIPSets, nsSelectorIPSets...) @@ -517,7 +354,7 @@ func translateIngress(npmNetPol *policies.NPMNetworkPolicy, targetSelector *meta podSelectorIPSets, podSelectorSrcList := podSelector(policies.SrcMatch, fromRule.PodSelector) npmNetPol.RuleIPSets = append(npmNetPol.RuleIPSets, podSelectorIPSets...) - flattenNSSelctor := FlattenNameSpaceSelector(fromRule.NamespaceSelector) + flattenNSSelctor := flattenNameSpaceSelector(fromRule.NamespaceSelector) for i := range flattenNSSelctor { nsSelectorIPSets, nsSrcList := nameSpaceSelector(policies.SrcMatch, &flattenNSSelctor[i]) npmNetPol.RuleIPSets = append(npmNetPol.RuleIPSets, nsSelectorIPSets...) 
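Review bot: The two changed lines in `allowAllTraffic` silently retype the `util.KubeAllNamespacesFlag` ipset from `ipsets.Namespace` to `ipsets.KeyLabelOfNamespace`, while the namespace set appended in `podSelectorWithNS` earlier in this diff stays `ipsets.Namespace` and the deleted `allNameSpaceRule` registered the very same name as `ipsets.Namespace`. If any other producer of that set name (the namespace controller, or `parseNSSelector` on an empty selector, neither visible here) still uses the old type, the dataplane would be handed one ipset name under two set types, which is the kind of mismatch that turns an allow-all rule into a no-match rule or a dangling reference; please confirm every producer agrees. Since nothing in the commit explains the change, record the intent next to the call, e.g. `// KubeAllNamespacesFlag is modeled as a namespace key-label set; every producer of this set must use KeyLabelOfNamespace.` The function is fully contained in this hunk.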
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go index 1c1eeab5e7..a0899e44ba 100644 --- a/npm/pkg/controlplane/translation/translatePolicy_test.go +++ b/npm/pkg/controlplane/translation/translatePolicy_test.go @@ -199,7 +199,6 @@ func TestNamedPortRuleInfo(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, protocol: "TCP", }, @@ -215,7 +214,6 @@ func TestNamedPortRuleInfo(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, protocol: "TCP", }, @@ -272,7 +270,6 @@ func TestNamedPortRule(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, setInfo: policies.SetInfo{ IPSet: &ipsets.IPSetMetadata{ @@ -296,7 +293,6 @@ func TestNamedPortRule(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, setInfo: policies.SetInfo{ IPSet: &ipsets.IPSetMetadata{ 
@@ -580,470 +576,8 @@ func TestIPBlockRule(t *testing.T) { } } -func TestTargetPodSelectorInfo(t *testing.T) { - tests := []struct { - name string - labelSelector *metav1.LabelSelector - ops []string - ipSetForACL []string - ipSetForSingleVal []string - ipSetNameForMultiVal map[string][]string - }{ - { - name: "all pods match", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - ops: []string{""}, - ipSetForACL: []string{""}, - ipSetForSingleVal: []string{""}, - ipSetNameForMultiVal: map[string][]string{}, - }, - { - name: "only match labels", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - }, - ops: []string{""}, - ipSetForACL: []string{"label:src"}, - ipSetForSingleVal: []string{"label:src"}, - ipSetNameForMultiVal: map[string][]string{}, - }, - { - name: "match labels and match expression with with Exists OP", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "label", - Operator: metav1.LabelSelectorOpExists, - }, - }, - }, - ops: []string{"", ""}, - ipSetForACL: []string{"label:src", "label"}, - ipSetForSingleVal: []string{"label:src", "label"}, - ipSetNameForMultiVal: map[string][]string{}, - }, - { - name: "match labels and match expression with single value and In OP", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "labelIn", - Operator: metav1.LabelSelectorOpIn, - Values: []string{ - "src", - }, - }, - }, - }, - ops: []string{"", ""}, - ipSetForACL: []string{"label:src", "labelIn:src"}, - ipSetForSingleVal: []string{"label:src", "labelIn:src"}, - ipSetNameForMultiVal: map[string][]string{}, - }, - { - name: "match labels and match expression with single value and NotIn OP", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - 
"label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "labelNotIn", - Operator: metav1.LabelSelectorOpNotIn, - Values: []string{ - "src", - }, - }, - }, - }, - ops: []string{"", "!"}, - ipSetForACL: []string{"label:src", "labelNotIn:src"}, - ipSetForSingleVal: []string{"label:src", "labelNotIn:src"}, - ipSetNameForMultiVal: map[string][]string{}, - }, - { - name: "match labels and match expression with multiple values and In and NotExist", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k0": "v0", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "k1", - Operator: metav1.LabelSelectorOpIn, - Values: []string{ - "v10", - "v11", - }, - }, - { - Key: "k2", - Operator: metav1.LabelSelectorOpDoesNotExist, - Values: []string{}, - }, - }, - }, - ops: []string{"", "!", ""}, - ipSetForACL: []string{"k0:v0", "k2", "k1:v10:v11"}, - ipSetForSingleVal: []string{"k0:v0", "k2", "k1:v10", "k1:v11"}, - ipSetNameForMultiVal: map[string][]string{ - "k1:v10:v11": {"k1:v10", "k1:v11"}, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - ops, ipSetForACL, ipSetForSingleVal, ipSetNameForMultiVal := targetPodSelectorInfo(tt.labelSelector) - require.Equal(t, tt.ops, ops) - require.Equal(t, tt.ipSetForACL, ipSetForACL) - require.Equal(t, tt.ipSetForSingleVal, ipSetForSingleVal) - require.Equal(t, tt.ipSetNameForMultiVal, ipSetNameForMultiVal) - }) - } -} - -func TestAllPodsSelectorInNs(t *testing.T) { - matchType := policies.DstMatch - tests := []struct { - name string - namespace string - matchType policies.MatchType - podSelectorIPSets []*ipsets.TranslatedIPSet - podSelectorList []policies.SetInfo - }{ - { - name: "all pods selector in default namespace in ingress", - namespace: "default", - matchType: matchType, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "default", - Type: ipsets.Namespace, - }, - Members: 
[]string{}, - }, - }, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "default", - Type: ipsets.Namespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "all pods selector in test namespace in ingress", - namespace: "test", - matchType: matchType, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "test", - Type: ipsets.Namespace, - }, - Members: []string{}, - }, - }, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "test", - Type: ipsets.Namespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - podSelectorIPSets, podSelectorList := allPodsSelectorInNs(tt.namespace, tt.matchType) - require.Equal(t, tt.podSelectorIPSets, podSelectorIPSets) - require.Equal(t, tt.podSelectorList, podSelectorList) - }) - } -} - -func TestPodSelectorIPSets(t *testing.T) { - tests := []struct { - name string - ipSetForSingleVal []string - ipSetNameForMultiVal map[string][]string - podSelectorIPSets []*ipsets.TranslatedIPSet - }{ - { - name: "one single value ipset (keyValueLabel)", - ipSetForSingleVal: []string{"label:src"}, - ipSetNameForMultiVal: map[string][]string{}, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - }, - }, - { - name: "two single value ipsets (KeyValueLabel and keyLable) ", - ipSetForSingleVal: []string{"label:src", "label"}, - ipSetNameForMultiVal: map[string][]string{}, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label", - Type: ipsets.KeyLabelOfPod, - }, - Members: []string{}, - }, - }, - }, - { - name: "two single 
value ipsets (two KeyValueLabel)", - ipSetForSingleVal: []string{"label:src", "labelIn:src"}, - ipSetNameForMultiVal: map[string][]string{}, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "labelIn:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - }, - }, - { - name: "four single value ipsets and one multiple value ipset (four KeyValueLabel, one KeyLabel, and one nestedKeyValueLabel)", - ipSetForSingleVal: []string{"k0:v0", "k2", "k1:v10", "k1:v11"}, - ipSetNameForMultiVal: map[string][]string{ - "k1:v10:v11": {"k1:v10", "k1:v11"}, - }, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k0:v0", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k2", - Type: ipsets.KeyLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k1:v10", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k1:v11", - Type: ipsets.KeyValueLabelOfPod, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k1:v10:v11", - Type: ipsets.NestedLabelOfPod, - }, - Members: []string{"k1:v10", "k1:v11"}, - }, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - podSelectorIPSets := podSelectorIPSets(tt.ipSetForSingleVal, tt.ipSetNameForMultiVal) - require.Equal(t, tt.podSelectorIPSets, podSelectorIPSets) - }) - } -} - -func TestPodSelectorRule(t *testing.T) { - matchType := policies.DstMatch - tests := []struct { - name string - matchType policies.MatchType - ops []string - ipSetForACL []string - podSelectorList []policies.SetInfo - }{ - { - name: "one ipset of podSelector for acl in ingress", - matchType: matchType, - ops: 
[]string{""}, - ipSetForACL: []string{"label:src"}, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of podSelector (one keyvalue and one only key) for acl in ingress", - matchType: policies.DstMatch, - ops: []string{"", ""}, - ipSetForACL: []string{"label:src", "label"}, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label", - Type: ipsets.KeyLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of podSelector (two keyvalue) for acl in ingress", - matchType: matchType, - ops: []string{"", ""}, - ipSetForACL: []string{"label:src", "labelIn:src"}, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "labelIn:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of podSelector (one included and one non-included ipset) for acl in ingress", - matchType: matchType, - ops: []string{"", "!"}, - ipSetForACL: []string{"label:src", "labelNotIn:src"}, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "labelNotIn:src", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: nonIncluded, - MatchType: matchType, - }, - }, - }, - { - name: "three ipsets of podSelector (one included value, one non-included value, and one included netest value) for acl in 
ingress", - matchType: matchType, - ops: []string{"", "!", ""}, - ipSetForACL: []string{"k0:v0", "k2", "k1:v10:v11"}, - podSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "k0:v0", - Type: ipsets.KeyValueLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "k2", - Type: ipsets.KeyLabelOfPod, - }, - Included: nonIncluded, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "k1:v10:v11", - Type: ipsets.NestedLabelOfPod, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - podSelectorList := podSelectorRule(tt.matchType, tt.ops, tt.ipSetForACL) - require.Equal(t, tt.podSelectorList, podSelectorList) - }) - } -} - -func TestTargetPodSelector(t *testing.T) { +func TestPodSelector(t *testing.T) { matchType := policies.DstMatch - var nilSlices []string tests := []struct { name string namespace string @@ -1060,7 +594,7 @@ func TestTargetPodSelector(t *testing.T) { MatchLabels: map[string]string{}, }, podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices), + ipsets.NewTranslatedIPSet("default", ipsets.Namespace), }, podSelectorList: []policies.SetInfo{ policies.NewSetInfo("default", ipsets.Namespace, included, matchType), @@ -1074,7 +608,7 @@ func TestTargetPodSelector(t *testing.T) { MatchLabels: map[string]string{}, }, podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("test", ipsets.Namespace, nilSlices), + ipsets.NewTranslatedIPSet("test", ipsets.Namespace), }, podSelectorList: []policies.SetInfo{ policies.NewSetInfo("test", ipsets.Namespace, included, matchType), 
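Review bot: The deleted TestTargetPodSelectorInfo included an "all pods match" case (empty `MatchLabels`, no namespace) that pinned the empty ipset name `""` returned for an empty selector, and the TestPodSelector cases visible in this hunk only exercise an empty selector together with a namespace ("default", "test"). If no namespace-less empty-selector case remains elsewhere in TestPodSelector, that edge of podSelector is now untested, and an empty-named ipset reaching the ACL is exactly the kind of translation result that deserves an explicit expectation. Worth adding one case with `namespace: ""` and `MatchLabels: map[string]string{}` whose expected `podSelectorIPSets` and `podSelectorList` are stated outright. TestPodSelector's body continues past this hunk, so its full case list is not visible here.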
@@ -1089,7 +623,7 @@ func TestTargetPodSelector(t *testing.T) { }, }, podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices), + ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod), }, podSelectorList: []policies.SetInfo{ policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), @@ -1110,8 +644,8 @@ func TestTargetPodSelector(t *testing.T) { }, }, podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices), - ipsets.NewTranslatedIPSet("label", ipsets.KeyLabelOfPod, nilSlices), + ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("label", ipsets.KeyLabelOfPod), }, podSelectorList: []policies.SetInfo{ policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), 
@@ -1135,158 +669,18 @@ func TestTargetPodSelector(t *testing.T) { }, }, }, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices), - ipsets.NewTranslatedIPSet("labelIn:src", ipsets.KeyValueLabelOfPod, nilSlices), - }, - podSelectorList: []policies.SetInfo{ - policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), - policies.NewSetInfo("labelIn:src", ipsets.KeyValueLabelOfPod, included, matchType), - }, - }, - { - name: "target pod Selector with two labels (one included and one non-included ipset) for acl in ingress", - matchType: matchType, - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "labelNotIn", - Operator: metav1.LabelSelectorOpNotIn, - Values: []string{ - "src", - }, - }, - }, - }, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices), - ipsets.NewTranslatedIPSet("labelNotIn:src", ipsets.KeyValueLabelOfPod, nilSlices), - }, - podSelectorList: []policies.SetInfo{ - policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), - policies.NewSetInfo("labelNotIn:src", ipsets.KeyValueLabelOfPod, nonIncluded, matchType), - }, - }, - { - name: "target pod Selector with three labels (one included value, one non-included value, and one included netest value) for acl in ingress", - matchType: matchType, - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "k0": "v0", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "k1", - Operator: metav1.LabelSelectorOpIn, - Values: []string{ - "v10", - "v11", - }, - }, - { - Key: "k2", - Operator: metav1.LabelSelectorOpDoesNotExist, - Values: []string{}, - }, - }, - }, - podSelectorIPSets: []*ipsets.TranslatedIPSet{ - ipsets.NewTranslatedIPSet("k0:v0", ipsets.KeyValueLabelOfPod, 
nilSlices), - ipsets.NewTranslatedIPSet("k1:v10:v11", ipsets.NestedLabelOfPod, []string{"k1:v10", "k1:v11"}), - ipsets.NewTranslatedIPSet("k1:v10", ipsets.KeyValueLabelOfPod, nilSlices), - ipsets.NewTranslatedIPSet("k1:v11", ipsets.KeyValueLabelOfPod, nilSlices), - ipsets.NewTranslatedIPSet("k2", ipsets.KeyLabelOfPod, nilSlices), - }, - podSelectorList: []policies.SetInfo{ - policies.NewSetInfo("k0:v0", ipsets.KeyValueLabelOfPod, included, matchType), - policies.NewSetInfo("k1:v10:v11", ipsets.NestedLabelOfPod, included, matchType), - policies.NewSetInfo("k2", ipsets.KeyLabelOfPod, nonIncluded, matchType), - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - var podSelectorIPSets []*ipsets.TranslatedIPSet - var podSelectorList []policies.SetInfo - if tt.namespace == "" { - podSelectorIPSets, podSelectorList = podSelector(tt.matchType, tt.labelSelector) - } else { - podSelectorIPSets, podSelectorList = podSelectorWithNS(tt.namespace, tt.matchType, tt.labelSelector) - } - require.Equal(t, tt.podSelectorIPSets, podSelectorIPSets) - require.Equal(t, tt.podSelectorList, podSelectorList) - }) - } -} - -func TestNameSpaceSelectorInfo(t *testing.T) { - tests := []struct { - name string - labelSelector *metav1.LabelSelector - ops []string - singleValueLabels []string - }{ - { - name: "", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{}, - }, - ops: []string{""}, - singleValueLabels: []string{""}, - }, - { - name: "only match labels", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - }, - ops: []string{""}, - singleValueLabels: []string{"label:src"}, - }, - { - name: "match labels and match expression with with Exists OP", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "label", - Operator: metav1.LabelSelectorOpExists, - }, - }, - 
}, - ops: []string{"", ""}, - singleValueLabels: []string{"label:src", "label"}, - }, - { - name: "match labels and match expression with single value and In OP", - labelSelector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "label": "src", - }, - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "labelIn", - Operator: metav1.LabelSelectorOpIn, - Values: []string{ - "src", - }, - }, - }, + podSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("labelIn:src", ipsets.KeyValueLabelOfPod), + }, + podSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), + policies.NewSetInfo("labelIn:src", ipsets.KeyValueLabelOfPod, included, matchType), }, - ops: []string{"", ""}, - singleValueLabels: []string{"label:src", "labelIn:src"}, }, { - name: "match labels and match expression with single value and NotIn OP", + name: "target pod Selector with two labels (one included and one non-included ipset) for acl in ingress", + matchType: matchType, labelSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "label": "src", 
@@ -1301,17 +695,22 @@ func TestNameSpaceSelectorInfo(t *testing.T) { }, }, }, - ops: []string{"", "!"}, - singleValueLabels: []string{"label:src", "labelNotIn:src"}, + podSelectorIPSets: []*ipsets.TranslatedIPSet{ + ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("labelNotIn:src", ipsets.KeyValueLabelOfPod), + }, + podSelectorList: []policies.SetInfo{ + policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, matchType), + policies.NewSetInfo("labelNotIn:src", ipsets.KeyValueLabelOfPod, nonIncluded, matchType), + }, }, { - name: "match labels and match expression with multiple values and In and NotExist", + name: "target pod Selector with three labels (one included value, one non-included value, and one included netest value) for acl in ingress", + matchType: matchType, labelSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "k0": "v0", }, - // Multiple values are ignored in namespace case - // Refer to FlattenNameSpaceSelector function in parseSelector.go MatchExpressions: []metav1.LabelSelectorRequirement{ { Key: "k1", 
@@ -1328,287 +727,17 @@ func TestNameSpaceSelectorInfo(t *testing.T) { }, }, }, - ops: []string{"", "!"}, - singleValueLabels: []string{"k0:v0", "k2"}, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - ops, singleValueLabels := nameSpaceSelectorInfo(tt.labelSelector) - require.Equal(t, tt.ops, ops) - require.Equal(t, tt.singleValueLabels, singleValueLabels) - }) - } -} - -func TestAllNameSpaceRule(t *testing.T) { - matchType := policies.SrcMatch - tests := []struct { - name string - matchType policies.MatchType - nsSelectorIPSets []*ipsets.TranslatedIPSet - nsSelectorList []policies.SetInfo - }{ - { - name: "pods from all namespaces in ingress", - matchType: matchType, - nsSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: util.KubeAllNamespacesFlag, - Type: ipsets.Namespace, - }, - Members: []string{}, - }, - }, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: util.KubeAllNamespacesFlag, - Type: ipsets.Namespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - nsSelectorIPSets, nsSelectorList := allNameSpaceRule(tt.matchType) - require.Equal(t, tt.nsSelectorIPSets, nsSelectorIPSets) - require.Equal(t, tt.nsSelectorList, nsSelectorList) - }) - } -} - -func TestNameSpaceSelectorIPSets(t *testing.T) { - tests := []struct { - name string - singleValueLabels []string - nsSelectorIPSets []*ipsets.TranslatedIPSet - }{ - { - name: "one single value ipset (keyValueLabel)", - singleValueLabels: []string{"label:src"}, - nsSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - }, - }, - { - name: "two single value ipsets (KeyValueLabel and keyLable) ", - singleValueLabels: []string{"label:src", "label"}, - nsSelectorIPSets: 
[]*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label", - Type: ipsets.KeyLabelOfNamespace, - }, - Members: []string{}, - }, - }, - }, - { - name: "two single value ipsets (two KeyValueLabel)", - singleValueLabels: []string{"label:src", "labelIn:src"}, - nsSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "labelIn:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - }, - }, - { - name: "four single value ipsets (three KeyValueLabel, and one KeyLabel)", - singleValueLabels: []string{"k0:v0", "k2", "k1:v10", "k1:v11"}, - nsSelectorIPSets: []*ipsets.TranslatedIPSet{ - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k0:v0", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k2", - Type: ipsets.KeyLabelOfNamespace, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k1:v10", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - { - Metadata: &ipsets.IPSetMetadata{ - Name: "k1:v11", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Members: []string{}, - }, - }, - }, - } - - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - nsSelectorIPSets := nameSpaceSelectorIPSets(tt.singleValueLabels) - require.Equal(t, tt.nsSelectorIPSets, nsSelectorIPSets) - }) - } -} - -func TestNameSpaceSelectorRule(t *testing.T) { - matchType := policies.SrcMatch - tests := []struct { - name string - matchType policies.MatchType - ops []string - singleValueLabels []string - nsSelectorList []policies.SetInfo - }{ - { - name: "one ipset of namespaceSelector for acl in ingress", - matchType: 
matchType, - ops: []string{""}, - singleValueLabels: []string{"label:src"}, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of namespaceSelector (one keyvalue and one only key) for acl in ingress", - matchType: matchType, - ops: []string{"", ""}, - singleValueLabels: []string{"label:src", "label"}, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label", - Type: ipsets.KeyLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of namespaceSelector (two keyvalue) for acl in ingress", - matchType: matchType, - ops: []string{"", ""}, - singleValueLabels: []string{"label:src", "labelIn:src"}, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "labelIn:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - }, - }, - { - name: "two ipsets of namespaceSelector (one included and one non-included ipset) for acl in ingress", - matchType: matchType, - ops: []string{"", "!"}, - singleValueLabels: []string{"label:src", "labelNotIn:src"}, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "label:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "labelNotIn:src", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: nonIncluded, - MatchType: matchType, - }, + podSelectorIPSets: []*ipsets.TranslatedIPSet{ + 
ipsets.NewTranslatedIPSet("k0:v0", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("k1:v10:v11", ipsets.NestedLabelOfPod, []string{"k1:v10", "k1:v11"}...), + ipsets.NewTranslatedIPSet("k1:v10", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("k1:v11", ipsets.KeyValueLabelOfPod), + ipsets.NewTranslatedIPSet("k2", ipsets.KeyLabelOfPod), }, - }, - { - name: "two ipsets of namespaceSelector (one included keyValue and one non-included key) for acl in ingress", - matchType: matchType, - ops: []string{"", "!"}, - singleValueLabels: []string{"k0:v0", "k2"}, - nsSelectorList: []policies.SetInfo{ - { - IPSet: &ipsets.IPSetMetadata{ - Name: "k0:v0", - Type: ipsets.KeyValueLabelOfNamespace, - }, - Included: included, - MatchType: matchType, - }, - { - IPSet: &ipsets.IPSetMetadata{ - Name: "k2", - Type: ipsets.KeyLabelOfNamespace, - }, - Included: nonIncluded, - MatchType: matchType, - }, + podSelectorList: []policies.SetInfo{ + policies.NewSetInfo("k0:v0", ipsets.KeyValueLabelOfPod, included, matchType), + policies.NewSetInfo("k1:v10:v11", ipsets.NestedLabelOfPod, included, matchType), + policies.NewSetInfo("k2", ipsets.KeyLabelOfPod, nonIncluded, matchType), }, }, } @@ -1616,8 +745,16 @@ func TestNameSpaceSelectorRule(t *testing.T) { for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { - nsSelectorList := nameSpaceSelectorRule(tt.matchType, tt.ops, tt.singleValueLabels) - require.Equal(t, tt.nsSelectorList, nsSelectorList) + t.Parallel() + var podSelectorIPSets []*ipsets.TranslatedIPSet + var podSelectorList []policies.SetInfo + if tt.namespace == "" { + podSelectorIPSets, podSelectorList = podSelector(tt.matchType, tt.labelSelector) + } else { + podSelectorIPSets, podSelectorList = podSelectorWithNS(tt.namespace, tt.matchType, tt.labelSelector) + } + require.Equal(t, tt.podSelectorIPSets, podSelectorIPSets) + require.Equal(t, tt.podSelectorList, podSelectorList) }) } } 
@@ -1643,7 +780,6 @@ func TestNameSpaceSelector(t *testing.T) { Name: util.KubeAllNamespacesFlag, Type: ipsets.KeyLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1661,7 +797,6 @@ func TestNameSpaceSelector(t *testing.T) { name: "namespaceSelector with one label in ingress", matchType: matchType, labelSelector: &metav1.LabelSelector{ - // TODO(jungukcho): check this one MatchLabels: map[string]string{ "test": "", }, @@ -1672,7 +807,6 @@ func TestNameSpaceSelector(t *testing.T) { Name: "test:", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1700,7 +834,6 @@ func TestNameSpaceSelector(t *testing.T) { Name: "label:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1734,14 +867,12 @@ func TestNameSpaceSelector(t *testing.T) { Name: "label:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, { Metadata: &ipsets.IPSetMetadata{ Name: "label", Type: ipsets.KeyLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1786,14 +917,12 @@ func TestNameSpaceSelector(t *testing.T) { Name: "label:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, { Metadata: &ipsets.IPSetMetadata{ Name: "labelIn:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1838,14 +967,12 @@ func TestNameSpaceSelector(t *testing.T) { Name: "label:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, { Metadata: &ipsets.IPSetMetadata{ Name: "labelNotIn:src", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ 
@@ -1895,21 +1022,18 @@ func TestNameSpaceSelector(t *testing.T) { Name: "k0:v0", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, { Metadata: &ipsets.IPSetMetadata{ Name: "k1:v10", Type: ipsets.KeyValueLabelOfNamespace, }, - Members: []string{}, }, { Metadata: &ipsets.IPSetMetadata{ Name: "k2", Type: ipsets.KeyLabelOfNamespace, }, - Members: []string{}, }, }, nsSelectorList: []policies.SetInfo{ @@ -1965,14 +1089,13 @@ func TestAllowAllTraffic(t *testing.T) { nsSelectorIPSets: &ipsets.TranslatedIPSet{ Metadata: &ipsets.IPSetMetadata{ Name: util.KubeAllNamespacesFlag, - Type: ipsets.Namespace, + Type: ipsets.KeyLabelOfNamespace, }, - Members: []string{}, }, nsSelectorList: policies.SetInfo{ IPSet: &ipsets.IPSetMetadata{ Name: util.KubeAllNamespacesFlag, - Type: ipsets.Namespace, + Type: ipsets.KeyLabelOfNamespace, }, Included: included, MatchType: matchType, @@ -2054,7 +1177,6 @@ func TestPortRuleWithNamedPort(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, }, acl: &policies.ACLPolicy{ @@ -2082,7 +1204,6 @@ func TestPortRuleWithNamedPort(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, }, acl: &policies.ACLPolicy{ @@ -2309,7 +1430,6 @@ func TestPeerAndPortRule(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, }, ACLs: []*policies.ACLPolicy{ @@ -2350,7 +1470,6 @@ func TestPeerAndPortRule(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, }, ACLs: []*policies.ACLPolicy{ @@ -2400,7 +1519,6 @@ func TestPeerAndPortRule(t *testing.T) { Name: util.NamedPortIPSetPrefix + "serve-tcp", Type: ipsets.NamedPorts, }, - Members: []string{}, }, }, ACLs: []*policies.ACLPolicy{ 
@@ -2441,7 +1559,6 @@ func TestPeerAndPortRule(t *testing.T) {
 Name: util.NamedPortIPSetPrefix + "serve-tcp",
 Type: ipsets.NamedPorts,
 },
- Members: []string{},
 },
 },
 ACLs: []*policies.ACLPolicy{
@@ -2488,8 +1605,6 @@ func TestTranslateIngress(t *testing.T) {
 tcp := v1.ProtocolTCP
 targetPodMatchType := policies.DstMatch
 peerMatchType := policies.SrcMatch
- // TODO(jungukcho): this nilSlices will be removed.
- var nilSlices []string
 // TODO(jungukcho): add test cases with more complex rules
 tests := []struct {
 name string
@@ -2517,8 +1632,8 @@ func TestTranslateIngress(t *testing.T) {
 Name: "serve-tcp",
 NameSpace: "default",
 PodSelectorIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices),
- ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices),
+ ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
 },
 PodSelectorList: []policies.SetInfo{
 policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, targetPodMatchType),
@@ -2561,15 +1676,15 @@ func TestTranslateIngress(t *testing.T) {
 Name: "only-ipblock",
 NameSpace: "default",
 PodSelectorIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices),
- ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices),
+ ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
 },
 PodSelectorList: []policies.SetInfo{
 policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, targetPodMatchType),
 policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType),
 },
 RuleIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("only-ipblock-in-ns-default-0IN", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24nomatch"}),
+ ipsets.NewTranslatedIPSet("only-ipblock-in-ns-default-0IN", ipsets.CIDRBlocks, []string{"172.17.0.0/16", "172.17.1.0/24nomatch"}...),
 },
 ACLs: []*policies.ACLPolicy{
 {
@@ -2607,16 +1722,16 @@ func TestTranslateIngress(t *testing.T) {
 Name: "only-peer-podSelector",
 NameSpace: "default",
 PodSelectorIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices),
- ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices),
+ ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
 },
 PodSelectorList: []policies.SetInfo{
 policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, targetPodMatchType),
 policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType),
 },
 RuleIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod, nilSlices),
- ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices),
+ ipsets.NewTranslatedIPSet("peer-podselector-kay:peer-podselector-value", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
 },
 ACLs: []*policies.ACLPolicy{
 {
@@ -2655,15 +1770,15 @@ func TestTranslateIngress(t *testing.T) {
 Name: "only-peer-nsSelector",
 NameSpace: "default",
 PodSelectorIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod, nilSlices),
- ipsets.NewTranslatedIPSet("default", ipsets.Namespace, nilSlices),
+ ipsets.NewTranslatedIPSet("label:src", ipsets.KeyValueLabelOfPod),
+ ipsets.NewTranslatedIPSet("default", ipsets.Namespace),
 },
 PodSelectorList: []policies.SetInfo{
 policies.NewSetInfo("label:src", ipsets.KeyValueLabelOfPod, included, targetPodMatchType),
 policies.NewSetInfo("default", ipsets.Namespace, included, targetPodMatchType),
 },
 RuleIPSets: []*ipsets.TranslatedIPSet{
- ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace, []string{}),
+ ipsets.NewTranslatedIPSet("peer-nsselector-kay:peer-nsselector-value", ipsets.KeyValueLabelOfNamespace),
 },
 ACLs: []*policies.ACLPolicy{
 {
diff --git a/npm/pkg/dataplane/ipsets/ipset.go b/npm/pkg/dataplane/ipsets/ipset.go
index f1f509b0a3..df1b5594c5 100644
--- a/npm/pkg/dataplane/ipsets/ipset.go
+++ b/npm/pkg/dataplane/ipsets/ipset.go
@@ -108,7 +108,8 @@ type TranslatedIPSet struct {
 }
 // NewTranslatedIPSet creates TranslatedIPSet.
-func NewTranslatedIPSet(name string, setType SetType, members []string) *TranslatedIPSet {
+// Only nested labels from podSelector and IPBlock has members and others has nil slice.
+func NewTranslatedIPSet(name string, setType SetType, members ...string) *TranslatedIPSet {
 translatedIPSet := &TranslatedIPSet{
 Metadata: NewIPSetMetadata(name, setType),
 Members: members,
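Review bot: The doc line added above NewTranslatedIPSet in ipset.go is ungrammatical and leaves the nil-versus-empty contract that the test hunks now depend on implicit; `// Only nested labels from podSelector and IPBlock has members and others has nil slice.` could read `// Members is nil unless values are passed; only nested podSelector labels and IPBlock sets carry members.` Because the variadic parameter is stored directly as `Members: members`, a caller that spreads an existing slice with `s...` shares its backing array with the returned set, which is worth one more sentence in the same comment. The function's body continues past the end of the hunk.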
