Expand Up @@ -374,12 +374,12 @@ func (gsp *GoalStateProcessor) processPolicyApplyEvent(goalState *protos.GoalSta
klog.Warningf("Empty Policy apply event")
continue
}
klog.Infof("Processing %s Policy ADD event", netpol.Name)
klog.Infof("Processing %s Policy ADD event", netpol.PolicyKey)
klog.Infof("Netpol: %v", netpol)

err = gsp.dp.UpdatePolicy(netpol)
if err != nil {
klog.Errorf("Error applying policy %s to dataplane with error: %s", netpol.Name, err.Error())
klog.Errorf("Error applying policy %s to dataplane with error: %s", netpol.PolicyKey, err.Error())
return nil, npmerrors.SimpleErrorWrapper("failed update policy event", err)
}
appendedPolicies[netpol.PolicyKey] = struct{}{}
Expand Up @@ -28,9 +28,9 @@ var (
testNestedKeyPodSet = ipsets.NewIPSetMetadata("test-nestedkeyPod-set", ipsets.NestedLabelOfPod)
testNestedKeyPodCPSet = controlplane.NewControllerIPSets(testNestedKeyPodSet)
testNetPol = &policies.NPMNetworkPolicy{
Name: "test-netpol",
NameSpace: "x",
PolicyKey: "x/test-netpol",
Namespace: "x",
PolicyKey: "x/test-netpol",
ACLPolicyID: "azure-acl-x-test-netpol",
PodSelectorIPSets: []*ipsets.TranslatedIPSet{
{
Metadata: testNSSet,
Expand All @@ -49,12 +49,10 @@ var (
},
ACLs: []*policies.ACLPolicy{
{
PolicyID: "azure-acl-123",
Target: policies.Dropped,
Direction: policies.Ingress,
},
{
PolicyID: "azure-acl-234",
Target: policies.Allowed,
Direction: policies.Ingress,
SrcList: []policies.SetInfo{
45 changes: 23 additions & 22 deletions npm/pkg/controlplane/translation/translatePolicy.go
Expand Up @@ -304,7 +304,7 @@ func ruleExists(ports []networkingv1.NetworkPolicyPort, peer []networkingv1.Netw
// (e.g., IPBlock, podSelector, namespaceSelector, or both podSelector and namespaceSelector).
func peerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction, ports []networkingv1.NetworkPolicyPort, setInfo []policies.SetInfo) error {
if len(ports) == 0 {
acl := policies.NewACLPolicy(npmNetPol.NameSpace, npmNetPol.Name, policies.Allowed, direction)
acl := policies.NewACLPolicy(policies.Allowed, direction)
acl.AddSetInfo(setInfo)
npmNetPol.ACLs = append(npmNetPol.ACLs, acl)
return nil
Expand All @@ -316,7 +316,7 @@ func peerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Di
return err
}

acl := policies.NewACLPolicy(npmNetPol.NameSpace, npmNetPol.Name, policies.Allowed, direction)
acl := policies.NewACLPolicy(policies.Allowed, direction)
acl.AddSetInfo(setInfo)
npmNetPol.RuleIPSets = portRule(npmNetPol.RuleIPSets, acl, &ports[i], portKind)
npmNetPol.ACLs = append(npmNetPol.ACLs, acl)
Expand All @@ -325,7 +325,7 @@ func peerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Di
}

// translateRule translates ingress or egress rules and update npmNetPol object.
func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction, matchType policies.MatchType, ruleIndex int,
func translateRule(npmNetPol *policies.NPMNetworkPolicy, netPolName string, direction policies.Direction, matchType policies.MatchType, ruleIndex int,
ports []networkingv1.NetworkPolicyPort, peers []networkingv1.NetworkPolicyPeer) error {
// TODO(jungukcho): need to clean up it.
// Leave allowExternal variable now while the condition is checked before calling this function.
Expand All @@ -335,7 +335,7 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Dire
// The code inside if condition is to handle allowing all internal traffic, but the case is handled in #2.4.
// So, this code may not execute. After confirming this, need to delete it.
if !portRuleExists && !peerRuleExists && !allowExternal {
acl := policies.NewACLPolicy(npmNetPol.NameSpace, npmNetPol.Name, policies.Allowed, direction)
acl := policies.NewACLPolicy(policies.Allowed, direction)
ruleIPSets, allowAllInternalSetInfo := allowAllInternal(matchType)
npmNetPol.RuleIPSets = append(npmNetPol.RuleIPSets, ruleIPSets)
acl.AddSetInfo([]policies.SetInfo{allowAllInternalSetInfo})
Expand All @@ -351,7 +351,7 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Dire
return err
}

portACL := policies.NewACLPolicy(npmNetPol.NameSpace, npmNetPol.Name, policies.Allowed, direction)
portACL := policies.NewACLPolicy(policies.Allowed, direction)
npmNetPol.RuleIPSets = portRule(npmNetPol.RuleIPSets, portACL, &ports[i], portKind)
npmNetPol.ACLs = append(npmNetPol.ACLs, portACL)
}
Expand All @@ -362,7 +362,7 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Dire
// #2.1 Handle IPBlock and port if exist
if peer.IPBlock != nil {
if len(peer.IPBlock.CIDR) > 0 {
ipBlockIPSet, ipBlockSetInfo := ipBlockRule(npmNetPol.Name, npmNetPol.NameSpace, direction, matchType, ruleIndex, peerIdx, peer.IPBlock)
ipBlockIPSet, ipBlockSetInfo := ipBlockRule(netPolName, npmNetPol.Namespace, direction, matchType, ruleIndex, peerIdx, peer.IPBlock)
npmNetPol.RuleIPSets = append(npmNetPol.RuleIPSets, ipBlockIPSet)
err := peerAndPortRule(npmNetPol, direction, ports, []policies.SetInfo{ipBlockSetInfo})
if err != nil {
Expand Down Expand Up @@ -397,7 +397,7 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Dire

// #2.3 handle podSelector and port if exist
if peer.PodSelector != nil && peer.NamespaceSelector == nil {
podSelectorIPSets, podSelectorList, err := podSelectorWithNS(npmNetPol.NameSpace, matchType, peer.PodSelector)
podSelectorIPSets, podSelectorList, err := podSelectorWithNS(npmNetPol.Namespace, matchType, peer.PodSelector)
if err != nil {
return err
}
Expand Down Expand Up @@ -441,14 +441,14 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Dire
}

// defaultDropACL returns ACLPolicy to drop traffic which is not allowed.
func defaultDropACL(policyNS, policyName string, direction policies.Direction) *policies.ACLPolicy {
dropACL := policies.NewACLPolicy(policyNS, policyName, policies.Dropped, direction)
func defaultDropACL(direction policies.Direction) *policies.ACLPolicy {
dropACL := policies.NewACLPolicy(policies.Dropped, direction)
return dropACL
}

// allowAllPolicy adds acl to allow all traffic including internal (i.e,. K8s cluster) and external (i.e., internet)
func allowAllPolicy(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction) {
allowAllACL := policies.NewACLPolicy(npmNetPol.NameSpace, npmNetPol.Name, policies.Allowed, direction)
allowAllACL := policies.NewACLPolicy(policies.Allowed, direction)
npmNetPol.ACLs = append(npmNetPol.ACLs, allowAllACL)
}

Expand All @@ -462,7 +462,7 @@ func isAllowAllToIngress(ingress []networkingv1.NetworkPolicyIngressRule) bool {

// ingressPolicy traslates NetworkPolicyIngressRule in NetworkPolicy object
// to NPMNetworkPolicy object.
func ingressPolicy(npmNetPol *policies.NPMNetworkPolicy, ingress []networkingv1.NetworkPolicyIngressRule) error {
func ingressPolicy(npmNetPol *policies.NPMNetworkPolicy, netPolName string, ingress []networkingv1.NetworkPolicyIngressRule) error {
// #1. Allow all traffic from both internal and external.
// In yaml file, it is specified with '{}'.
if isAllowAllToIngress(ingress) {
Expand All @@ -473,20 +473,20 @@ func ingressPolicy(npmNetPol *policies.NPMNetworkPolicy, ingress []networkingv1.
// #2. If ingress is nil (in yaml file, it is specified with '[]'), it means "Deny all" - it does not allow receiving any traffic from others.
if ingress == nil {
// Except for allow all traffic case in #1, the rest of them should have default drop rules.
dropACL := defaultDropACL(npmNetPol.NameSpace, npmNetPol.Name, policies.Ingress)
dropACL := defaultDropACL(policies.Ingress)
npmNetPol.ACLs = append(npmNetPol.ACLs, dropACL)
return nil
}

// #3. Ingress rule is not AllowAll (including internal and external) and DenyAll policy.
// So, start translating ingress policy.
for i, rule := range ingress {
if err := translateRule(npmNetPol, policies.Ingress, policies.SrcMatch, i, rule.Ports, rule.From); err != nil {
if err := translateRule(npmNetPol, netPolName, policies.Ingress, policies.SrcMatch, i, rule.Ports, rule.From); err != nil {
return err
}
}
// Except for allow all traffic case in #1, the rest of them should have default drop rules.
dropACL := defaultDropACL(npmNetPol.NameSpace, npmNetPol.Name, policies.Ingress)
dropACL := defaultDropACL(policies.Ingress)
npmNetPol.ACLs = append(npmNetPol.ACLs, dropACL)
return nil
}
Expand All @@ -501,7 +501,7 @@ func isAllowAllToEgress(egress []networkingv1.NetworkPolicyEgressRule) bool {

// egressPolicy traslates NetworkPolicyEgressRule in networkpolicy object
// to NPMNetworkPolicy object.
func egressPolicy(npmNetPol *policies.NPMNetworkPolicy, egress []networkingv1.NetworkPolicyEgressRule) error {
func egressPolicy(npmNetPol *policies.NPMNetworkPolicy, netPolName string, egress []networkingv1.NetworkPolicyEgressRule) error {
// #1. Allow all traffic to both internal and external.
// In yaml file, it is specified with '{}'.
if isAllowAllToEgress(egress) {
Expand All @@ -512,36 +512,37 @@ func egressPolicy(npmNetPol *policies.NPMNetworkPolicy, egress []networkingv1.Ne
// #2. If egress is nil (in yaml file, it is specified with '[]'), it means "Deny all" - it does not allow sending traffic to others.
if egress == nil {
// Except for allow all traffic case in #1, the rest of them should have default drop rules.
dropACL := defaultDropACL(npmNetPol.NameSpace, npmNetPol.Name, policies.Egress)
dropACL := defaultDropACL(policies.Egress)
npmNetPol.ACLs = append(npmNetPol.ACLs, dropACL)
return nil
}

// #3. Egress rule is not AllowAll (including internal and external) and DenyAll.
// So, start translating egress policy.
for i, rule := range egress {
err := translateRule(npmNetPol, policies.Egress, policies.DstMatch, i, rule.Ports, rule.To)
err := translateRule(npmNetPol, netPolName, policies.Egress, policies.DstMatch, i, rule.Ports, rule.To)
if err != nil {
return err
}
}

// #3. Except for allow all traffic case in #1, the rest of them should have default drop rules.
// Add drop ACL to drop the rest of traffic which is not specified in Egress Spec.
dropACL := defaultDropACL(npmNetPol.NameSpace, npmNetPol.Name, policies.Egress)
dropACL := defaultDropACL(policies.Egress)
npmNetPol.ACLs = append(npmNetPol.ACLs, dropACL)
return nil
}

// TranslatePolicy traslates networkpolicy object to NPMNetworkPolicy object
// and return the NPMNetworkPolicy object.
func TranslatePolicy(npObj *networkingv1.NetworkPolicy) (*policies.NPMNetworkPolicy, error) {
npmNetPol := policies.NewNPMNetworkPolicy(npObj.Name, npObj.Namespace)
netPolName := npObj.Name
npmNetPol := policies.NewNPMNetworkPolicy(netPolName, npObj.Namespace)

// podSelector in spec.PodSelector is common for ingress and egress.
// Process this podSelector first.
var err error
npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.NameSpace, policies.EitherMatch, &npObj.Spec.PodSelector)
npmNetPol.PodSelectorIPSets, npmNetPol.PodSelectorList, err = podSelectorWithNS(npmNetPol.Namespace, policies.EitherMatch, &npObj.Spec.PodSelector)
if err != nil {
return nil, err
}
Expand All @@ -551,12 +552,12 @@ func TranslatePolicy(npObj *networkingv1.NetworkPolicy) (*policies.NPMNetworkPol
// and Egress will be set if the NetworkPolicy has any egress rules.
for _, ptype := range npObj.Spec.PolicyTypes {
if ptype == networkingv1.PolicyTypeIngress {
err := ingressPolicy(npmNetPol, npObj.Spec.Ingress)
err := ingressPolicy(npmNetPol, netPolName, npObj.Spec.Ingress)
if err != nil {
return nil, err
}
} else {
err := egressPolicy(npmNetPol, npObj.Spec.Egress)
err := egressPolicy(npmNetPol, netPolName, npObj.Spec.Egress)
if err != nil {
return nil, err
}
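Review bot: The ACLs created by the new `acl := policies.NewACLPolicy(policies.Allowed, direction)` calls in peerAndPortRule, translateRule and allowAllPolicy (and the Dropped one in defaultDropACL) no longer carry the owning policy's namespace and name, so presumably the dataplane now tells one policy's ACLs from another's only through the policy-level ACLPolicyID; that ID needs to be collision-free across namespaces, because a namespace and name joined with `-` is ambiguous whenever the name itself contains `-`, and an ambiguous ID would let one policy's apply or delete overwrite another policy's rules. The `netPolName` parameter threaded through translateRule, ingressPolicy and egressPolicy is not described in their doc comments; in the visible hunks it is only consumed by the `ipBlockRule(netPolName, npmNetPol.Namespace, ...)` call, so I would add `// netPolName is the Kubernetes NetworkPolicy name; it is passed through to ipBlockRule to derive IPBlock set names.` to translateRule's comment and a one-line pass-through note on ingressPolicy and egressPolicy. In TranslatePolicy, `netPolName := npObj.Name` is the same value handed to NewNPMNetworkPolicy on the next line; if NPMNetworkPolicy no longer stores the name, a short comment saying so would explain why it is carried separately rather than read back from npmNetPol. TranslatePolicy's body continues past the hunk, as do the bodies of translateRule, ingressPolicy and egressPolicy between their hunks.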