Add MultiNetworkPolicy resource #1573
Conversation
|
Report bugs in Issues The following are automatically added:
Available user actions:
Supported /retest check runs
Supported labels
|
Anatw
force-pushed
the
add_multi_network_policy_resource
branch
from
2f9d662 to
7a4b48b
Compare
| nad_name_for_policy (str): The name of the NetworkAttachmentDefinition to which the resources connected | ||
| the created policy will impact. | ||
| client (DynamicClient): Dynamic client for connecting to a remote cluster. | ||
| policy_types (list): one or both of the valid ip policies - "Ingress" and "Egress". |
There was a problem hiding this comment.
do not include api-supported values
| self.res["metadata"]["annotations"] = { | ||
| f"{MultiNetworkPolicy.api_group}/policy-for": f"{self.namespace}" f"/{self.nad_name_for_policy}" | ||
| } | ||
| updated_data = { |
There was a problem hiding this comment.
set directly in self.res["spec"]
There was a problem hiding this comment.
I don't understand. This is part of the metadata, not the spec.
There was a problem hiding this comment.
updated_data is set as spec
please see other resources to see how we set data under spec
| for policy in self.policy_types: | ||
| if policy == "Ingress": | ||
| ingress = "ingress" | ||
| if not self.ingress: |
There was a problem hiding this comment.
this can be an empty list - see Deny ingress from all pods in all namespaces section
| } | ||
| } | ||
| self.res["spec"] = {} | ||
| for policy in self.policy_types: |
There was a problem hiding this comment.
if a user sends self.ingress or self.egress; add it to the spec
| self.res["metadata"]["annotations"] = { | ||
| f"{MultiNetworkPolicy.api_group}/policy-for": f"{self.namespace}" f"/{self.nad_name_for_policy}" | ||
| } | ||
| updated_data = { |
There was a problem hiding this comment.
updated_data is set as spec
please see other resources to see how we set data under spec
|
@Anatw Please do not resolve comments without pushing new code. |
Anatw
force-pushed
the
add_multi_network_policy_resource
branch
from
7a4b48b to
31576cb
Compare
myakove
left a comment
myakove
left a comment
There was a problem hiding this comment.
None of the comments was addressed.
Anatw
force-pushed
the
add_multi_network_policy_resource
branch
from
31576cb to
46b27f0
Compare
| policy_types (list): One or both of the valid ip policies - "Ingress" and "Egress". | ||
| ingress (list): list containing a dictionary specifying the allowed "from" parameters. | ||
| egress (list): list containing a dictionary specifying the allowed "to" parameters. | ||
| pod_selector (dict): Map a label to match. |
There was a problem hiding this comment.
please add optional to those that are not mandatory
| raise ValueError("network_name is required") | ||
|
|
||
| self.res["metadata"]["annotations"] = { | ||
| f"{self.api_group}/policy-for": f"{self.namespace} /{self.network_name}" |
There was a problem hiding this comment.
| f"{self.api_group}/policy-for": f"{self.namespace} /{self.network_name}" | |
| f"{self.api_group}/policy-for": f"{self.namespace}/{self.network_name}" |
redundant space?
| f"{self.api_group}/policy-for": f"{self.namespace} /{self.network_name}" | ||
| } | ||
| self.res["spec"] = {} | ||
| self.res["spec"].update({ |
There was a problem hiding this comment.
assign directly in self.res["spec"]
| } | ||
| self.res["spec"] = {} | ||
| self.res["spec"].update({ | ||
| "podSelector": {"matchLabels": self.pod_selector} if self.pod_selector else {}, |
There was a problem hiding this comment.
user should send the whole dict; empty dict will block all
this is mandatory
| "podSelector": {"matchLabels": self.pod_selector} if self.pod_selector else {}, | ||
| "policyTypes": self.policy_types, | ||
| }) | ||
| if self.ingress: |
There was a problem hiding this comment.
can be empty list (deny all) - this condition will not apply what is requested by the user
There was a problem hiding this comment.
if the user want to deny all he should send an empty list.
There was a problem hiding this comment.
If you tested it, and it's working, then I guess t is OK.
Did you test it?
There was a problem hiding this comment.
Yes, the user can send an empty list
There was a problem hiding this comment.
I'm not sure about it.
In [1]: ingress = []
In [2]: if ingress:
...: print("ingress")
...:
In [3]:
How your code going to set [] if it will never get in here if the user send []?
What do I miss?
| }) | ||
| if self.ingress: | ||
| self.res["spec"].update({"ingress": self.ingress}) | ||
| else: # self.egress |
There was a problem hiding this comment.
- please remove the inline comment
- see comment on empty list above
- if one of them is mandatory, please add a check. if not, please add a separate condition - according to the doc, one of them must exist
There was a problem hiding this comment.
It is possible to create a policy without self.ingress or self.egress:
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
annotations:
k8s.cni.cncf.io/policy-for: flat-overlay-ns/flat-l2-nad
name: flat-overlay-mnp
namespace: flat-overlay-ns
spec:
podSelector:
matchLabels:
kubevirt.io/vm: vma
policyTypes:
- Egress
Can you please refer me to where in the documentation you saw that including at least one of them is mandatory?
I added a condition instead of the 'else'.
There was a problem hiding this comment.
If you tested it, and it's working, then I guess t is OK.
Did you test it?
I can't respond to your original message so I'm responding here - I did test it and the policy is created successfully. If the documentation is specifically claiming otherwise I want to make sure this is not a bug.
|
|
/verified |
|
/cherry-pick v4.15 |
Signed-off-by: Anat Wax <awax@redhat.com>
|
Cherry-picked PR Add MultiNetworkPolicy resource into v4.15 |
Signed-off-by: Anat Wax <awax@redhat.com>
7 participants
Short description:
More details:
What this PR does / why we need it:
Which issue(s) this PR fixes:
Special notes for reviewer:
Bug: