Respect label selector (#1481)

This patch makes all Antrea APIs respect label selector to fix the problem that some K8s clients get unexpected resources when labelSelector is specified.
antrea-io · Nov 5, 2020 · 714af4d · 714af4d
1 parent 7c123db
commit 714af4d
Show file tree

Hide file tree

Showing 14 changed files with 532 additions and 15 deletions.
diff --git a/pkg/apiserver/registry/networkpolicy/addressgroup/rest.go b/pkg/apiserver/registry/networkpolicy/addressgroup/rest.go
@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -71,12 +72,20 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 }
 
 func (r *REST) List(ctx context.Context, options *internalversion.ListOptions) (runtime.Object, error) {
+	labelSelector := labels.Everything()
+	if options != nil && options.LabelSelector != nil {
+		labelSelector = options.LabelSelector
+	}
 	addressGroups := r.addressGroupStore.List()
-	list := new(controlplane.AddressGroupList)
-	list.Items = make([]controlplane.AddressGroup, len(addressGroups))
+	items := make([]controlplane.AddressGroup, 0, len(addressGroups))
 	for i := range addressGroups {
-		store.ToAddressGroupMsg(addressGroups[i].(*types.AddressGroup), &list.Items[i], true)
+		var item controlplane.AddressGroup
+		store.ToAddressGroupMsg(addressGroups[i].(*types.AddressGroup), &item, true)
+		if labelSelector.Matches(labels.Set(item.Labels)) {
+			items = append(items, item)
+		}
 	}
+	list := &controlplane.AddressGroupList{Items: items}
 	return list, nil
 }
 

diff --git a/pkg/apiserver/registry/networkpolicy/addressgroup/rest_test.go b/pkg/apiserver/registry/networkpolicy/addressgroup/rest_test.go
@@ -0,0 +1,80 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package addressgroup
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/vmware-tanzu/antrea/pkg/apis/controlplane"
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/vmware-tanzu/antrea/pkg/controller/networkpolicy/store"
+	"github.com/vmware-tanzu/antrea/pkg/controller/types"
+)
+
+func TestRESTList(t *testing.T) {
+	tests := []struct {
+		name          string
+		addressGroups []*types.AddressGroup
+		labelSelector labels.Selector
+		expectedObj   runtime.Object
+	}{
+		{
+			name: "label selector selecting nothing",
+			addressGroups: []*types.AddressGroup{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Nothing(),
+			expectedObj:   &controlplane.AddressGroupList{},
+		},
+		{
+			name: "label selector selecting everything",
+			addressGroups: []*types.AddressGroup{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Everything(),
+			expectedObj: &controlplane.AddressGroupList{
+				Items: []controlplane.AddressGroup{
+					{
+						ObjectMeta: v1.ObjectMeta{
+							Name: "foo",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			storage := store.NewAddressGroupStore()
+			for _, obj := range tt.addressGroups {
+				storage.Create(obj)
+			}
+			r := NewREST(storage)
+			actualObj, err := r.List(context.TODO(), &internalversion.ListOptions{LabelSelector: tt.labelSelector})
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, tt.expectedObj.(*controlplane.AddressGroupList).Items, actualObj.(*controlplane.AddressGroupList).Items)
+		})
+	}
+}
diff --git a/pkg/apiserver/registry/networkpolicy/appliedtogroup/rest.go b/pkg/apiserver/registry/networkpolicy/appliedtogroup/rest.go
@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -71,12 +72,20 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 }
 
 func (r *REST) List(ctx context.Context, options *internalversion.ListOptions) (runtime.Object, error) {
+	labelSelector := labels.Everything()
+	if options != nil && options.LabelSelector != nil {
+		labelSelector = options.LabelSelector
+	}
 	appliedToGroups := r.appliedToGroupStore.List()
-	list := new(controlplane.AppliedToGroupList)
-	list.Items = make([]controlplane.AppliedToGroup, len(appliedToGroups))
+	items := make([]controlplane.AppliedToGroup, 0, len(appliedToGroups))
 	for i := range appliedToGroups {
-		store.ToAppliedToGroupMsg(appliedToGroups[i].(*types.AppliedToGroup), &list.Items[i], true, nil)
+		var item controlplane.AppliedToGroup
+		store.ToAppliedToGroupMsg(appliedToGroups[i].(*types.AppliedToGroup), &item, true, nil)
+		if labelSelector.Matches(labels.Set(item.Labels)) {
+			items = append(items, item)
+		}
 	}
+	list := &controlplane.AppliedToGroupList{Items: items}
 	return list, nil
 }
 

diff --git a/pkg/apiserver/registry/networkpolicy/appliedtogroup/rest_test.go b/pkg/apiserver/registry/networkpolicy/appliedtogroup/rest_test.go
@@ -0,0 +1,80 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package appliedtogroup
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/vmware-tanzu/antrea/pkg/apis/controlplane"
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/vmware-tanzu/antrea/pkg/controller/networkpolicy/store"
+	"github.com/vmware-tanzu/antrea/pkg/controller/types"
+)
+
+func TestRESTList(t *testing.T) {
+	tests := []struct {
+		name            string
+		appliedToGroups []*types.AppliedToGroup
+		labelSelector   labels.Selector
+		expectedObj     runtime.Object
+	}{
+		{
+			name: "label selector selecting nothing",
+			appliedToGroups: []*types.AppliedToGroup{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Nothing(),
+			expectedObj:   &controlplane.AppliedToGroupList{},
+		},
+		{
+			name: "label selector selecting everything",
+			appliedToGroups: []*types.AppliedToGroup{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Everything(),
+			expectedObj: &controlplane.AppliedToGroupList{
+				Items: []controlplane.AppliedToGroup{
+					{
+						ObjectMeta: v1.ObjectMeta{
+							Name: "foo",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			storage := store.NewAppliedToGroupStore()
+			for _, obj := range tt.appliedToGroups {
+				storage.Create(obj)
+			}
+			r := NewREST(storage)
+			actualObj, err := r.List(context.TODO(), &internalversion.ListOptions{LabelSelector: tt.labelSelector})
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, tt.expectedObj.(*controlplane.AppliedToGroupList).Items, actualObj.(*controlplane.AppliedToGroupList).Items)
+		})
+	}
+}
diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicy/rest.go b/pkg/apiserver/registry/networkpolicy/networkpolicy/rest.go
@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/apiserver/pkg/registry/rest"
@@ -71,10 +72,18 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 }
 
 func (r *REST) List(ctx context.Context, options *internalversion.ListOptions) (runtime.Object, error) {
+	labelSelector := labels.Everything()
+	if options != nil && options.LabelSelector != nil {
+		labelSelector = options.LabelSelector
+	}
 	networkPolicies := r.networkPolicyStore.List()
-	items := make([]controlplane.NetworkPolicy, len(networkPolicies))
+	items := make([]controlplane.NetworkPolicy, 0, len(networkPolicies))
 	for i := range networkPolicies {
-		store.ToNetworkPolicyMsg(networkPolicies[i].(*types.NetworkPolicy), &items[i], true)
+		var item controlplane.NetworkPolicy
+		store.ToNetworkPolicyMsg(networkPolicies[i].(*types.NetworkPolicy), &item, true)
+		if labelSelector.Matches(labels.Set(item.Labels)) {
+			items = append(items, item)
+		}
 	}
 	list := &controlplane.NetworkPolicyList{Items: items}
 	return list, nil

diff --git a/pkg/apiserver/registry/networkpolicy/networkpolicy/rest_test.go b/pkg/apiserver/registry/networkpolicy/networkpolicy/rest_test.go
@@ -0,0 +1,80 @@
+// Copyright 2020 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package networkpolicy
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/vmware-tanzu/antrea/pkg/apis/controlplane"
+	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/vmware-tanzu/antrea/pkg/controller/networkpolicy/store"
+	"github.com/vmware-tanzu/antrea/pkg/controller/types"
+)
+
+func TestRESTList(t *testing.T) {
+	tests := []struct {
+		name            string
+		networkPolicies []*types.NetworkPolicy
+		labelSelector   labels.Selector
+		expectedObj     runtime.Object
+	}{
+		{
+			name: "label selector selecting nothing",
+			networkPolicies: []*types.NetworkPolicy{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Nothing(),
+			expectedObj:   &controlplane.NetworkPolicyList{},
+		},
+		{
+			name: "label selector selecting everything",
+			networkPolicies: []*types.NetworkPolicy{
+				{
+					Name: "foo",
+				},
+			},
+			labelSelector: labels.Everything(),
+			expectedObj: &controlplane.NetworkPolicyList{
+				Items: []controlplane.NetworkPolicy{
+					{
+						ObjectMeta: v1.ObjectMeta{
+							Name: "foo",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			storage := store.NewNetworkPolicyStore()
+			for _, obj := range tt.networkPolicies {
+				storage.Create(obj)
+			}
+			r := NewREST(storage)
+			actualObj, err := r.List(context.TODO(), &internalversion.ListOptions{LabelSelector: tt.labelSelector})
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, tt.expectedObj.(*controlplane.NetworkPolicyList).Items, actualObj.(*controlplane.NetworkPolicyList).Items)
+		})
+	}
+}
diff --git a/pkg/apiserver/registry/stats/antreaclusternetworkpolicystats/rest.go b/pkg/apiserver/registry/stats/antreaclusternetworkpolicystats/rest.go
@@ -23,6 +23,7 @@ import (
 	metatable "k8s.io/apimachinery/pkg/api/meta/table"
 	"k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 
@@ -67,7 +68,17 @@ func (r *REST) List(ctx context.Context, options *internalversion.ListOptions) (
 	if !features.DefaultFeatureGate.Enabled(features.AntreaPolicy) {
 		return nil, errors.NewBadRequest("feature AntreaPolicy disabled")
 	}
-	items := r.statsProvider.ListAntreaClusterNetworkPolicyStats()
+	labelSelector := labels.Everything()
+	if options != nil && options.LabelSelector != nil {
+		labelSelector = options.LabelSelector
+	}
+	stats := r.statsProvider.ListAntreaClusterNetworkPolicyStats()
+	items := make([]statsv1alpha1.AntreaClusterNetworkPolicyStats, 0, len(stats))
+	for i := range stats {
+		if labelSelector.Matches(labels.Set(stats[i].Labels)) {
+			items = append(items, stats[i])
+		}
+	}
 	metricList := &statsv1alpha1.AntreaClusterNetworkPolicyStatsList{
 		Items: items,
 	}