pkg/k8s: handle nil PodSelector and NamespaceSelector within ingress rules #2699
test-me-please
pkg/k8s/network_policy.go
Outdated
endpointSelector := parseNetworkPolicyPeer(namespace, &rule) | ||
|
||
// Case where no label-based selectors were in rule. | ||
if endpointSelector != nil { |
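Review bot: the comment directly above `if endpointSelector != nil {` reads "Case where no label-based selectors were in rule", but that branch runs when a selector was returned. Reword the comment or move it to the nil path so a reader does not assume the rule is being skipped here.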
Please add a debug message that we are skipping to import a rule here
I'll add a log saying that the rule has no PodSelector / NamespaceSelector in ParseNetworkPolicyPeer. We aren't skipping to import a rule because the rule could also have IPBlock restrictions in it which are parsed following this line. Is that OK?
Ah, the comment is incorrect, I'll move it accordingly as well.
pkg/k8s/network_policy_test.go
Outdated
|
||
rules, err := ParseNetworkPolicy(&np) | ||
c.Assert(err, IsNil) | ||
c.Assert(rules, NotNil) |
Create a golang struct with your expectations of what will be the result of ParseNetworkPolicy and assert for deep equalness between your expectations and the result of ParseNetworkPolicy
Done.
|
||
// Ingress with neither pod nor namespace selector set. | ||
ex1 := []byte(`{ | ||
"kind": "NetworkPolicy", |
Minor nitpick - since it's json you can indent this string, but it's nothing of great importance.
68d39cb to d3a99ca
test-me-please
test-me-please
d3a99ca to 6b563f8
test-me-please
pkg/k8s/network_policy_test.go
Outdated
} | ||
|
||
rules, err := ParseNetworkPolicy(&np) | ||
fmt.Printf("parsedRule: %v", rules[0]) |
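Review bot: `rules[0]` is indexed in the `fmt.Printf` line before the `err` returned by `ParseNetworkPolicy(&np)` is checked, so a parse error or an empty result would panic the test instead of failing an assertion. Drop the print and assert on `err` before touching `rules`.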
Leftovers fmt.Printfs
Fixed.
6b563f8 to bfcf076
test-me-please
test-me-please
Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional. Gracefully handle when these objects are nil when we are parsing NetworkPolicy. Signed-off by: Ian Vernon <ian@cilium.io>
bfcf076 to 4d28106
test-me-please
test-me-please
Keep hitting issues that were fixed by #2686 :
This is in no way related to my changes, so I tried again. I notice that the node used is |
Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional.
Gracefully handle when these objects are nil when we are parsing NetworkPolicy.
Signed-off by: Ian Vernon <ian@cilium.io>
Fixes: #2698
How to test:
1. K8S=1 ./contrib/vagrant/start.sh
2. kubectl create -f <policy file>
3. Cilium doesn't crash and the policy is present in cilium policy get
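The nil handling this pull request describes, as an added sketch that is not Cilium's code: the types are simplified stand-ins for the Kubernetes peer types, and `parsePeers` and `Parsed` are hypothetical names. It shows that a peer with neither selector set must not be dereferenced, and that its IPBlock is still parsed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins (assumptions) for the Kubernetes peer types. Optional
// fields are pointers, so a field omitted from the JSON decodes to nil.
type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels"`
}
type IPBlock struct {
	CIDR string `json:"cidr"`
}
type Peer struct {
	PodSelector       *LabelSelector `json:"podSelector"`
	NamespaceSelector *LabelSelector `json:"namespaceSelector"`
	IPBlock           *IPBlock       `json:"ipBlock"`
}
type Parsed struct { // hypothetical result type for this sketch
	Selectors []LabelSelector
	CIDRs     []string
}

// parsePeers checks every optional field before dereferencing it. A peer
// without label selectors is not dropped: its IPBlock is still collected.
func parsePeers(raw []byte) (Parsed, error) {
	var peers []Peer
	var out Parsed
	if err := json.Unmarshal(raw, &peers); err != nil {
		return out, err
	}
	for _, p := range peers {
		if p.PodSelector != nil {
			out.Selectors = append(out.Selectors, *p.PodSelector)
		}
		if p.NamespaceSelector != nil {
			out.Selectors = append(out.Selectors, *p.NamespaceSelector)
		}
		if p.IPBlock != nil {
			out.CIDRs = append(out.CIDRs, p.IPBlock.CIDR)
		}
	}
	return out, nil
}

func main() {
	// Constructed input: IPBlock-only peer, pod-selector peer, empty peer.
	raw := []byte(`[{"ipBlock":{"cidr":"10.0.0.0/8"}},{"podSelector":{"matchLabels":{"app":"web"}}},{}]`)
	out, err := parsePeers(raw)
	fmt.Println(out, err)
}
```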