Add support for namespace label selectors in K8s policies#566
Merged
jmedved merged 3 commits intocontiv:masterfrom Feb 2, 2018
Merged
Add support for namespace label selectors in K8s policies#566jmedved merged 3 commits intocontiv:masterfrom
jmedved merged 3 commits intocontiv:masterfrom
Conversation
jmedved
changed the title
jmedved
reviewed
Feb 2, 2018
| namespaceLabelSelector *policymodel.Policy_LabelSelector) (pods []podmodel.ID) { | ||
| // An empty namespace selector matches all namespaces. | ||
| if len(namespaceLabelSelector.MatchExpression) == 0 && len(namespaceLabelSelector.MatchLabel) == 0 { | ||
| allPods := pc.configuredPods.ListAll() |
Member
There was a problem hiding this comment.
check that namespaceLabelSelector is not nil first; if it is (possible if no label selectors are present in the policy), the check for MatchExpression will panic.
…go & plugins/policy/processor/processor.go
Member
Author
|
Commit 8ad1e7e |
jmedved
approved these changes
Feb 2, 2018
tiewei
reviewed
Feb 2, 2018
| namespaceLabelSelector *policymodel.Policy_LabelSelector) (pods []podmodel.ID) { | ||
| // An empty namespace selector matches all namespaces. | ||
| if len(namespaceLabelSelector.MatchExpression) == 0 && len(namespaceLabelSelector.MatchLabel) == 0 { | ||
| allPods := pc.configuredPods.ListAll() |
| matchLabels := namespaceLabelSelector.MatchLabel | ||
|
|
||
| found, namespaceSelectorPods := pc.getPodsByLabelSelector(matchLabels) | ||
| if !found { |
Contributor
There was a problem hiding this comment.
I think this is not required, if not found it namespaceSelectorPods is empty slice anyway
|
|
||
| // GetPodsByNSLabelSelector returns the pods that match a collection of Label Selectors in the same namespace | ||
| func (pc *PolicyCache) getPodsByNSLabelSelector(namespace string, labels []*policymodel.Policy_Label) (bool, []string) { | ||
| newPodSet := []string{} |
Contributor
There was a problem hiding this comment.
this change doesn't look necessary, but it's fine
| tmp := utils.Intersect(prevPodSet, newPodSet) | ||
| tmp := utils.Intersect(prevNamespaceSet, newNamespaceSet) | ||
| if len(tmp) == 0 { | ||
| return false, nil |
Contributor
There was a problem hiding this comment.
Here i would return empty string slice instead
| if len(pods) == 0 { | ||
| return false, []string{} | ||
| } | ||
| return true, pods |
Contributor
There was a problem hiding this comment.
I noticed this file having a lot return Bool, Slice usage, is it really necessary ? an empty slice should be enough for later range operations, the only usage difference when return false is the 2nd return value is a clear empty slice, while at that time the pods is already ensured to be a empty slice, so whats the point of doing it here ?
| prevPodSet = newPodSet | ||
| newPodSet = tmp | ||
| prevNamespaceSet = newNamespaceSet | ||
| newNamespaceSet = tmp |
Contributor
There was a problem hiding this comment.
this for loop is trying to get the intersect of all labels selector's result, it's a little hard to understand
current = pre = setA
for i := 1; i < len(labels); i++ {
pre = current
setB = query()
current = utils.Intersect(pre, setB)
}
for _, ns : = range current
pods = append(pods, xxx)
}
In this way you don't have to treat the 1 label case separately
| // Get all namespaces that match namespace label selector | ||
| namespaces := pp.Cache.LookupNamespacesByLabelSelector(label) | ||
| if len(namespaces) == 0 { | ||
| return isMatch |
| // Check if matched namespaces include pod's namespace | ||
| for _, namespace := range namespaces { | ||
| if namespace == podNamespace { | ||
| namespaceExists = true |
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
This PR addresses comment suggestions of contiv#566. - Refactor code for match expression and match label files to return only []string - Simplified getPodsByNSLabelSelector & getPodsByLabelSelector in match_label.go to be easily readable - Added missing comments for function description and more robust comments in code - Fixed two bugs in processor.go (missing "!" and worng function call)
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
This PR addresses comment suggestions of contiv#566. - Refactor code for match expression and match label files to return only []string - Simplified getPodsByNSLabelSelector & getPodsByLabelSelector in match_label.go to be easily readable - Added missing comments for function description and more robust comments in code - Fixed two bugs in processor.go (missing "!" and worng function call)
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
This PR addresses comment suggestions of contiv#566. - Refactor code for match expression and match label files to return only []string - Simplified getPodsByNSLabelSelector & getPodsByLabelSelector in match_label.go to be easily readable - Added missing comments for function description and more robust comments in code - Fixed two bugs in processor.go (missing "!" and worng function call)
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
This PR addresses comment suggestions of contiv#566. - Refactor code for match expression and match label files to return only []string - Simplified getPodsByNSLabelSelector & getPodsByLabelSelector in match_label.go to be easily readable - Added missing comments for function description and more robust comments in code - Fixed two bugs in processor.go (missing "!" and worng function call)
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
- Changed Interesct function to calculate more than two slices. Added an additional check for empty slices. - Added an additional check for empty labels in getPodsByNSLabelSelector and getMatchExpressionPods on file match_label.on. If empty labels empty slice is returned - Simplified cache_implementation code by removing if cases when no labels provided. The if cases are now handled in getPodsByNSLabelSelector and getMatchExpressionPods.
brecode
added a commit
to brecode/contiv-vpp
that referenced
this pull request
Feb 3, 2018
- Changed Interesct function to calculate more than two slices. Added an additional check for empty slices. - Added an additional check for empty labels in getPodsByNSLabelSelector and getMatchExpressionPods on file match_label.on. If empty labels empty slice is returned - Simplified cache_implementation code by removing if cases when no labels provided. The if cases are now handled in getPodsByNSLabelSelector and getMatchExpressionPods. - Removed unecessary function call on duplicates to slices on match_expression.go The duplicate removal is handled by Intersect function
milanlenco
pushed a commit
that referenced
this pull request
Feb 5, 2018
Policy Cache & Policy Processor fixes for #566
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR makes a few changes in the policy plugin, adding support for namespace label selectors, both for Ingress and Egress Rules. Also fixes bugs related to empty podSelectors and empty namespaceLabelSelectors. Fixes should be also part of #560 and #565