policy: fix clusterwide policy status update issue for k8s<1.13

Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
jessfraz · Nov 11, 2019 · 47ce275 · 47ce275
1 parent e253f0f
commit 47ce275
Show file tree

Hide file tree

Showing 10 changed files with 66 additions and 21 deletions.
diff --git a/pkg/k8s/apis/cilium.io/utils/utils.go b/pkg/k8s/apis/cilium.io/utils/utils.go
@@ -63,13 +63,14 @@ func GetPolicyLabels(ns, name string, uid types.UID, derivedFrom string) labels.
 		labels.NewLabel(k8sConst.PolicyLabelName, name, labels.LabelSourceK8s),
 	}
 
+	// For clusterwide policy namespace will be empty.
 	if ns != "" {
-		labelsArr = append(labelsArr, labels.NewLabel(k8sConst.PolicyLabelNamespace, ns, labels.LabelSourceK8s))
+		nsLabel := labels.NewLabel(k8sConst.PolicyLabelNamespace, ns, labels.LabelSourceK8s)
+		labelsArr = append(labelsArr, nsLabel)
 	}
 
-	labelsArr = append(labelsArr, labels.NewLabel(k8sConst.PolicyLabelUID, string(uid), labels.LabelSourceK8s))
-
-	return labelsArr
+	srcLabel := labels.NewLabel(k8sConst.PolicyLabelUID, string(uid), labels.LabelSourceK8s)
+	return append(labelsArr, srcLabel)
 }
 
 // getEndpointSelector converts the provided labelSelector into an EndpointSelector,

diff --git a/pkg/k8s/apis/cilium.io/v2/types.go b/pkg/k8s/apis/cilium.io/v2/types.go
@@ -295,7 +295,14 @@ type CiliumNetworkPolicyList struct {
 // CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an modified version
 // of CiliumNetworkPolicy which is cluster scoped rather than namespace scoped.
 type CiliumClusterwideNetworkPolicy struct {
-	CiliumNetworkPolicy
+	*CiliumNetworkPolicy
+
+	// Status is the status of the Cilium policy rule
+	// +optional
+	// The reason this field exists in this structure is due a bug in the k8s code-generator
+	// that doesn't create a `UpdateStatus` method because the field does not exist in
+	// the structure.
+	Status CiliumNetworkPolicyStatus `json:"status"`
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

diff --git a/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v2/zz_generated.deepcopy.go
diff --git a/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/ciliumclusterwidenetworkpolicy.go b/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2/ciliumclusterwidenetworkpolicy.go
diff --git a/...client/clientset/versioned/typed/cilium.io/v2/fake/fake_ciliumclusterwidenetworkpolicy.go b/...client/clientset/versioned/typed/cilium.io/v2/fake/fake_ciliumclusterwidenetworkpolicy.go
diff --git a/pkg/k8s/cnp.go b/pkg/k8s/cnp.go
@@ -552,10 +552,10 @@ func updateStatusesByCapabilities(client clientset.Interface, capabilities k8sve
 		}
 
 		if ns == "" {
-			cwp := &cilium_v2.CiliumClusterwideNetworkPolicy{
-				CiliumNetworkPolicy: *cnp.CiliumNetworkPolicy,
+			ccnp := &cilium_v2.CiliumClusterwideNetworkPolicy{
+				CiliumNetworkPolicy: cnp.CiliumNetworkPolicy,
 			}
-			_, err = client.CiliumV2().CiliumClusterwideNetworkPolicies().Update(cwp)
+			_, err = client.CiliumV2().CiliumClusterwideNetworkPolicies().UpdateStatus(ccnp)
 		} else {
 			_, err = client.CiliumV2().CiliumNetworkPolicies(ns).UpdateStatus(cnp.CiliumNetworkPolicy)
 		}
@@ -571,12 +571,12 @@ func updateStatusesByCapabilities(client clientset.Interface, capabilities k8sve
 		}
 
 		if ns == "" {
-			cwp := &cilium_v2.CiliumClusterwideNetworkPolicy{
-				CiliumNetworkPolicy: *cnp.CiliumNetworkPolicy,
+			ccnp := &cilium_v2.CiliumClusterwideNetworkPolicy{
+				CiliumNetworkPolicy: cnp.CiliumNetworkPolicy,
 			}
-			_, err = client.CiliumV2().CiliumClusterwideNetworkPolicies().Update(cwp)
+			_, err = client.CiliumV2().CiliumClusterwideNetworkPolicies().Update(ccnp)
 		} else {
-			_, err = client.CiliumV2().CiliumNetworkPolicies(ns).UpdateStatus(cnp.CiliumNetworkPolicy)
+			_, err = client.CiliumV2().CiliumNetworkPolicies(ns).Update(cnp.CiliumNetworkPolicy)
 		}
 	}
 	if err != nil {

diff --git a/pkg/k8s/factory_functions.go b/pkg/k8s/factory_functions.go
@@ -383,19 +383,24 @@ func ConvertToIngress(obj interface{}) interface{} {
 func ConvertToCCNPWithStatus(obj interface{}) interface{} {
 	switch concreteObj := obj.(type) {
 	case *cilium_v2.CiliumClusterwideNetworkPolicy:
-		return &types.SlimCNP{
-			CiliumNetworkPolicy: &concreteObj.CiliumNetworkPolicy,
+		t := &types.SlimCNP{
+			CiliumNetworkPolicy: concreteObj.CiliumNetworkPolicy,
 		}
+		t.Status = concreteObj.Status
+		return t
+
 	case cache.DeletedFinalStateUnknown:
 		cnp, ok := concreteObj.Obj.(*cilium_v2.CiliumClusterwideNetworkPolicy)
 		if !ok {
 			return obj
 		}
+		t := &types.SlimCNP{
+			CiliumNetworkPolicy: cnp.CiliumNetworkPolicy,
+		}
+		t.Status = cnp.Status
 		return cache.DeletedFinalStateUnknown{
 			Key: concreteObj.Key,
-			Obj: &types.SlimCNP{
-				CiliumNetworkPolicy: &cnp.CiliumNetworkPolicy,
-			},
+			Obj: t,
 		}
 
 	default:

diff --git a/test/k8sT/manifests/ccnp-default-deny-egress.yaml b/test/k8sT/manifests/ccnp-default-deny-egress.yaml
@@ -5,4 +5,4 @@ metadata:
 spec:
   endpointSelector: {}
   egress:
-  - {}
+  - {}
diff --git a/test/k8sT/manifests/ccnp-update-allow-all.yaml b/test/k8sT/manifests/ccnp-update-allow-all.yaml
@@ -10,4 +10,4 @@ spec:
     - {}
   egress:
   - toEndpoints:
-    - {}
+    - {}
diff --git a/test/k8sT/manifests/ccnp-update-allow-ingress.yaml b/test/k8sT/manifests/ccnp-update-allow-ingress.yaml
@@ -14,4 +14,4 @@ spec:
     toPorts:
     - ports:
       - port: "80"
-        protocol: TCP
+        protocol: TCP