Added support of Namespace and Pod selector for networkpolicy #21196
Conversation
openshift-ci-robot
added
the
size/M
JacobTanenbaum
force-pushed
the
podNamespaceSelector
branch
from
969ba53
to
7762948
Compare
|
/test e2e-gcp |
|
@danwinship PTAL |
pkg/network/node/networkpolicy.go
Outdated
| for _, pod := range np.pods { | ||
| vnid, exists := namespaces[pod.Namespace] | ||
| if exists && podSel.Matches(labels.Set(pod.Labels)) { | ||
| vnidsIPs[vnid] = pod.Status.PodIP |
There was a problem hiding this comment.
This will only work for a single matching pod per namespace. I think you need to return an array of {vnid, podIP}. (Or else just do the fmt.Sprintf here and return an array of strings; in that case you should probably change selectPods and selectNamespaces to match, for consistency.)
|
|
||
| testCannotConnect(f, nsA, "client-a", service, 80) | ||
| testCannotConnect(f, nsB, "client-b1", service, 80) | ||
| testCanConnect(f, nsB, "client-b2", service, 80) |
There was a problem hiding this comment.
That's missing one of the 4 possible cases (matching podSelector, non-matching namespaceSelector):
testCannotConnect(f, nsA, "client-b2", service, 80)
7762948
to
ffe4e76
Compare
openshift-ci-robot
added
size/L
|
/test integration |
JacobTanenbaum
force-pushed
the
podNamespaceSelector
branch
from
ffe4e76
to
da1e6a5
Compare
| Expect(err).NotTo(HaveOccurred()) | ||
|
|
||
| // Create Policy for that service that allows traffic only via namespace B | ||
| By("Creating a network policy for the server which allows traffic from namespace-b.") |
There was a problem hiding this comment.
sorry, didn't notice this before, but a bunch of the comments / log messages / object names here seem to have been copied from the namespace-only test, and need to be updated to clarify that this is testing combined namespaceSelector+podSelector
pkg/network/node/networkpolicy.go
Outdated
| for _, pod := range np.pods { | ||
| vnid, exists := namespaces[pod.Namespace] | ||
| if exists && podSel.Matches(labels.Set(pod.Labels)) { | ||
| //vnidsIPs[vnid] = pod.Status.PodIP |
JacobTanenbaum
force-pushed
the
podNamespaceSelector
branch
from
da1e6a5
to
6c4f699
Compare
|
/retest |
|
/test e2e-gcp |
…d peer.NamespaceSelector currently openshift networkpolicy only allows for using either peer.PodSelector or peer.NamespaceSelector. This brings the operation of Openshift's networkpolicy support closer to that of upstream. Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
Signed-off-by: Jacob Tanenbaum <jtanenba@redhat.com>
JacobTanenbaum
force-pushed
the
podNamespaceSelector
branch
from
6c4f699
to
ebca3b6
Compare
|
/retest |
|
What happened to the change to selectPods()? Oh, had you accidentally dropped the " |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, JacobTanenbaum The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test extended_clusterup |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test extended_clusterup |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@JacobTanenbaum: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
currently Openshift networkpolicy only allows for using either peer.PodSelector or peer.NamespaceSelector. This brings the operation of Openshift's networkpolicy support closer to that of upstream by allowing the use of both.