run default deny reconciler when service change

otterize · May 22, 2024 · e27bed3 · e27bed3
1 parent 9abbf3c
commit e27bed3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go b/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go
@@ -2,11 +2,13 @@ package port_network_policy
 
 import (
 	"context"
+	"github.com/otterize/intents-operator/src/operator/controllers/protected_service_reconcilers"
 	"github.com/otterize/intents-operator/src/operator/effectivepolicy"
 	"github.com/otterize/intents-operator/src/shared/errors"
 	"github.com/otterize/intents-operator/src/shared/injectablerecorder"
 	"github.com/samber/lo"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -19,23 +21,35 @@ type ServiceWatcher struct {
 	client.Client
 	injectablerecorder.InjectableRecorder
 	serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler
+	defaultDenyReconciler            *protected_service_reconcilers.DefaultDenyReconciler
 }
 
-func NewServiceWatcher(c client.Client, eventRecorder record.EventRecorder, serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler) *ServiceWatcher {
+func NewServiceWatcher(c client.Client, eventRecorder record.EventRecorder, serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler, netpolEnabled bool, externalHandler protected_service_reconcilers.ExternalNepolHandler) *ServiceWatcher {
 	recorder := injectablerecorder.InjectableRecorder{Recorder: eventRecorder}
-	return &ServiceWatcher{
+	sw := &ServiceWatcher{
 		Client:                           c,
 		InjectableRecorder:               recorder,
 		serviceEffectivePolicyReconciler: serviceEffectivePolicyReconciler,
 	}
+	if netpolEnabled {
+		sw.defaultDenyReconciler = protected_service_reconcilers.NewDefaultDenyReconciler(c, externalHandler, netpolEnabled)
+	}
+	return sw
 }
 
-func (r *ServiceWatcher) Reconcile(ctx context.Context, _ reconcile.Request) (ctrl.Result, error) {
+func (r *ServiceWatcher) Reconcile(ctx context.Context, req reconcile.Request) (ctrl.Result, error) {
 	err := r.serviceEffectivePolicyReconciler.Reconcile(ctx)
 	if err != nil {
 		return ctrl.Result{}, errors.Wrap(err)
 	}
 
+	if r.defaultDenyReconciler != nil {
+		res, err := r.defaultDenyReconciler.Reconcile(ctx, ctrl.Request{NamespacedName: types.NamespacedName{Namespace: req.Namespace}})
+		if err != nil || res.Requeue {
+			return res, errors.Wrap(err)
+		}
+	}
+
 	return ctrl.Result{}, nil
 }
 

diff --git a/src/operator/main.go b/src/operator/main.go
@@ -463,7 +463,7 @@ func main() {
 
 	podWatcher := pod_reconcilers.NewPodWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), watchedNamespaces, enforcementConfig.EnforcementDefaultState, enforcementConfig.EnableIstioPolicy, enforcementConfig.EnforcedNamespaces, intentsReconciler)
 	nsWatcher := pod_reconcilers.NewNamespaceWatcher(mgr.GetClient())
-	svcWatcher := port_network_policy.NewServiceWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), epGroupReconciler)
+	svcWatcher := port_network_policy.NewServiceWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), epGroupReconciler, enforcementConfig.EnableNetworkPolicy, extNetpolHandler)
 
 	err = svcWatcher.SetupWithManager(mgr)
 	if err != nil {