diff --git a/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go b/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go
index b31f8ffe7..a790934a5 100644
--- a/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go
+++ b/src/operator/controllers/intents_reconcilers/port_network_policy/svc_reconcilers.go
@@ -2,11 +2,13 @@ package port_network_policy
 
 import (
 "context"
+ "github.com/otterize/intents-operator/src/operator/controllers/protected_service_reconcilers"
 "github.com/otterize/intents-operator/src/operator/effectivepolicy"
 "github.com/otterize/intents-operator/src/shared/errors"
 "github.com/otterize/intents-operator/src/shared/injectablerecorder"
 "github.com/samber/lo"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/tools/record"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -19,23 +21,35 @@ type ServiceWatcher struct {
 client.Client
 injectablerecorder.InjectableRecorder
 serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler
+ defaultDenyReconciler *protected_service_reconcilers.DefaultDenyReconciler
 }
 
-func NewServiceWatcher(c client.Client, eventRecorder record.EventRecorder, serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler) *ServiceWatcher {
+func NewServiceWatcher(c client.Client, eventRecorder record.EventRecorder, serviceEffectivePolicyReconciler *effectivepolicy.GroupReconciler, netpolEnabled bool, externalHandler protected_service_reconcilers.ExternalNepolHandler) *ServiceWatcher {
 recorder := injectablerecorder.InjectableRecorder{Recorder: eventRecorder}
- return &ServiceWatcher{
+ sw := &ServiceWatcher{
 Client: c,
 InjectableRecorder: recorder,
 serviceEffectivePolicyReconciler: serviceEffectivePolicyReconciler,
 }
+ if netpolEnabled {
+ sw.defaultDenyReconciler = protected_service_reconcilers.NewDefaultDenyReconciler(c, externalHandler, netpolEnabled)
+ }
+ return sw
 }
 
-func (r *ServiceWatcher) Reconcile(ctx context.Context, _ reconcile.Request) (ctrl.Result, error) {
+func (r *ServiceWatcher) Reconcile(ctx context.Context, req reconcile.Request) (ctrl.Result, error) {
 err := r.serviceEffectivePolicyReconciler.Reconcile(ctx)
 if err != nil {
 return ctrl.Result{}, errors.Wrap(err)
 }
+ if r.defaultDenyReconciler != nil {
+ res, err := r.defaultDenyReconciler.Reconcile(ctx, ctrl.Request{NamespacedName: types.NamespacedName{Namespace: req.Namespace}})
+ if err != nil || res.Requeue {
+ return res, errors.Wrap(err)
+ }
+ }
+
 return ctrl.Result{}, nil
 }
diff --git a/src/operator/main.go b/src/operator/main.go
index 3e5af0639..255600098 100644
--- a/src/operator/main.go
+++ b/src/operator/main.go
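Review bot: In the new `Reconcile` body the guard `if err != nil || res.Requeue` drops a `RequeueAfter` returned by `defaultDenyReconciler.Reconcile` — a result with only `RequeueAfter` set falls through to `return ctrl.Result{}, nil`, so the delayed re-run of the default-deny pass for that namespace never happens. Change the condition to `if err != nil || res.Requeue || res.RequeueAfter > 0 {` so every non-empty result is propagated. The same branch returns `errors.Wrap(err)` with a nil `err` when only `res.Requeue` is true; whether the shared `errors.Wrap` returns nil for a nil input is not visible in this diff, and if it does not, a plain requeue is surfaced as a reconcile error. A short comment on the new struct field would also help readers of the nil check, e.g. `// nil unless network-policy enforcement is enabled; Reconcile skips the default-deny pass in that case`, since `NewServiceWatcher` only sets it when `netpolEnabled` is true.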
@@ -463,7 +463,7 @@ func main() {
 podWatcher := pod_reconcilers.NewPodWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), watchedNamespaces, enforcementConfig.EnforcementDefaultState, enforcementConfig.EnableIstioPolicy, enforcementConfig.EnforcedNamespaces, intentsReconciler)
 nsWatcher := pod_reconcilers.NewNamespaceWatcher(mgr.GetClient())
- svcWatcher := port_network_policy.NewServiceWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), epGroupReconciler)
+ svcWatcher := port_network_policy.NewServiceWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), epGroupReconciler, enforcementConfig.EnableNetworkPolicy, extNetpolHandler)
 err = svcWatcher.SetupWithManager(mgr)
 if err != nil {