Support both podSelector and namespaceSelector in NetworkPolicy

Fixes #3312
weaveworks · Oct 16, 2018 · 97ad7d2 · 97ad7d2
1 parent 078b76f
commit 97ad7d2
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 30 deletions.
diff --git a/npc/analyser.go b/npc/analyser.go
@@ -69,38 +69,53 @@ func (ns *ns) analysePolicy(policy *networkingv1.NetworkPolicy) (
 			} else {
 				for _, peer := range ingressRule.From {
 					var srcSelector *selectorSpec
-					var srcRuleHost ruleHost
+					var srcRuleHosts []ruleHost
 
 					// NetworkPolicyPeer describes a peer to allow traffic from.
-					// Exactly one of its fields must be specified.
-					if peer.PodSelector != nil {
+					if peer.PodSelector != nil && peer.NamespaceSelector != nil {
+						matchedNamespaces, err := ns.getMatchingNamespeces(peer.NamespaceSelector)
+						if err != nil {
+							return nil, nil, nil, nil, err
+						}
+						for _, matchedNs := range matchedNamespaces.Items {
+							srcSelector, err = newSelectorSpec(peer.PodSelector, nil, matchedNs.ObjectMeta.Name, ipset.HashIP)
+							if err != nil {
+								return nil, nil, nil, nil, err
+							}
+							addIfNotExist(srcSelector, podSelectors)
+							srcRuleHosts = append(srcRuleHosts, srcSelector)
+						}
+					} else if peer.PodSelector != nil {
 						srcSelector, err = newSelectorSpec(peer.PodSelector, nil, ns.name, ipset.HashIP)
 						if err != nil {
 							return nil, nil, nil, nil, err
 						}
 						addIfNotExist(srcSelector, podSelectors)
-						srcRuleHost = srcSelector
+						srcRuleHosts = append(srcRuleHosts, srcSelector)
 					} else if peer.NamespaceSelector != nil {
 						srcSelector, err = newSelectorSpec(peer.NamespaceSelector, nil, "", ipset.ListSet)
 						if err != nil {
 							return nil, nil, nil, nil, err
 						}
 						nsSelectors[srcSelector.key] = srcSelector
-						srcRuleHost = srcSelector
+						srcRuleHosts = append(srcRuleHosts, srcSelector)
+
 					} else if peer.IPBlock != nil {
 						ipBlock := newIPBlockSpec(peer.IPBlock, ns.name)
 						ipBlocks[ipBlock.key] = ipBlock
-						srcRuleHost = ipBlock
+						srcRuleHosts = append(srcRuleHosts, ipBlock)
 					}
 
-					if allPorts {
-						rule := newRuleSpec(policyTypeIngress, nil, srcRuleHost, targetSelector, nil)
-						rules[rule.key] = rule
-					} else {
-						withNormalisedProtoAndPort(ingressRule.Ports, func(proto, port string) {
-							rule := newRuleSpec(policyTypeIngress, &proto, srcSelector, targetSelector, &port)
+					for _, srcRuleHost := range srcRuleHosts {
+						if allPorts {
+							rule := newRuleSpec(policyTypeIngress, nil, srcRuleHost, targetSelector, nil)
 							rules[rule.key] = rule
-						})
+						} else {
+							withNormalisedProtoAndPort(ingressRule.Ports, func(proto, port string) {
+								rule := newRuleSpec(policyTypeIngress, &proto, srcRuleHost, targetSelector, &port)
+								rules[rule.key] = rule
+							})
+						}
 					}
 				}
 			}
@@ -134,39 +149,53 @@ func (ns *ns) analysePolicy(policy *networkingv1.NetworkPolicy) (
 			} else {
 				for _, peer := range egressRule.To {
 					var dstSelector *selectorSpec
-					var dstRuleHost ruleHost
+					var dstRuleHosts []ruleHost
 
 					// NetworkPolicyPeer describes a peer to allow traffic to.
-					// Exactly one of its fields must be specified.
-					if peer.PodSelector != nil {
+					if peer.PodSelector != nil && peer.NamespaceSelector != nil {
+						matchedNamespaces, err := ns.getMatchingNamespeces(peer.NamespaceSelector)
+						if err != nil {
+							return nil, nil, nil, nil, err
+						}
+						for _, matchedNs := range matchedNamespaces.Items {
+							dstSelector, err = newSelectorSpec(peer.PodSelector, nil, matchedNs.ObjectMeta.Name, ipset.HashIP)
+							if err != nil {
+								return nil, nil, nil, nil, err
+							}
+							addIfNotExist(dstSelector, podSelectors)
+							dstRuleHosts = append(dstRuleHosts, dstSelector)
+						}
+					} else if peer.PodSelector != nil {
 						dstSelector, err = newSelectorSpec(peer.PodSelector, nil, ns.name, ipset.HashIP)
 						if err != nil {
 							return nil, nil, nil, nil, err
 						}
 						addIfNotExist(dstSelector, podSelectors)
-						dstRuleHost = dstSelector
+						dstRuleHosts = append(dstRuleHosts, dstSelector)
 
 					} else if peer.NamespaceSelector != nil {
 						dstSelector, err = newSelectorSpec(peer.NamespaceSelector, nil, "", ipset.ListSet)
 						if err != nil {
 							return nil, nil, nil, nil, err
 						}
 						nsSelectors[dstSelector.key] = dstSelector
-						dstRuleHost = dstSelector
+						dstRuleHosts = append(dstRuleHosts, dstSelector)
 					} else if peer.IPBlock != nil {
 						ipBlock := newIPBlockSpec(peer.IPBlock, ns.name)
 						ipBlocks[ipBlock.key] = ipBlock
-						dstRuleHost = ipBlock
+						dstRuleHosts = append(dstRuleHosts, ipBlock)
 					}
 
-					if allPorts {
-						rule := newRuleSpec(policyTypeEgress, nil, targetSelector, dstRuleHost, nil)
-						rules[rule.key] = rule
-					} else {
-						withNormalisedProtoAndPort(egressRule.Ports, func(proto, port string) {
-							rule := newRuleSpec(policyTypeEgress, &proto, targetSelector, dstRuleHost, &port)
+					for _, dstRuleHost := range dstRuleHosts {
+						if allPorts {
+							rule := newRuleSpec(policyTypeEgress, nil, targetSelector, dstRuleHost, nil)
 							rules[rule.key] = rule
-						})
+						} else {
+							withNormalisedProtoAndPort(egressRule.Ports, func(proto, port string) {
+								rule := newRuleSpec(policyTypeEgress, &proto, targetSelector, dstRuleHost, &port)
+								rules[rule.key] = rule
+							})
+						}
 					}
 				}
 			}

diff --git a/npc/namespace.go b/npc/namespace.go
@@ -4,16 +4,17 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/net/ipset"
+	"github.com/weaveworks/weave/npc/iptables"
 	coreapi "k8s.io/api/core/v1"
 	extnapi "k8s.io/api/extensions/v1beta1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/uuid"
-
-	"github.com/weaveworks/weave/common"
-	"github.com/weaveworks/weave/net/ipset"
-	"github.com/weaveworks/weave/npc/iptables"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 var errInvalidNetworkPolicyObjType = errors.New("invalid NetworkPolicy object type")
@@ -584,3 +585,23 @@ func (ns *ns) analyse(obj interface{}) (
 
 	return
 }
+
+func (ns *ns) getMatchingNamespeces(ls *metav1.LabelSelector) (*coreapi.NamespaceList, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	nsSelector, err := metav1.LabelSelectorAsSelector(ls)
+	if err != nil {
+		return nil, err
+	}
+	matchedNamespaces, err := clientset.CoreV1().Namespaces().List(metav1.ListOptions{LabelSelector: nsSelector.String()})
+	if err != nil {
+		return nil, err
+	}
+	return matchedNamespaces, nil
+}