This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

add support for combination of podSelector and namespaceSelector in network policies #3647

Merged: 4 commits from nsselector into master, Jun 14, 2019

Conversation

murali-reddy
Contributor

  • enhance selectorSpec to accommodate both pod and namespace selectors
  • enhance analysePolicy to handle policies with both selectors

Fixes #3312

npc/analyser.go Outdated
if peer.PodSelector != nil {
srcSelector, err = newSelectorSpec(peer.PodSelector, nil, ns.name, ipset.HashIP)
if peer.PodSelector != nil && peer.NamespaceSelector != nil {
srcSelector, err = newSelectorSpec(peer.PodSelector, peer.NamespaceSelector, nil, ns.name, ipset.HashIP)
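Review bot: the guard is narrowed from `peer.PodSelector != nil` to `peer.PodSelector != nil && peer.NamespaceSelector != nil`, so a peer with only a podSelector now depends on a later branch that is not visible in this hunk; please add a table-driven test covering the four nil/non-nil combinations of PodSelector and NamespaceSelector. The NetworkPolicy spec makes a peer with both selectors the intersection (pods matching the podSelector in namespaces matching the namespaceSelector), while two separate `from` entries are a union, and the test should distinguish those two shapes.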
Contributor

These six lines seem identical to the next else clause, apart from substituting nil for peer.NamespaceSelector.

Contributor

Is it correct to pass ns.name here? Don't we want a pod+namespace selector to work the same from any namespace?

Contributor

@bboreham bboreham left a comment

I've noted some superficial issues, but I got stuck trying to figure out the bigger picture.
Why do we end up with nsSelectors and podSelectors when the latter can also have a namespace?

npc/analyser.go Outdated
if peer.PodSelector != nil {
dstSelector, err = newSelectorSpec(peer.PodSelector, nil, ns.name, ipset.HashIP)
if peer.PodSelector != nil && peer.NamespaceSelector != nil {
dstSelector, err = newSelectorSpec(peer.PodSelector, peer.NamespaceSelector, nil, ns.name, ipset.HashIP)
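Review bot: this egress branch is a copy of the ingress branch above (same condition, same `newSelectorSpec` call, only `dstSelector` in place of `srcSelector`); factor the selector construction into one helper that takes the peer and returns the spec, so that any later fix to the combined-selector arguments (for example the `nil` / `ns.name` question raised in review) lands in one place rather than two.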
Contributor

These six lines seem identical to the next else clause, apart from substituting nil for peer.NamespaceSelector.

@murali-reddy
Contributor Author

murali-reddy commented May 30, 2019

I've noted some superficial issues, but I got stuck trying to figure out the bigger picture.
Why do we end up with nsSelectors and podSelectors when the latter can also have a namespace?

Thanks for the review. I modified the code to make it more explicit. So now there are three bookkeeping selector sets serving different purposes. nsSelectors and podSelectors are the existing ones with no changes to their interpretation. namespacedPodsSelectors is the new one to represent matching pods in matching namespaces.

	nsSelectors             *selectorSet // reference to global selectorSet that is shared across the `ns`. Used to represent all pods in the matching namespaces
	podSelectors            *selectorSet // used to represent the matching pods in namespace represented by this `ns`
	namespacedPodsSelectors *selectorSet // reference to global selectorSet that is shared across the `ns`. Used to represent matching pods in matching namespace

Contributor

@bboreham bboreham left a comment

I'm pretty much OK with this, but it's a big change so made some further comments.

Further review comments (resolved) on npc/controller.go and npc/selector.go.
Contributor

@bboreham bboreham left a comment

Great!

@bboreham bboreham merged commit b05c5f6 into master Jun 14, 2019
@bboreham bboreham deleted the nsselector branch June 14, 2019 13:25
@kfox1111
I'm a bit confused. Say I have 3 namespaces: A, B and C. Only namespace B is labeled 'name=B'.

I was trying to get A -> A and B -> A and not C !-> A

If I register this snippet in namespace A

  ingress:
  - from:
    - podSelector: {}

I get the first part. A -> A. B !-> A, C !-> A. Working as expected.

If I try:

  - from:
    - namespaceSelector:
        matchLabels:
          name: B
      podSelector: {}

I get A -> A, B !-> A, C !-> A. A can talk to A, but B can't. This seems backwards according to the spec?

Then I try this one:

  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: B
    - podSelector: {}

A can talk to A, B can talk to A, and C cannot talk to A. This also seems wrong. Either it should be just a rule for B -> A, or it should be the equiv of the first two snippets together?
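
The three `from` lists above, evaluated against the NetworkPolicy peer semantics this PR implements (one entry with both selectors is the intersection of matching pods and matching namespaces; two entries are a union; a lone podSelector is scoped to the policy's own namespace). This is an added example and not Weave Net code: the namespace, pod and selector types, the matchLabels-only selector, and the cluster state (namespaces A, B and C, only B labelled name=B, a policy in A) are all constructed here for illustration, and it also covers the bookkeeping distinction described earlier in the thread (all pods in matching namespaces vs. matching pods in matching namespaces).

```go
package main

import (
	"fmt"
	"strings"
)

// Namespace and Pod are constructed stand-ins for the Kubernetes objects;
// only the fields the matching logic needs are modelled.
type Namespace struct {
	Name   string
	Labels map[string]string
}

type Pod struct {
	Namespace string
	Labels    map[string]string
}

// LabelSelector models matchLabels only. An empty selector ({} in YAML)
// matches everything; a nil *LabelSelector means the field was omitted.
type LabelSelector map[string]string

func (s LabelSelector) Matches(labels map[string]string) bool {
	for k, v := range s {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Peer is one entry of a NetworkPolicy `from` list.
type Peer struct {
	PodSelector       *LabelSelector
	NamespaceSelector *LabelSelector
}

// peerAllows applies the peer semantics for a policy living in policyNS:
// both selectors set = intersection (matching pods in matching namespaces);
// namespaceSelector alone = all pods in matching namespaces;
// podSelector alone = matching pods in the policy's own namespace.
func peerAllows(p Peer, policyNS string, src Pod, nsByName map[string]Namespace) bool {
	srcNS := nsByName[src.Namespace] // zero value (no labels) if unknown
	switch {
	case p.PodSelector != nil && p.NamespaceSelector != nil:
		return p.NamespaceSelector.Matches(srcNS.Labels) && p.PodSelector.Matches(src.Labels)
	case p.NamespaceSelector != nil:
		return p.NamespaceSelector.Matches(srcNS.Labels)
	case p.PodSelector != nil:
		return src.Namespace == policyNS && p.PodSelector.Matches(src.Labels)
	}
	return false // an empty peer selects nothing
}

// ingressAllows ORs the entries of a single `from` list.
func ingressAllows(from []Peer, policyNS string, src Pod, nsByName map[string]Namespace) bool {
	for _, p := range from {
		if peerAllows(p, policyNS, src, nsByName) {
			return true
		}
	}
	return false
}

// The three `from` lists from the discussion, under constructed names.
var (
	allPods = LabelSelector{}            // podSelector: {}
	nsB     = LabelSelector{"name": "B"} // namespaceSelector.matchLabels.name: B
)

var Policies = map[string][]Peer{
	"pod-only":   {{PodSelector: &allPods}},
	"ns-and-pod": {{NamespaceSelector: &nsB, PodSelector: &allPods}}, // one entry, both selectors
	"ns-or-pod":  {{NamespaceSelector: &nsB}, {PodSelector: &allPods}}, // two entries
}

// AllowedSources returns, in order, the namespaces whose pods may reach a
// pod in namespace A under the named policy. Cluster state is constructed:
// namespaces A, B, C, with only B labelled name=B.
func AllowedSources(policy string) []string {
	namespaces := map[string]Namespace{
		"A": {Name: "A"},
		"B": {Name: "B", Labels: map[string]string{"name": "B"}},
		"C": {Name: "C"},
	}
	var allowed []string
	for _, n := range []string{"A", "B", "C"} {
		if ingressAllows(Policies[policy], "A", Pod{Namespace: n}, namespaces) {
			allowed = append(allowed, n)
		}
	}
	return allowed
}

func main() {
	for _, name := range []string{"pod-only", "ns-and-pod", "ns-or-pod"} {
		fmt.Printf("%-10s -> A allowed from: %s\n", name, strings.Join(AllowedSources(name), ", "))
	}
}
```

Running it gives A for the podSelector-only policy, B for the single entry combining both selectors, and A and B for the two-entry list, which is the union behaviour the maintainer confirms as expected; the "backwards" result reported for the combined entry is what an older release without this change produces, not what the spec describes.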

@murali-reddy
Contributor Author

@kfox1111 What image did you use for testing? This feature is right now only in master. I just rechecked the scenarios; I see it's working as expected.

@kfox1111
Oh. Didn't realize this was an unreleased feature. That would explain it. Thanks.

Successfully merging this pull request may close these issues: Support both podSelector and namespaceSelector in NetworkPolicy