Fix: ingress rule lost podsrchost when neither pod and namespace selector is nil #3159
Conversation
…lector are not nil
when we have ingress rule like this, this means traffict from pods of either condition
will be accepted:
1. pods in the default namespace swith label "role=frontend"
2. pods in the namespace with label "project=myproject"
metadata:
name: test-network-policy
namespace: default
ingress:
- from:
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
But, weave-npc now only accepts #2 , and misses #1.
ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
mainred
changed the title
|
Thanks for the contribution! Let me see if I understand: the code will currently work for either a pod selector or a namespace selector, and you've fixed it to work in the case the policy has both. I pushed this branch to the main repo so the full test suite will run. Would probably put this on the 2.0 branch since it's a small change and a real bug. |
|
Yes, you got the point, bboreham. |
|
@mainred Thanks for the contribution, but I don't see why the change is necessary. The current code does iterate over peers (in your given policy there are two peers), and for the policy creates two rules: Just noting, that if you omit the dash before the second |
|
@brb ,you are right, and thank you very much for your correcting my mistake. Maybe more testing should be made before I open another pr :) I'll close this pr. |
when we have ingress rule like this, this means traffict from pods of either condition
will be accepted:
But, weave-npc now only accepts NO.2 , and misses NO.1.
ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/