bugfix: fix handling of empty namespaceSelector when using Kubernetes datastore driver

gunjan5 · gunjan5 · commit d9205cc55f81 · 2017-08-05T11:31:35.000-07:00
diff --git a/lib/backend/k8s/conversion.go b/lib/backend/k8s/conversion.go
@@ -269,6 +269,11 @@ func (c converter) k8sSelectorToCalico(s *metav1.LabelSelector, ns *string) stri
 		}
 	}
 
+	// If namespace selector is empty then we select all namespaces.
+	if len(selectors) == 0 && ns == nil {
+		selectors = []string{"has(calico/k8s_ns)"}
+	}
+
 	return strings.Join(selectors, " && ")
 }
 
diff --git a/lib/backend/k8s/conversion_test.go b/lib/backend/k8s/conversion_test.go
@@ -471,6 +471,48 @@ var _ = Describe("Test NetworkPolicy conversion", func() {
 		Expect(pol.Value.(*model.Policy).OutboundRules[0]).To(Equal(model.Rule{Action: "allow"}))
 	})
 
+	It("should parse a NetworkPolicy with an empty namespaceSelector", func() {
+		np := extensions.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "testPolicy",
+				Namespace: "default",
+			},
+			Spec: extensions.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"label": "value"},
+				},
+				Ingress: []extensions.NetworkPolicyIngressRule{
+					extensions.NetworkPolicyIngressRule{
+						From: []extensions.NetworkPolicyPeer{
+							extensions.NetworkPolicyPeer{
+								NamespaceSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		// Parse the policy.
+		pol, err := c.networkPolicyToPolicy(&np)
+		Expect(err).NotTo(HaveOccurred())
+
+		// Assert key fields are correct.
+		Expect(pol.Key.(model.PolicyKey).Name).To(Equal("np.projectcalico.org/default.testPolicy"))
+
+		// Assert value fields are correct.
+		Expect(int(*pol.Value.(*model.Policy).Order)).To(Equal(1000))
+		Expect(pol.Value.(*model.Policy).Selector).To(Equal("calico/k8s_ns == 'default' && label == 'value'"))
+		Expect(len(pol.Value.(*model.Policy).InboundRules)).To(Equal(1))
+		Expect(pol.Value.(*model.Policy).InboundRules[0].SrcSelector).To(Equal("has(calico/k8s_ns)"))
+
+		// OutboundRules should only have one rule and it should be allow.
+		Expect(len(pol.Value.(*model.Policy).OutboundRules)).To(Equal(1))
+		Expect(pol.Value.(*model.Policy).OutboundRules[0]).To(Equal(model.Rule{Action: "allow"}))
+	})
+
 	It("should parse a NetworkPolicy with podSelector.MatchExpressions", func() {
 		np := extensions.NetworkPolicy{
 			ObjectMeta: metav1.ObjectMeta{

Original file line number	Diff line number	Diff line change
`@@ -269,6 +269,11 @@ func (c converter) k8sSelectorToCalico(s metav1.LabelSelector, ns string) stri`
`269`	`269`	`}`
`270`	`270`	`}`
`271`	`271`
	`272`	`+ // If namespace selector is empty then we select all namespaces.`
	`273`	`+ if len(selectors) == 0 && ns == nil {`
	`274`	`+ selectors = []string{"has(calico/k8s_ns)"}`
	`275`	`+ }`
	`276`	`+`
`272`	`277`	`return strings.Join(selectors, " && ")`
`273`	`278`	`}`
`274`	`279`