[Maint] add ns info to cid

derailed · Mar 16, 2024 · f99cbd1 · f99cbd1
1 parent f43ad34
commit f99cbd1
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,4 @@ spinach.yml
 /kind
 /spinach-me
 __debug_bin*
+.act-evt
diff --git a/internal/cilium/lint/cid.go b/internal/cilium/lint/cid.go
@@ -45,13 +45,14 @@ func (s *CiliumIdentity) Lint(ctx context.Context) error {
 	for o := it.Next(); o != nil; o = it.Next() {
 		cid := o.(*v2.CiliumIdentity)
 		fqn := client.FQN(cid.Namespace, cid.Name)
-		s.InitOutcome(fqn)
-		ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, cid))
+		id := client.FQN(extractNS(cid), cid.Name)
+		s.InitOutcome(id)
+		ctx = internal.WithSpec(ctx, ilint.SpecFor(id, cid))
 		if err := s.checkStale(ctx, fqn, &refs); err != nil {
 			return err
 		}
 		s.checkNS(ctx, cid)
-		if err := s.checkSA(ctx, fqn, cid); err != nil {
+		if err := s.checkSA(ctx, cid); err != nil {
 			return err
 		}
 	}
@@ -75,6 +76,17 @@ const (
 	k8sSALabel     = "io.cilium.k8s.policy.serviceaccount"
 )
 
+func extractNS(cid *v2.CiliumIdentity) string {
+	if ns, ok := cid.Labels[k8sNSLabel]; ok {
+		return ns
+	}
+	if ns, ok := cid.SecurityLabels[k8sSecNSLabel]; ok {
+		return ns
+	}
+
+	return client.BlankNamespace
+}
+
 func (s *CiliumIdentity) checkNS(ctx context.Context, cid *v2.CiliumIdentity) {
 	ns, ok := cid.Labels[k8sNSLabel]
 	if !ok {
@@ -95,7 +107,7 @@ func (s *CiliumIdentity) checkNS(ctx context.Context, cid *v2.CiliumIdentity) {
 	}
 }
 
-func (s *CiliumIdentity) checkSA(ctx context.Context, fqn string, cid *v2.CiliumIdentity) error {
+func (s *CiliumIdentity) checkSA(ctx context.Context, cid *v2.CiliumIdentity) error {
 	ns, ok := cid.Labels[k8sNSLabel]
 	if !ok {
 		return fmt.Errorf("unable to locate cid namespace")

diff --git a/internal/cilium/lint/cid_test.go b/internal/cilium/lint/cid_test.go
@@ -31,10 +31,11 @@ func TestCiliumIdentity(t *testing.T) {
 	assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumidentities", "ciliumidentities")))
 	assert.Equal(t, 3, len(li.Outcome()))
 
-	ii := li.Outcome()["100"]
+	li.Outcome().Dump()
+	ii := li.Outcome()["default/100"]
 	assert.Equal(t, 0, len(ii))
 
-	ii = li.Outcome()["200"]
+	ii = li.Outcome()["ns1/200"]
 	assert.Equal(t, 3, len(ii))
 	assert.Equal(t, "[POP-1600] Stale? unable to locate matching Cilium Endpoint", ii[0].Message)
 	assert.Equal(t, rules.WarnLevel, ii[0].Level)
@@ -43,7 +44,7 @@ func TestCiliumIdentity(t *testing.T) {
 	assert.Equal(t, `[POP-307] CiliumIdentity references a non existing ServiceAccount: "ns1/sa1"`, ii[2].Message)
 	assert.Equal(t, rules.WarnLevel, ii[2].Level)
 
-	ii = li.Outcome()["300"]
+	ii = li.Outcome()["default/300"]
 	assert.Equal(t, 1, len(ii))
 	assert.Equal(t, `[POP-1603] Missing security namespace label: "k8s:io.kubernetes.pod.namespace"`, ii[0].Message)
 	assert.Equal(t, rules.WarnLevel, ii[0].Level)