Merge pull request #268 from huntergregory/fix-translate
fix: [Policy Assistant] translate could grab labels from other pods
k8s-ci-robot authored Nov 11, 2024
2 parents 6030eb9 + 433557b commit 1c5a810
Showing 2 changed files with 11 additions and 8 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/policy-assistant.yml
Expand Up @@ -116,4 +116,4 @@ jobs:
- name: Run Integration Test - Walkthrough Mode
run: |
artifacts/policy-assistant analyze --mode walkthrough --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/
artifacts/policy-assistant analyze --mode walkthrough --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/ --traffic-path cmd/policy-assistant/examples/traffic-example.json
17 changes: 10 additions & 7 deletions cmd/policy-assistant/pkg/matcher/traffic.go
Expand Up @@ -156,13 +156,6 @@ func GetInternalPeerInfo(workload string) *TrafficPeer {

func (p *TrafficPeer) Translate() TrafficPeer {
//Translates kubernetes workload types to TrafficPeers.
var podsNetworking []*PodNetworking
var podLabels map[string]string
var namespaceLabels map[string]string
var workloadOwner string
var workloadKind string
var internalPeer InternalPeer
workloadOwnerExists := false
workloadMetadata := strings.Split(strings.ToLower(p.Internal.Workload), "/")
if len(workloadMetadata) != 3 || (workloadMetadata[0] == "" || workloadMetadata[1] == "" || workloadMetadata[2] == "") || (workloadMetadata[1] != "daemonset" && workloadMetadata[1] != "statefulset" && workloadMetadata[1] != "replicaset" && workloadMetadata[1] != "deployment" && workloadMetadata[1] != "pod") {
logrus.Fatalf("Bad Workload structure: Types supported are pod, replicaset, deployment, daemonset, statefulset, and 3 fields are required with this structure, <namespace>/<workloadType>/<workloadName>")
Expand All @@ -175,7 +168,14 @@ func (p *TrafficPeer) Translate() TrafficPeer {
if err != nil {
logrus.Fatalf("unable to read pods from kube, ns '%s': %+v", workloadMetadata[0], err)
}

var podsNetworking []*PodNetworking
var podLabels map[string]string
var namespaceLabels map[string]string
workloadOwnerExists := false
for _, pod := range kubePods {
var workloadOwner string
var workloadKind string
if workloadMetadata[1] == "deployment" && pod.OwnerReferences != nil && pod.OwnerReferences[0].Kind == "ReplicaSet" {
kubeReplicaSets, err := kubeClient.GetReplicaSet(workloadMetadata[0], pod.OwnerReferences[0].Name)
if err != nil {
Expand Down Expand Up @@ -205,6 +205,7 @@ func (p *TrafficPeer) Translate() TrafficPeer {
}
}

var internalPeer InternalPeer
if !workloadOwnerExists {
logrus.Infof(workloadMetadata[0] + "/" + workloadMetadata[1] + "/" + workloadMetadata[2] + " workload not found on the cluster")
internalPeer = InternalPeer{
Expand All @@ -220,6 +221,8 @@ func (p *TrafficPeer) Translate() TrafficPeer {
}
}

logrus.Debugf("Workload: %s, PodLabels: %v, NamespaceLabels: %v, Namespace: %s", internalPeer.Workload, internalPeer.PodLabels, internalPeer.NamespaceLabels, internalPeer.Namespace)

TranslatedPeer := TrafficPeer{
Internal: &internalPeer,
}
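Review bot: At the top of the pod loop, `pod.OwnerReferences != nil && pod.OwnerReferences[0].Kind == "ReplicaSet"` still indexes element 0 after only a nil check, so a pod whose OwnerReferences slice is non-nil but empty panics; the guard should be `len(pod.OwnerReferences) > 0 && pod.OwnerReferences[0].Kind == "ReplicaSet"`. Moving `workloadOwner`/`workloadKind` inside the loop stops them carrying over between pods, but `podLabels` and `namespaceLabels` are still declared once above the loop, so if the code that fills them (outside the hunk) only assigns on a match, a later non-matching pod would presumably still see the previous pod's labels — either reset them per iteration or add a comment stating that last-match-wins is intended. Separately, `logrus.Infof(workloadMetadata[0] + "/" + workloadMetadata[1] + "/" + workloadMetadata[2] + " workload not found on the cluster")` passes a string built from the user-supplied workload name as the format argument, so a `%` in the name is parsed as a verb (go vet flags this); prefer `logrus.Infof("%s/%s/%s workload not found on the cluster", workloadMetadata[0], workloadMetadata[1], workloadMetadata[2])`. Translate's body continues past the last hunk.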
