Clean access policies if server is not protected (#231)

otterize · Aug 9, 2023 · 385dc07 · 385dc07
1 parent bb19970
commit 385dc07
Show file tree

Hide file tree

Showing 8 changed files with 585 additions and 3 deletions.
diff --git a/src/operator/controllers/intents_reconcilers/network_policy.go b/src/operator/controllers/intents_reconcilers/network_policy.go
@@ -303,7 +303,7 @@ func (r *NetworkPolicyReconciler) handleIntentRemoval(
 func (r *NetworkPolicyReconciler) removeOrphanNetworkPolicies(ctx context.Context) error {
 	logrus.Info("Searching for orphaned network policies")
 	networkPolicyList := &v1.NetworkPolicyList{}
-	selector, err := r.matchAccessNetworkPolicy()
+	selector, err := MatchAccessNetworkPolicy()
 	if err != nil {
 		return err
 	}
@@ -354,7 +354,7 @@ func (r *NetworkPolicyReconciler) removeNetworkPolicy(ctx context.Context, netwo
 	return nil
 }
 
-func (r *NetworkPolicyReconciler) matchAccessNetworkPolicy() (labels.Selector, error) {
+func MatchAccessNetworkPolicy() (labels.Selector, error) {
 	isOtterizeNetworkPolicy := metav1.LabelSelectorRequirement{
 		Key:      otterizev1alpha2.OtterizeNetworkPolicy,
 		Operator: metav1.LabelSelectorOpExists,

diff --git a/src/operator/controllers/protected_service_reconcilers/default_deny.go b/src/operator/controllers/protected_service_reconcilers/default_deny.go
@@ -23,6 +23,7 @@ type DefaultDenyReconciler struct {
 type ExternalNepolHandler interface {
 	HandlePodsByNamespace(ctx context.Context, namespace string) error
 	HandleAllPods(ctx context.Context) error
+	HandleBeforeAccessPolicyRemoval(ctx context.Context, accessPolicy *v1.NetworkPolicy) error
 }
 
 func NewDefaultDenyReconciler(client client.Client, extNetpolHandler ExternalNepolHandler) *DefaultDenyReconciler {

diff --git a/src/operator/controllers/protected_service_reconcilers/default_deny_test.go b/src/operator/controllers/protected_service_reconcilers/default_deny_test.go
@@ -22,6 +22,7 @@ const (
 	protectedServicesResourceName        = "staging-protected-services"
 	protectedService                     = "test-service"
 	protectedServiceFormattedName        = "test-service-test-namespace-b0207e"
+	anotherProtectedServiceResourceName  = "protect-other-services"
 	anotherProtectedService              = "other-test-service"
 	anotherProtectedServiceFormattedName = "other-test-service-test-namespace-398a04"
 	testNamespace                        = "test-namespace"

diff --git a/src/operator/controllers/protected_service_reconcilers/mocks/ext_netpol_handler_mock.go b/src/operator/controllers/protected_service_reconcilers/mocks/ext_netpol_handler_mock.go
diff --git a/src/operator/controllers/protected_service_reconcilers/policy_cleaner.go b/src/operator/controllers/protected_service_reconcilers/policy_cleaner.go
@@ -0,0 +1,80 @@
+package protected_service_reconcilers
+
+import (
+	"context"
+	otterizev1alpha2 "github.com/otterize/intents-operator/src/operator/api/v1alpha2"
+	"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers"
+	"github.com/otterize/intents-operator/src/shared/injectablerecorder"
+	v1 "k8s.io/api/networking/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// PolicyCleanerReconciler reconciles a ProtectedService object
+type PolicyCleanerReconciler struct {
+	client.Client
+	injectablerecorder.InjectableRecorder
+	extNetpolHandler ExternalNepolHandler
+}
+
+func NewPolicyCleanerReconciler(client client.Client, extNetpolHandler ExternalNepolHandler) *PolicyCleanerReconciler {
+	return &PolicyCleanerReconciler{
+		Client:           client,
+		extNetpolHandler: extNetpolHandler,
+	}
+}
+
+func (r *PolicyCleanerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	selector, err := intents_reconcilers.MatchAccessNetworkPolicy()
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	namespace := req.Namespace
+	policies := &v1.NetworkPolicyList{}
+	err = r.List(ctx, policies, &client.ListOptions{Namespace: namespace, LabelSelector: selector})
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	if len(policies.Items) == 0 {
+		return ctrl.Result{}, nil
+	}
+
+	var protectedServicesResources otterizev1alpha2.ProtectedServiceList
+	err = r.List(ctx, &protectedServicesResources, &client.ListOptions{Namespace: namespace})
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	protectedServersByNamespace := sets.Set[string]{}
+	for _, protectedService := range protectedServicesResources.Items {
+		serverName := otterizev1alpha2.GetFormattedOtterizeIdentity(protectedService.Spec.Name, namespace)
+		protectedServersByNamespace.Insert(serverName)
+	}
+
+	for _, networkPolicy := range policies.Items {
+		serverName := networkPolicy.Labels[otterizev1alpha2.OtterizeNetworkPolicy]
+		if !protectedServersByNamespace.Has(serverName) {
+			err = r.removeNetworkPolicy(ctx, networkPolicy)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+		}
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func (r *PolicyCleanerReconciler) removeNetworkPolicy(ctx context.Context, networkPolicy v1.NetworkPolicy) error {
+	err := r.extNetpolHandler.HandleBeforeAccessPolicyRemoval(ctx, &networkPolicy)
+	if err != nil {
+		return err
+	}
+	err = r.Delete(ctx, &networkPolicy)
+	if err != nil {
+		return err
+	}
+	return nil
+}