Skip to content

Commit 246965d

Browse files
rayaisaiahrayaisaiah
committed
added service selectors to the appended list instead to simplify logic
1 parent 6873113 commit 246965d

File tree

2 files changed

+28
-22
lines changed

2 files changed

+28
-22
lines changed

tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -194,11 +194,16 @@ func getUnsafeExternalTrafficPolicyClusterServices(
194194
externalTrafficPolicy := service.Spec.ExternalTrafficPolicy
195195
// If the service has externalTrafficPolicy is set to "Cluster" add it to the riskServices list (ExternalTrafficPolicy: "" defaults to Cluster)
196196
if externalTrafficPolicy != corev1.ServiceExternalTrafficPolicyTypeLocal {
197+
// Check if the service has a selector
198+
serviceSelector := "selectors"
199+
if service.Spec.Selector == nil {
200+
serviceSelector = "no selectors"
201+
}
202+
riskServices = append(riskServices, fmt.Sprintf("%s/%s/%s", namespace.Name, service.Name, serviceSelector))
197203
// Any service with externalTrafficPolicy=Cluster is at risk so need to elimate any services that are incorrectly flagged
198-
riskServices = append(riskServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
199-
// Check if are there services with selector that are allowed by a network policy that can be safely migrated
200204
if checkNoServiceRisk(service, policyListAtNamespace) {
201-
safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
205+
// Check if are there services with selector that are allowed by a network policy that can be safely migrated
206+
safeServices = append(safeServices, fmt.Sprintf("%s/%s/%s", namespace.Name, service.Name, serviceSelector))
202207
}
203208
}
204209
}
@@ -471,11 +476,12 @@ func addUnsafeServicesToTable(table *tablewriter.Table, unsafeServices []string)
471476
table.Append([]string{"Disruption for some Services with externalTrafficPolicy=Cluster", "✅", ""})
472477
} else {
473478
table.Append([]string{"Disruption for some Services with externalTrafficPolicy=Cluster", "❌", "Services affected:"})
474-
// If there are any unsafe services then print them as they could be impacted by migration
479+
// Print unsafe services as they could be impacted by migration
475480
for _, service := range unsafeServices {
476481
serviceName := strings.Split(service, "/")[1]
477482
serviceNamespace := strings.Split(service, "/")[0]
478-
table.Append([]string{"", "❌", fmt.Sprintf("Found Service: \033[31m%s\033[0m in namespace: \033[31m%s\033[0m\n", serviceName, serviceNamespace)})
483+
serviceSelector := strings.Split(service, "/")[2]
484+
table.Append([]string{"", "❌", fmt.Sprintf("Found Service: \033[31m%s\033[0m with \033[31m%s\033[0m in namespace: \033[31m%s\033[0m\n", serviceName, serviceSelector, serviceNamespace)})
479485
}
480486
table.Append([]string{"", "", "Manual investigation is required to evaluate if ingress is allowed to the service's backend Pods."})
481487
table.Append([]string{"", "", "Please evaluate if these services would be impacted by migration."})

tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator_test.go

Lines changed: 17 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -1266,7 +1266,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
12661266
},
12671267
},
12681268
},
1269-
expectedUnsafeServices: []string{"namespace1/service-with-no-selector"},
1269+
expectedUnsafeServices: []string{"namespace1/service-with-no-selector/no selectors"},
12701270
},
12711271
{
12721272
name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and an allow all ingress policy with a selector",
@@ -1302,7 +1302,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
13021302
},
13031303
},
13041304
},
1305-
expectedUnsafeServices: []string{"namespace1/service-with-no-selector"},
1305+
expectedUnsafeServices: []string{"namespace1/service-with-no-selector/no selectors"},
13061306
},
13071307
{
13081308
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an deny all ingress policy with a matching selector",
@@ -1336,7 +1336,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
13361336
},
13371337
},
13381338
},
1339-
expectedUnsafeServices: []string{"namespace1/service-with-selector"},
1339+
expectedUnsafeServices: []string{"namespace1/service-with-selector/selectors"},
13401340
},
13411341
{
13421342
name: "LoadBalancer service with externalTrafficPolicy=Cluster and matching policy that is not an allow all",
@@ -1381,7 +1381,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
13811381
},
13821382
},
13831383
},
1384-
expectedUnsafeServices: []string{"namespace1/external-traffic-policy-cluster-service"},
1384+
expectedUnsafeServices: []string{"namespace1/external-traffic-policy-cluster-service/selectors"},
13851385
},
13861386
{
13871387
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a selector that doesnt match",
@@ -1418,7 +1418,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
14181418
},
14191419
},
14201420
},
1421-
expectedUnsafeServices: []string{"namespace1/service-with-selector"},
1421+
expectedUnsafeServices: []string{"namespace1/service-with-selector/selectors"},
14221422
},
14231423
{
14241424
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a selector that has more labels",
@@ -1455,7 +1455,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
14551455
},
14561456
},
14571457
},
1458-
expectedUnsafeServices: []string{"namespace1/service-with-selector"},
1458+
expectedUnsafeServices: []string{"namespace1/service-with-selector/selectors"},
14591459
},
14601460
{
14611461
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector but ports dont match",
@@ -1521,7 +1521,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
15211521
},
15221522
},
15231523
},
1524-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-named-ports"},
1524+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-named-ports/selectors"},
15251525
},
15261526
{
15271527
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector but uses named ports",
@@ -1575,7 +1575,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
15751575
},
15761576
},
15771577
},
1578-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-named-ports"},
1578+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-named-ports/selectors"},
15791579
},
15801580
// Scenarios covering edge cases
15811581
{
@@ -1710,7 +1710,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
17101710
},
17111711
},
17121712
},
1713-
expectedUnsafeServices: []string{"namespace1/service-with-selector"},
1713+
expectedUnsafeServices: []string{"namespace1/service-with-selector/selectors"},
17141714
},
17151715
{
17161716
name: "LoadBalancer service with externalTrafficPolicy=Cluster with no selector and an allow all ingress policy with a matchExpressions selector",
@@ -1760,7 +1760,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
17601760
},
17611761
},
17621762
},
1763-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports"},
1763+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports/selectors"},
17641764
},
17651765
{
17661766
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matchExpressions selector",
@@ -1802,7 +1802,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
18021802
},
18031803
},
18041804
},
1805-
expectedUnsafeServices: []string{"namespace1/service-with-no-selector"},
1805+
expectedUnsafeServices: []string{"namespace1/service-with-no-selector/no selectors"},
18061806
},
18071807
{
18081808
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow all ingress policy with a matching selector and protocol with no ports",
@@ -1970,7 +1970,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
19701970
},
19711971
},
19721972
},
1973-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports"},
1973+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports/selectors"},
19741974
},
19751975
{
19761976
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and targetport=0 and an allow all ingress policy with a matching selector and ports=0",
@@ -2024,7 +2024,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
20242024
},
20252025
},
20262026
},
2027-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports"},
2027+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports/selectors"},
20282028
},
20292029
{
20302030
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow 168.63.129.18/32 ingress policy with a matching selector and no ports",
@@ -2072,7 +2072,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
20722072
},
20732073
},
20742074
},
2075-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports"},
2075+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports/selectors"},
20762076
},
20772077
{
20782078
name: "LoadBalancer service with externalTrafficPolicy=Cluster with a selector and an allow 168.63.129.16/32 ingress policy with a matching selector and ports",
@@ -2129,7 +2129,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
21292129
},
21302130
},
21312131
},
2132-
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports"},
2132+
expectedUnsafeServices: []string{"namespace1/service-with-selector-and-ports/selectors"},
21332133
},
21342134
// Scenarios where there are LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and there are multiple namespaces
21352135
{
@@ -2375,7 +2375,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
23752375
},
23762376
},
23772377
},
2378-
expectedUnsafeServices: []string{"namespace1/service-with-selector", "namespace2/service-with-selector-and-ports", "namespace3/service-with-selector-and-ports"},
2378+
expectedUnsafeServices: []string{"namespace1/service-with-selector/selectors", "namespace2/service-with-selector-and-ports/selectors", "namespace3/service-with-selector-and-ports/selectors"},
23792379
},
23802380
{
23812381
name: "LoadBalancer or NodePort services with externalTrafficPolicy=Cluster and allow all ingress policies with some matching label and ports in multiple namespaces",
@@ -2538,7 +2538,7 @@ func TestGetExternalTrafficPolicyClusterServices(t *testing.T) {
25382538
},
25392539
},
25402540
},
2541-
expectedUnsafeServices: []string{"namespace1/service-with-selector-no-match", "namespace2/service-with-selector-and-ports-no-match", "namespace3/service-with-selector-and-ports-no-match"},
2541+
expectedUnsafeServices: []string{"namespace1/service-with-selector-no-match/selectors", "namespace2/service-with-selector-and-ports-no-match/selectors", "namespace3/service-with-selector-and-ports-no-match/selectors"},
25422542
},
25432543
}
25442544

0 commit comments

Comments
 (0)