added checks for services with allow all policys with empty and label selectors

Author: rayaisaiah

tools/azure-npm-to-cilium-validator.go

@@ -111,7 +111,6 @@ func checkEndportNetworkPolicies(policiesByNamespace map[string][]networkingv1.N
 						foundEndPort = true
 						if !networkPolicyWithEndport {
 							fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with endPort", "❌")
-							fmt.Println("endPort unsupported till Cilium v1.16.")
 							fmt.Println("Policies affected:")
 							networkPolicyWithEndport = true
 						}
@@ -150,7 +149,6 @@ func checkCIDRNetworkPolicies(policiesByNamespace map[string][]networkingv1.Netw
 							// Print the network policy if it has an ingress cidr
 							if !networkPolicyWithCIDR {
 								fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with cidr", "❌")
-								fmt.Println("CIDR only works for external traffic in Cilium.")
 								fmt.Println("Policies affected:")
 								networkPolicyWithCIDR = true
 							}
@@ -175,7 +173,6 @@ func checkCIDRNetworkPolicies(policiesByNamespace map[string][]networkingv1.Netw
 							// Print the network policy if it has an egress cidr
 							if !networkPolicyWithCIDR {
 								fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with cidr", "❌")
-								fmt.Println("CIDR only works for external traffic in Cilium.")
 								fmt.Println("Policies affected:")
 								networkPolicyWithCIDR = true
 							}
@@ -211,7 +208,6 @@ func checkForEgressPolicies(policiesByNamespace map[string][]networkingv1.Networ
 					if !networkPolicyWithEgress {
 						fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with egress", "❌")
 						fmt.Printf("%-30s | %-30s \n", "(Not allow all egress)", "")
-						fmt.Println("NPM does not enforce policies on egress to local node IP. Cilium does.")
 						fmt.Println("Policies affected:")
 						networkPolicyWithEgress = true
 					}
@@ -278,7 +274,6 @@ func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servic
 		fmt.Printf("%-30s | %-30s \n", "Disruption for some", "❌")
 		fmt.Printf("%-30s | %-30s \n", "Services with", "")
 		fmt.Printf("%-30s | %-30s \n", "externalTrafficPolicy=Cluster", "")
-		fmt.Println("NPM incorrectly allows traffic for services with externalTrafficPolicy=Cluster (applicable if Type=NodePort or Type=LoadBalancer)")
 		fmt.Println("Services affected:")
 		// If there are any no selector services or unsafe services then print them as they could be impacted by migration
 		if len(noSelectorServices) > 0 {
@@ -353,24 +348,26 @@ func checkServiceRisk(service v1.Service, namespace string, servicePorts []strin
 	return safeServices
 }
 
-func checkPolicyMatchServiceLabels(serviceLabels, policyPodLabels map[string]string) bool {
-	// Count the number of labels that match
-	matchLabelCount := 0
+func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string) bool {
+	// Return false if the policy has more labels than the service
+	if len(policyLabels) > len(serviceLabels) {
+		return false
+	}
 
-	for policyKey, policyValue := range policyPodLabels {
+	// Check for each policy label that that label is present in the service labels
+	for policyKey, policyValue := range policyLabels {
+		matchedPolicyLabelToServiceLabel := false
 		for serviceKey, serviceValue := range serviceLabels {
-			if serviceKey == policyKey && serviceValue == policyValue {
-				matchLabelCount++
+			if policyKey == serviceKey && policyValue == serviceValue {
+				matchedPolicyLabelToServiceLabel = true
+				break
 			}
 		}
+		if !matchedPolicyLabelToServiceLabel {
+			return false
+		}
 	}
-
-	// If the number of labels that match is equal to the number of labels in the policy pod selector then return true
-	// as that means all the match labels in the policy pod selector are present in the service selector
-	if matchLabelCount != 0 && matchLabelCount == len(policyPodLabels) {
-		return true
-	}
-	return false
+	return true
 }
 
 func contains(slice []string, item string) bool {