moved checkPolicyMatchServiceLabels check to the top since every block uses it and removed excplicit check for ports

rayaisaiah · rayaisaiah · commit 809fc90908cd · 2025-02-11T18:39:26.000Z
diff --git a/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator/azure-npm-to-cilium-validator.go
@@ -226,24 +226,25 @@ func checkNoServiceRisk(service *corev1.Service, policiesListAtNamespace []*netw
 	for _, policy := range policiesListAtNamespace {
 		// Skips deny all policies as they do not have any ingress rules
 		for _, ingress := range policy.Spec.Ingress {
-			// Check if there is an allow all ingress policy that matches labels the service is safe
-			if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
-				// Check if there is an allow all ingress policy with empty selectors or matching service labels as the policy allows all services in the namespace
-				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) {
+			// Check for each policy label that that label is present in the service labels meaning the service is being targeted by the policy
+			if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) {
+				// Check if there is an allow all ingress policy as the policy allows all services in the namespace
+				if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
 					return true
 				}
-			}
-			// Check if service is a loadbalancer and policy allows 168.63.129.16 and has no ports
-			if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.Ports) == 0 {
-				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkAllowsLoadBalancerIP(ingress.From) {
-					return true
+				// Check if service is a loadbalancer and policy allows 168.63.129.16 and has no ports
+				if service.Spec.Type == corev1.ServiceTypeLoadBalancer && len(ingress.Ports) == 0 {
+					if checkAllowsLoadBalancerIP(ingress.From) {
+						return true
+					}
 				}
-			}
-			// If there are no ingress from but there are ports in the policy; check if the service is safe
-			if len(ingress.From) == 0 {
-				// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports
-				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector) && checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {
-					return true
+				// If there are no ingress from but there are ports in the policy; check if the service is safe
+				if len(ingress.From) == 0 {
+					// If the policy targets all pods (allow all) or only pods that are in the service selector, check if traffic is allowed to all the service's target ports
+					// Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set
+					if checkServiceTargetPortMatchPolicyPorts(service.Spec.Ports, ingress.Ports) {
+						return true
+					}
 				}
 			}
 		}
@@ -291,12 +292,6 @@ func checkServiceTargetPortMatchPolicyPorts(servicePorts []corev1.ServicePort, p
 		return false
 	}
 
-	// If the policy is allowing no traffic from ports then the service is at risk
-	// Note: ingress.Ports.protocol will never be nil if len(ingress.Ports) is greater than 0. It defaults to "TCP" if not set
-	if len(policyPorts) == 0 {
-		return false
-	}
-
 	for _, servicePort := range servicePorts {
 		// If the target port is a string then it is a named port and service is at risk
 		if servicePort.TargetPort.Type == intstr.String {
