fixed logic on services with allow all ingress polcies

rayaisaiah · rayaisaiah · commit cdb91b2b00e6 · 2025-01-31T00:42:18.000Z
diff --git a/tools/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator.go
@@ -233,12 +233,12 @@ func checkForEgressPolicies(policiesByNamespace map[string][]networkingv1.Networ
 func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servicesByNamespace map[string][]corev1.Service, policiesByNamespace map[string][]networkingv1.NetworkPolicy) bool {
 	var servicesAtRisk, noSelectorServices, safeServices []string
 
-	for _, ns := range namespaces.Items {
+	for _, namespace := range namespaces.Items {
 		// Check if are there ingress policies in the namespace if not skip
-		if !hasIngressPolicies(policiesByNamespace[ns.Name]) {
+		if !hasIngressPolicies(policiesByNamespace[namespace.Name]) {
 			continue
 		}
-		serviceListAtNamespace := servicesByNamespace[ns.Name]
+		serviceListAtNamespace := servicesByNamespace[namespace.Name]
 
 		// Check if are there services with externalTrafficPolicy=Cluster (applicable if Type=NodePort or Type=LoadBalancer)
 		for _, service := range serviceListAtNamespace {
@@ -252,13 +252,13 @@ func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servic
 				// If the service has externalTrafficPolicy is set to "Cluster" add it to the servicesAtRisk list (ExternalTrafficPolicy: "" defaults to Cluster)
 				if externalTrafficPolicy != v1.ServiceExternalTrafficPolicyTypeLocal {
 					// Any service with externalTrafficPolicy=Cluster is at risk so need to elimate any services that are incorrectly flagged
-					servicesAtRisk = append(servicesAtRisk, fmt.Sprintf("%s/%s", ns.Name, service.Name))
+					servicesAtRisk = append(servicesAtRisk, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
 					// If the service has no selector add it to the noSelectorServices list
 					if service.Spec.Selector == nil {
-						noSelectorServices = append(noSelectorServices, fmt.Sprintf("%s/%s", ns.Name, service.Name))
+						noSelectorServices = append(noSelectorServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
 					} else {
 						// Check if are there services with selector that match the network policy
-						checkServiceRisk(service, ns.Name, servicePorts, policiesByNamespace[ns.Name], safeServices)
+						safeServices = checkServiceRisk(service, namespace.Name, servicePorts, policiesByNamespace[namespace.Name], safeServices)
 					}
 				}
 			}
@@ -314,33 +314,35 @@ func hasIngressPolicies(policies []networkingv1.NetworkPolicy) bool {
 	return false
 }
 
-func checkServiceRisk(service v1.Service, namespace string, servicePorts []string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) {
+func checkServiceRisk(service v1.Service, namespace string, servicePorts []string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) []string {
 	for _, policy := range policiesListAtNamespace {
 		for _, ingress := range policy.Spec.Ingress {
-			// If there are no ingress from and ports in the policy check; check if the service is safe
+			// Check if there is an allow all policy that matches labels the service is safe
 			if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
 				if matchAllServiceSelector(&metav1.LabelSelector{MatchLabels: service.Spec.Selector}, &policy.Spec.PodSelector) {
 					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
-					return
-				}
-			}
-			// If there are no ingress from but there are ports in the policy; check if the service is safe
-			if len(ingress.From) == 0 && len(ingress.Ports) > 0 {
-				if matchAllServiceSelector(&metav1.LabelSelector{MatchLabels: service.Spec.Selector}, &policy.Spec.PodSelector) {
-					matchingPorts := []string{}
-					for _, port := range ingress.Ports {
-						matchingPorts = append(matchingPorts, fmt.Sprintf("%d/%s", port.Port.IntVal, string(*port.Protocol)))
-					}
-					for _, sevicePort := range servicePorts {
-						if contains(matchingPorts, sevicePort) {
-							safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
-							return
-						}
-					}
+					return safeServices
 				}
 			}
+			// Check if all the labels in
+			// // If there are no ingress from but there are ports in the policy; check if the service is safe
+			// if len(ingress.From) == 0 && len(ingress.Ports) > 0 {
+			// 	if matchAllServiceSelector(&metav1.LabelSelector{MatchLabels: service.Spec.Selector}, &policy.Spec.PodSelector) {
+			// 		matchingPorts := []string{}
+			// 		for _, port := range ingress.Ports {
+			// 			matchingPorts = append(matchingPorts, fmt.Sprintf("%d/%s", port.Port.IntVal, string(*port.Protocol)))
+			// 		}
+			// 		for _, sevicePort := range servicePorts {
+			// 			if contains(matchingPorts, sevicePort) {
+			// 				safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
+			// 				return
+			// 			}
+			// 		}
+			// 	}
+			// }
 		}
 	}
+	return safeServices
 }
 
 func matchAllServiceSelector(serviceSelector *metav1.LabelSelector, policyPodSelector *metav1.LabelSelector) bool {
