fix: track endport policies instead of namedport

huntergregory · huntergregory · commit e8a2832ec37c · 2025-01-09T14:03:46.000-08:00
Signed-off-by: Hunter Gregory &lt;42728408+huntergregory@users.noreply.github.com&gt;
diff --git a/npm/metrics/ai-utils.go b/npm/metrics/ai-utils.go
@@ -120,7 +120,7 @@ func SendHeartbeatWithNumPolicies() {
 	}
 
 	cidrNetPols := GetCidrNetPols()
-	namedPortNetPols := GetNamedPortNetPols()
-	message := fmt.Sprintf("info: NPM heartbeat. Total policies: %s, CIDR policies: %d, NamedPort policies: %d", numPoliciesString, cidrNetPols, namedPortNetPols)
+	endPortNetPols := GetEndPortNetPols()
+	message := fmt.Sprintf("info: NPM heartbeat. Total policies: %s, CIDR policies: %d, EndPort policies: %d", numPoliciesString, cidrNetPols, endPortNetPols)
 	SendLog(util.NpmID, message, DonotPrint)
 }
diff --git a/npm/metrics/counts.go b/npm/metrics/counts.go
@@ -7,8 +7,8 @@ var nonPrometheusCounts *counts
 // counts is a struct holding non-Prometheus counts.
 type counts struct {
 	sync.Mutex
-	cidrNetPols      int
-	namedPortNetPols int
+	cidrNetPols    int
+	endPortNetPols int
 }
 
 func IncCidrNetPols() {
@@ -38,29 +38,29 @@ func GetCidrNetPols() int {
 	return nonPrometheusCounts.cidrNetPols
 }
 
-func IncNamedPortNetPols() {
+func IncEndPortNetPols() {
 	if nonPrometheusCounts == nil {
 		return
 	}
 	nonPrometheusCounts.Lock()
 	defer nonPrometheusCounts.Unlock()
-	nonPrometheusCounts.namedPortNetPols++
+	nonPrometheusCounts.endPortNetPols++
 }
 
-func DecNamedPortNetPols() {
+func DecEndPortNetPols() {
 	if nonPrometheusCounts == nil {
 		return
 	}
 	nonPrometheusCounts.Lock()
 	defer nonPrometheusCounts.Unlock()
-	nonPrometheusCounts.namedPortNetPols--
+	nonPrometheusCounts.endPortNetPols--
 }
 
-func GetNamedPortNetPols() int {
+func GetEndPortNetPols() int {
 	if nonPrometheusCounts == nil {
 		return 0
 	}
 	nonPrometheusCounts.Lock()
 	defer nonPrometheusCounts.Unlock()
-	return nonPrometheusCounts.namedPortNetPols
+	return nonPrometheusCounts.endPortNetPols
 }
diff --git a/npm/pkg/controlplane/controllers/v2/networkPolicyController.go b/npm/pkg/controlplane/controllers/v2/networkPolicyController.go
@@ -325,8 +325,8 @@ func (c *NetworkPolicyController) syncAddAndUpdateNetPol(netPolObj *networkingv1
 			metrics.DecCidrNetPols()
 		}
 
-		if translation.HasNamedPort(oldNetPolSpec) {
-			metrics.DecNamedPortNetPols()
+		if translation.HasEndPort(oldNetPolSpec) {
+			metrics.DecEndPortNetPols()
 		}
 	} else {
 		// inc metric for NumPolicies only if it a new network policy
@@ -337,8 +337,8 @@ func (c *NetworkPolicyController) syncAddAndUpdateNetPol(netPolObj *networkingv1
 		metrics.IncCidrNetPols()
 	}
 
-	if translation.HasNamedPort(&netPolObj.Spec) {
-		metrics.IncNamedPortNetPols()
+	if translation.HasEndPort(&netPolObj.Spec) {
+		metrics.IncEndPortNetPols()
 	}
 
 	c.rawNpSpecMap[netpolKey] = &netPolObj.Spec
@@ -362,8 +362,8 @@ func (c *NetworkPolicyController) cleanUpNetworkPolicy(netPolKey string) error {
 		metrics.DecCidrNetPols()
 	}
 
-	if translation.HasNamedPort(cachedNetPolSpec) {
-		metrics.DecNamedPortNetPols()
+	if translation.HasEndPort(cachedNetPolSpec) {
+		metrics.DecEndPortNetPols()
 	}
 
 	// Success to clean up ipset and iptables operations in kernel and delete the cached network policy from RawNpMap
diff --git a/npm/pkg/controlplane/controllers/v2/networkPolicyController_test.go b/npm/pkg/controlplane/controllers/v2/networkPolicyController_test.go
@@ -22,6 +22,7 @@ import (
 	kubeinformers "k8s.io/client-go/informers"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/utils/pointer"
 )
 
 type netPolFixture struct {
@@ -633,12 +634,12 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 	tests := []struct {
 		name string
 		// network policy to add
-		netPolSpec     *networkingv1.NetworkPolicySpec
-		cidrCount      int
-		namedPortCount int
+		netPolSpec   *networkingv1.NetworkPolicySpec
+		cidrCount    int
+		endPortCount int
 	}{
 		{
-			name: "no-cidr-namedPort",
+			name: "no-cidr-endPort",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -719,7 +720,7 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 			cidrCount: 1,
 		},
 		{
-			name: "namedPort-ingress",
+			name: "endPort-ingress",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -728,16 +729,17 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
 				},
 			},
-			namedPortCount: 1,
+			endPortCount: 1,
 		},
 		{
-			name: "namedPort-egress",
+			name: "endPort-egress",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeEgress,
@@ -746,16 +748,17 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
 				},
 			},
-			namedPortCount: 1,
+			endPortCount: 1,
 		},
 		{
-			name: "cidr-and-namedPort",
+			name: "cidr-and-endPort",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -771,14 +774,15 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 						},
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
 				},
 			},
-			cidrCount:      1,
-			namedPortCount: 1,
+			cidrCount:    1,
+			endPortCount: 1,
 		},
 	}
 
@@ -807,28 +811,28 @@ func TestCountsAddAndDeleteNetPol(t *testing.T) {
 			}
 			checkNetPolTestResult("TestCountsCreateNetPol", f, testCases)
 			require.Equal(t, tt.cidrCount, metrics.GetCidrNetPols())
-			require.Equal(t, tt.namedPortCount, metrics.GetNamedPortNetPols())
+			require.Equal(t, tt.endPortCount, metrics.GetEndPortNetPols())
 
 			deleteNetPol(t, f, netPolObj, DeletedFinalStateknownObject)
 			testCases = []expectedNetPolValues{
 				{0, 0, netPolPromVals{0, 1, 0, 1}},
 			}
 			checkNetPolTestResult("TestCountsDelNetPol", f, testCases)
 			require.Equal(t, 0, metrics.GetCidrNetPols())
-			require.Equal(t, 0, metrics.GetNamedPortNetPols())
+			require.Equal(t, 0, metrics.GetEndPortNetPols())
 		})
 	}
 }
 
 func TestCountsUpdateNetPol(t *testing.T) {
 	tests := []struct {
-		name                  string
-		netPolSpec            *networkingv1.NetworkPolicySpec
-		updatedNetPolSpec     *networkingv1.NetworkPolicySpec
-		cidrCount             int
-		namedPortCount        int
-		updatedCidrCount      int
-		updatedNamedPortCount int
+		name                string
+		netPolSpec          *networkingv1.NetworkPolicySpec
+		updatedNetPolSpec   *networkingv1.NetworkPolicySpec
+		cidrCount           int
+		endPortCount        int
+		updatedCidrCount    int
+		updatedEndPortCount int
 	}{
 		{
 			name: "cidr-to-no-cidr",
@@ -942,7 +946,7 @@ func TestCountsUpdateNetPol(t *testing.T) {
 			updatedCidrCount: 1,
 		},
 		{
-			name: "namedPort-to-no-namedPort",
+			name: "endPort-to-no-endPort",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -951,7 +955,8 @@ func TestCountsUpdateNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
@@ -971,11 +976,11 @@ func TestCountsUpdateNetPol(t *testing.T) {
 					},
 				},
 			},
-			namedPortCount:        1,
-			updatedNamedPortCount: 0,
+			endPortCount:        1,
+			updatedEndPortCount: 0,
 		},
 		{
-			name: "no-namedPort-to-namedPort",
+			name: "no-endPort-to-endPort",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -998,17 +1003,18 @@ func TestCountsUpdateNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
 				},
 			},
-			namedPortCount:        0,
-			updatedNamedPortCount: 1,
+			endPortCount:        0,
+			updatedEndPortCount: 1,
 		},
 		{
-			name: "namedPort-to-namedPort",
+			name: "endPort-to-endPort",
 			netPolSpec: &networkingv1.NetworkPolicySpec{
 				PolicyTypes: []networkingv1.PolicyType{
 					networkingv1.PolicyTypeIngress,
@@ -1017,7 +1023,8 @@ func TestCountsUpdateNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "abc"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(85),
 							},
 						},
 					},
@@ -1031,14 +1038,15 @@ func TestCountsUpdateNetPol(t *testing.T) {
 					{
 						Ports: []networkingv1.NetworkPolicyPort{
 							{
-								Port: &intstr.IntOrString{StrVal: "xyz"},
+								Port:    &intstr.IntOrString{IntVal: 80},
+								EndPort: pointer.Int32(86),
 							},
 						},
 					},
 				},
 			},
-			namedPortCount:        1,
-			updatedNamedPortCount: 1,
+			endPortCount:        1,
+			updatedEndPortCount: 1,
 		},
 	}
 
@@ -1066,7 +1074,7 @@ func TestCountsUpdateNetPol(t *testing.T) {
 			}
 			checkNetPolTestResult("TestCountsAddNetPol", f, testCases)
 			require.Equal(t, tt.cidrCount, metrics.GetCidrNetPols())
-			require.Equal(t, tt.namedPortCount, metrics.GetNamedPortNetPols())
+			require.Equal(t, tt.endPortCount, metrics.GetEndPortNetPols())
 
 			newNetPolObj := createNetPol()
 			newNetPolObj.Spec = *tt.updatedNetPolSpec
@@ -1078,7 +1086,7 @@ func TestCountsUpdateNetPol(t *testing.T) {
 			}
 			checkNetPolTestResult("TestCountsUpdateNetPol", f, testCases)
 			require.Equal(t, tt.updatedCidrCount, metrics.GetCidrNetPols())
-			require.Equal(t, tt.updatedNamedPortCount, metrics.GetNamedPortNetPols())
+			require.Equal(t, tt.updatedEndPortCount, metrics.GetEndPortNetPols())
 		})
 	}
 }
diff --git a/npm/pkg/controlplane/translation/translatePolicy.go b/npm/pkg/controlplane/translation/translatePolicy.go
@@ -705,18 +705,26 @@ func HasCIDRBlock(netPolSpec *networkingv1.NetworkPolicySpec) bool {
 	return false
 }
 
-func HasNamedPort(netPolObj *networkingv1.NetworkPolicySpec) bool {
+func HasEndPort(netPolObj *networkingv1.NetworkPolicySpec) bool {
 	for _, ingress := range netPolObj.Ingress {
 		for _, port := range ingress.Ports {
-			if t, err := portType(port); err == nil && t == namedPortType {
+			if port.EndPort == nil {
+				continue
+			}
+
+			if t, err := portType(port); err == nil && t == numericPortType {
 				return true
 			}
 		}
 	}
 
 	for _, egress := range netPolObj.Egress {
 		for _, port := range egress.Ports {
-			if t, err := portType(port); err == nil && t == namedPortType {
+			if port.EndPort == nil {
+				continue
+			}
+
+			if t, err := portType(port); err == nil && t == numericPortType {
 				return true
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ func SendHeartbeatWithNumPolicies() {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`cidrNetPols := GetCidrNetPols()`
`123`		`- namedPortNetPols := GetNamedPortNetPols()`
`124`		`- message := fmt.Sprintf("info: NPM heartbeat. Total policies: %s, CIDR policies: %d, NamedPort policies: %d", numPoliciesString, cidrNetPols, namedPortNetPols)`
	`123`	`+ endPortNetPols := GetEndPortNetPols()`
	`124`	`+ message := fmt.Sprintf("info: NPM heartbeat. Total policies: %s, CIDR policies: %d, EndPort policies: %d", numPoliciesString, cidrNetPols, endPortNetPols)`
`125`	`125`	`SendLog(util.NpmID, message, DonotPrint)`
`126`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ var nonPrometheusCounts *counts`
`7`	`7`	`// counts is a struct holding non-Prometheus counts.`
`8`	`8`	`type counts struct {`
`9`	`9`	`sync.Mutex`
`10`		`- cidrNetPols int`
`11`		`- namedPortNetPols int`
	`10`	`+ cidrNetPols int`
	`11`	`+ endPortNetPols int`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`func IncCidrNetPols() {`
`@@ -38,29 +38,29 @@ func GetCidrNetPols() int {`
`38`	`38`	`return nonPrometheusCounts.cidrNetPols`
`39`	`39`	`}`
`40`	`40`
`41`		`-func IncNamedPortNetPols() {`
	`41`	`+func IncEndPortNetPols() {`
`42`	`42`	`if nonPrometheusCounts == nil {`
`43`	`43`	`return`
`44`	`44`	`}`
`45`	`45`	`nonPrometheusCounts.Lock()`
`46`	`46`	`defer nonPrometheusCounts.Unlock()`
`47`		`- nonPrometheusCounts.namedPortNetPols++`
	`47`	`+ nonPrometheusCounts.endPortNetPols++`
`48`	`48`	`}`
`49`	`49`
`50`		`-func DecNamedPortNetPols() {`
	`50`	`+func DecEndPortNetPols() {`
`51`	`51`	`if nonPrometheusCounts == nil {`
`52`	`52`	`return`
`53`	`53`	`}`
`54`	`54`	`nonPrometheusCounts.Lock()`
`55`	`55`	`defer nonPrometheusCounts.Unlock()`
`56`		`- nonPrometheusCounts.namedPortNetPols--`
	`56`	`+ nonPrometheusCounts.endPortNetPols--`
`57`	`57`	`}`
`58`	`58`
`59`		`-func GetNamedPortNetPols() int {`
	`59`	`+func GetEndPortNetPols() int {`
`60`	`60`	`if nonPrometheusCounts == nil {`
`61`	`61`	`return 0`
`62`	`62`	`}`
`63`	`63`	`nonPrometheusCounts.Lock()`
`64`	`64`	`defer nonPrometheusCounts.Unlock()`
`65`		`- return nonPrometheusCounts.namedPortNetPols`
	`65`	`+ return nonPrometheusCounts.endPortNetPols`
`66`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -325,8 +325,8 @@ func (c NetworkPolicyController) syncAddAndUpdateNetPol(netPolObj networkingv1`
`325`	`325`	`metrics.DecCidrNetPols()`
`326`	`326`	`}`
`327`	`327`
`328`		`- if translation.HasNamedPort(oldNetPolSpec) {`
`329`		`- metrics.DecNamedPortNetPols()`
	`328`	`+ if translation.HasEndPort(oldNetPolSpec) {`
	`329`	`+ metrics.DecEndPortNetPols()`
`330`	`330`	`}`
`331`	`331`	`} else {`
`332`	`332`	`// inc metric for NumPolicies only if it a new network policy`
`@@ -337,8 +337,8 @@ func (c NetworkPolicyController) syncAddAndUpdateNetPol(netPolObj networkingv1`
`337`	`337`	`metrics.IncCidrNetPols()`
`338`	`338`	`}`
`339`	`339`
`340`		`- if translation.HasNamedPort(&netPolObj.Spec) {`
`341`		`- metrics.IncNamedPortNetPols()`
	`340`	`+ if translation.HasEndPort(&netPolObj.Spec) {`
	`341`	`+ metrics.IncEndPortNetPols()`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`c.rawNpSpecMap[netpolKey] = &netPolObj.Spec`
`@@ -362,8 +362,8 @@ func (c *NetworkPolicyController) cleanUpNetworkPolicy(netPolKey string) error {`
`362`	`362`	`metrics.DecCidrNetPols()`
`363`	`363`	`}`
`364`	`364`
`365`		`- if translation.HasNamedPort(cachedNetPolSpec) {`
`366`		`- metrics.DecNamedPortNetPols()`
	`365`	`+ if translation.HasEndPort(cachedNetPolSpec) {`
	`366`	`+ metrics.DecEndPortNetPols()`
`367`	`367`	`}`
`368`	`368`
`369`	`369`	`// Success to clean up ipset and iptables operations in kernel and delete the cached network policy from RawNpMap`
Original file line number	Diff line number	Diff line change
`@@ -705,18 +705,26 @@ func HasCIDRBlock(netPolSpec *networkingv1.NetworkPolicySpec) bool {`
`705`	`705`	`return false`
`706`	`706`	`}`
`707`	`707`
`708`		`-func HasNamedPort(netPolObj *networkingv1.NetworkPolicySpec) bool {`
	`708`	`+func HasEndPort(netPolObj *networkingv1.NetworkPolicySpec) bool {`
`709`	`709`	`for _, ingress := range netPolObj.Ingress {`
`710`	`710`	`for _, port := range ingress.Ports {`
`711`		`- if t, err := portType(port); err == nil && t == namedPortType {`
	`711`	`+ if port.EndPort == nil {`
	`712`	`+ continue`
	`713`	`+ }`
	`714`	`+`
	`715`	`+ if t, err := portType(port); err == nil && t == numericPortType {`
`712`	`716`	`return true`
`713`	`717`	`}`
`714`	`718`	`}`
`715`	`719`	`}`
`716`	`720`
`717`	`721`	`for _, egress := range netPolObj.Egress {`
`718`	`722`	`for _, port := range egress.Ports {`
`719`		`- if t, err := portType(port); err == nil && t == namedPortType {`
	`723`	`+ if port.EndPort == nil {`
	`724`	`+ continue`
	`725`	`+ }`
	`726`	`+`
	`727`	`+ if t, err := portType(port); err == nil && t == numericPortType {`
`720`	`728`	`return true`
`721`	`729`	`}`
`722`	`730`	`}`