@@ -403,74 +403,74 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl.
403403 Name : instance .Name + "-egress-apiserver-access" ,
404404 Namespace : instance .Namespace ,
405405 }}
406- apiServerNetworkPolicy .Spec .PodSelector = metav1.LabelSelector {
407- MatchLabels : map [string ]string {
408- OperatorAllowAPIServerAccessLabel : "true" ,
409- },
410- }
411- // Add OpenShift DNS NetworkPolicy (if applicable)
412- if r .IsOpenShift () {
413- dnsRule := networkingv1.NetworkPolicyEgressRule {}
414- if dnsEndpoints , err := r .getEndpoints ("dns-default" , "openshift-dns" ); err == nil {
415- if endpointPort := lutils .GetEndpointPortByName (& dnsEndpoints .Subsets [0 ].Ports , "dns" ); endpointPort != nil {
416- dnsRule .Ports = append (dnsRule .Ports , lutils .CreateNetworkPolicyPortFromEndpointPort (endpointPort ))
417- }
418- if endpointPort := lutils .GetEndpointPortByName (& dnsEndpoints .Subsets [0 ].Ports , "dns-tcp" ); endpointPort != nil {
419- dnsRule .Ports = append (dnsRule .Ports , lutils .CreateNetworkPolicyPortFromEndpointPort (endpointPort ))
420- }
421- peer := networkingv1.NetworkPolicyPeer {}
422- peer .NamespaceSelector = & metav1.LabelSelector {
423- MatchLabels : map [string ]string {
424- "kubernetes.io/metadata.name" : "openshift-dns" ,
425- },
406+ err = r .CreateOrUpdate (apiServerNetworkPolicy , instance , func () error {
407+ apiServerNetworkPolicy .Spec .PodSelector = metav1.LabelSelector {
408+ MatchLabels : map [string ]string {
409+ OperatorAllowAPIServerAccessLabel : "true" ,
410+ },
411+ }
412+ // Add OpenShift DNS NetworkPolicy (if applicable)
413+ if r .IsOpenShift () {
414+ dnsRule := networkingv1.NetworkPolicyEgressRule {}
415+ if dnsEndpoints , err := r .getEndpoints ("dns-default" , "openshift-dns" ); err == nil {
416+ if endpointPort := lutils .GetEndpointPortByName (& dnsEndpoints .Subsets [0 ].Ports , "dns" ); endpointPort != nil {
417+ dnsRule .Ports = append (dnsRule .Ports , lutils .CreateNetworkPolicyPortFromEndpointPort (endpointPort ))
418+ }
419+ if endpointPort := lutils .GetEndpointPortByName (& dnsEndpoints .Subsets [0 ].Ports , "dns-tcp" ); endpointPort != nil {
420+ dnsRule .Ports = append (dnsRule .Ports , lutils .CreateNetworkPolicyPortFromEndpointPort (endpointPort ))
421+ }
422+ peer := networkingv1.NetworkPolicyPeer {}
423+ peer .NamespaceSelector = & metav1.LabelSelector {
424+ MatchLabels : map [string ]string {
425+ "kubernetes.io/metadata.name" : "openshift-dns" ,
426+ },
427+ }
428+ dnsRule .To = append (dnsRule .To , peer )
429+ reqLogger .Info ("Found endpoints for dns-default service in the openshift-dns namespace" )
430+ } else {
431+ peer := networkingv1.NetworkPolicyPeer {}
432+ peer .NamespaceSelector = & metav1.LabelSelector {
433+ MatchLabels : map [string ]string {},
434+ }
435+ dnsRule .To = append (dnsRule .To , peer )
436+ reqLogger .Info ("Failed to retrieve endpoints for dns-default service in the openshift-dns namespace. Using more permissive rule." )
437+ }
438+ apiServerNetworkPolicy .Spec .Egress = append (apiServerNetworkPolicy .Spec .Egress , dnsRule )
439+ }
440+
441+ rule := networkingv1.NetworkPolicyEgressRule {}
442+ if apiServerEndpoints , err := r .getEndpoints ("kubernetes" , "default" ); err == nil {
443+ // Define the port
444+ port := networkingv1.NetworkPolicyPort {}
445+ port .Protocol = & apiServerEndpoints .Subsets [0 ].Ports [0 ].Protocol
446+ var portNumber intstr.IntOrString = intstr .FromInt ((int )(apiServerEndpoints .Subsets [0 ].Ports [0 ].Port ))
447+ port .Port = & portNumber
448+ rule .Ports = append (rule .Ports , port )
449+
450+ // Add the endpoint address as ipBlock entries
451+ for _ , endpoint := range apiServerEndpoints .Subsets {
452+ for _ , address := range endpoint .Addresses {
453+ peer := networkingv1.NetworkPolicyPeer {}
454+ ipBlock := networkingv1.IPBlock {}
455+ ipBlock .CIDR = address .IP + "/32"
456+
457+ peer .IPBlock = & ipBlock
458+ rule .To = append (rule .To , peer )
459+ }
426460 }
427- dnsRule .To = append (dnsRule .To , peer )
428- reqLogger .Info ("Found endpoints for dns-default service in the openshift-dns namespace" )
461+ reqLogger .Info ("Found endpoints for kubernetes service in the default namespace" )
429462 } else {
430463 peer := networkingv1.NetworkPolicyPeer {}
431464 peer .NamespaceSelector = & metav1.LabelSelector {
432465 MatchLabels : map [string ]string {},
433466 }
434- dnsRule .To = append (dnsRule .To , peer )
435- reqLogger .Info ("Failed to retrieve endpoints for dns-default service in the openshift-dns namespace. Using more permissive rule." )
467+ rule .To = append (rule .To , peer )
468+ reqLogger .Info ("Failed to retrieve endpoints for kubernetes service in the default namespace. Using more permissive rule." )
436469 }
437- apiServerNetworkPolicy .Spec .Egress = append (apiServerNetworkPolicy .Spec .Egress , dnsRule )
438- }
439-
440- rule := networkingv1.NetworkPolicyEgressRule {}
441- if apiServerEndpoints , err := r .getEndpoints ("kubernetes" , "default" ); err == nil {
442- // Define the port
443- port := networkingv1.NetworkPolicyPort {}
444- port .Protocol = & apiServerEndpoints .Subsets [0 ].Ports [0 ].Protocol
445- var portNumber intstr.IntOrString = intstr .FromInt ((int )(apiServerEndpoints .Subsets [0 ].Ports [0 ].Port ))
446- port .Port = & portNumber
447- rule .Ports = append (rule .Ports , port )
448-
449- // Add the endpoint address as ipBlock entries
450- for _ , endpoint := range apiServerEndpoints .Subsets {
451- for _ , address := range endpoint .Addresses {
452- peer := networkingv1.NetworkPolicyPeer {}
453- ipBlock := networkingv1.IPBlock {}
454- ipBlock .CIDR = address .IP + "/32"
455-
456- peer .IPBlock = & ipBlock
457- rule .To = append (rule .To , peer )
458- }
459- }
460- reqLogger .Info ("Found endpoints for kubernetes service in the default namespace" )
461- } else {
462- peer := networkingv1.NetworkPolicyPeer {}
463- peer .NamespaceSelector = & metav1.LabelSelector {
464- MatchLabels : map [string ]string {},
465- }
466- rule .To = append (rule .To , peer )
467- reqLogger .Info ("Failed to retrieve endpoints for kubernetes service in the default namespace. Using more permissive rule." )
468- }
469- apiServerNetworkPolicy .Spec .Egress = append (apiServerNetworkPolicy .Spec .Egress , rule )
470- apiServerNetworkPolicy .Labels = ba .GetLabels ()
471- apiServerNetworkPolicy .Annotations = oputils .MergeMaps (apiServerNetworkPolicy .Annotations , ba .GetAnnotations ())
472- apiServerNetworkPolicy .Spec .PolicyTypes = []networkingv1.PolicyType {networkingv1 .PolicyTypeEgress }
473- err = r .CreateOrUpdate (apiServerNetworkPolicy , instance , func () error {
470+ apiServerNetworkPolicy .Spec .Egress = append (apiServerNetworkPolicy .Spec .Egress , rule )
471+ apiServerNetworkPolicy .Labels = ba .GetLabels ()
472+ apiServerNetworkPolicy .Annotations = oputils .MergeMaps (apiServerNetworkPolicy .Annotations , ba .GetAnnotations ())
473+ apiServerNetworkPolicy .Spec .PolicyTypes = []networkingv1.PolicyType {networkingv1 .PolicyTypeEgress }
474474 return nil
475475 })
476476 if err != nil {
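Review bot: Inside the mutate closure, `apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, dnsRule)` (new line 438) and the matching append of `rule` (new line 470) extend whatever Egress the object already carries; if r.CreateOrUpdate follows the usual controllerutil pattern of fetching the existing NetworkPolicy before running the mutate function, every reconcile of an existing policy appends another copy of both rules, and a permissive fallback rule (empty NamespaceSelector, no ports) written on an earlier pass is never removed once the endpoints become available. Reset the slice at the top of the closure, `apiServerNetworkPolicy.Spec.Egress = nil`, so the egress list is rebuilt from scratch on each reconcile. The new side also still indexes `dnsEndpoints.Subsets[0]` (new line 415) and `apiServerEndpoints.Subsets[0].Ports[0]` (new lines 445–446) without a length check, so an Endpoints object with no subsets or ports panics the reconciler; folding the check into the conditions, `err == nil && len(dnsEndpoints.Subsets) > 0` and `err == nil && len(apiServerEndpoints.Subsets) > 0 && len(apiServerEndpoints.Subsets[0].Ports) > 0`, routes that case to the existing fallback branches instead. The enclosing Reconcile method starts and ends outside this hunk.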