
Commit 30230e0

committed
Update webspherelibertyapplication_controller.go
1 parent 43bd5de commit 30230e0


1 file changed

+61
-61
lines changed


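--- a/controllers/webspherelibertyapplication_controller.go
+++ b/controllers/webspherelibertyapplication_controller.go
@@ -403,74 +403,74 @@ func (r *ReconcileWebSphereLiberty) Reconcile(ctx context.Context, request ctrl.
 Name: instance.Name + "-egress-apiserver-access",
 Namespace: instance.Namespace,
 }}
-apiServerNetworkPolicy.Spec.PodSelector = metav1.LabelSelector{
-MatchLabels: map[string]string{
-OperatorAllowAPIServerAccessLabel: "true",
-},
-}
-// Add OpenShift DNS NetworkPolicy (if applicable)
-if r.IsOpenShift() {
-dnsRule := networkingv1.NetworkPolicyEgressRule{}
-if dnsEndpoints, err := r.getEndpoints("dns-default", "openshift-dns"); err == nil {
-if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil {
-dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
-}
-if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil {
-dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
-}
-peer := networkingv1.NetworkPolicyPeer{}
-peer.NamespaceSelector = &metav1.LabelSelector{
-MatchLabels: map[string]string{
-"kubernetes.io/metadata.name": "openshift-dns",
-},
+err = r.CreateOrUpdate(apiServerNetworkPolicy, instance, func() error {
+apiServerNetworkPolicy.Spec.PodSelector = metav1.LabelSelector{
+MatchLabels: map[string]string{
+OperatorAllowAPIServerAccessLabel: "true",
+},
+}
+// Add OpenShift DNS NetworkPolicy (if applicable)
+if r.IsOpenShift() {
+dnsRule := networkingv1.NetworkPolicyEgressRule{}
+if dnsEndpoints, err := r.getEndpoints("dns-default", "openshift-dns"); err == nil {
+if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns"); endpointPort != nil {
+dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+}
+if endpointPort := lutils.GetEndpointPortByName(&dnsEndpoints.Subsets[0].Ports, "dns-tcp"); endpointPort != nil {
+dnsRule.Ports = append(dnsRule.Ports, lutils.CreateNetworkPolicyPortFromEndpointPort(endpointPort))
+}
+peer := networkingv1.NetworkPolicyPeer{}
+peer.NamespaceSelector = &metav1.LabelSelector{
+MatchLabels: map[string]string{
+"kubernetes.io/metadata.name": "openshift-dns",
+},
+}
+dnsRule.To = append(dnsRule.To, peer)
+reqLogger.Info("Found endpoints for dns-default service in the openshift-dns namespace")
+} else {
+peer := networkingv1.NetworkPolicyPeer{}
+peer.NamespaceSelector = &metav1.LabelSelector{
+MatchLabels: map[string]string{},
+}
+dnsRule.To = append(dnsRule.To, peer)
+reqLogger.Info("Failed to retrieve endpoints for dns-default service in the openshift-dns namespace. Using more permissive rule.")
+}
+apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, dnsRule)
+}
+
+rule := networkingv1.NetworkPolicyEgressRule{}
+if apiServerEndpoints, err := r.getEndpoints("kubernetes", "default"); err == nil {
+// Define the port
+port := networkingv1.NetworkPolicyPort{}
+port.Protocol = &apiServerEndpoints.Subsets[0].Ports[0].Protocol
+var portNumber intstr.IntOrString = intstr.FromInt((int)(apiServerEndpoints.Subsets[0].Ports[0].Port))
+port.Port = &portNumber
+rule.Ports = append(rule.Ports, port)
+
+// Add the endpoint address as ipBlock entries
+for _, endpoint := range apiServerEndpoints.Subsets {
+for _, address := range endpoint.Addresses {
+peer := networkingv1.NetworkPolicyPeer{}
+ipBlock := networkingv1.IPBlock{}
+ipBlock.CIDR = address.IP + "/32"
+
+peer.IPBlock = &ipBlock
+rule.To = append(rule.To, peer)
+}
 }
-dnsRule.To = append(dnsRule.To, peer)
-reqLogger.Info("Found endpoints for dns-default service in the openshift-dns namespace")
+reqLogger.Info("Found endpoints for kubernetes service in the default namespace")
 } else {
 peer := networkingv1.NetworkPolicyPeer{}
 peer.NamespaceSelector = &metav1.LabelSelector{
 MatchLabels: map[string]string{},
 }
-dnsRule.To = append(dnsRule.To, peer)
-reqLogger.Info("Failed to retrieve endpoints for dns-default service in the openshift-dns namespace. Using more permissive rule.")
+rule.To = append(rule.To, peer)
+reqLogger.Info("Failed to retrieve endpoints for kubernetes service in the default namespace. Using more permissive rule.")
 }
-apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, dnsRule)
-}
-
-rule := networkingv1.NetworkPolicyEgressRule{}
-if apiServerEndpoints, err := r.getEndpoints("kubernetes", "default"); err == nil {
-// Define the port
-port := networkingv1.NetworkPolicyPort{}
-port.Protocol = &apiServerEndpoints.Subsets[0].Ports[0].Protocol
-var portNumber intstr.IntOrString = intstr.FromInt((int)(apiServerEndpoints.Subsets[0].Ports[0].Port))
-port.Port = &portNumber
-rule.Ports = append(rule.Ports, port)
-
-// Add the endpoint address as ipBlock entries
-for _, endpoint := range apiServerEndpoints.Subsets {
-for _, address := range endpoint.Addresses {
-peer := networkingv1.NetworkPolicyPeer{}
-ipBlock := networkingv1.IPBlock{}
-ipBlock.CIDR = address.IP + "/32"
-
-peer.IPBlock = &ipBlock
-rule.To = append(rule.To, peer)
-}
-}
-reqLogger.Info("Found endpoints for kubernetes service in the default namespace")
-} else {
-peer := networkingv1.NetworkPolicyPeer{}
-peer.NamespaceSelector = &metav1.LabelSelector{
-MatchLabels: map[string]string{},
-}
-rule.To = append(rule.To, peer)
-reqLogger.Info("Failed to retrieve endpoints for kubernetes service in the default namespace. Using more permissive rule.")
-}
-apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, rule)
-apiServerNetworkPolicy.Labels = ba.GetLabels()
-apiServerNetworkPolicy.Annotations = oputils.MergeMaps(apiServerNetworkPolicy.Annotations, ba.GetAnnotations())
-apiServerNetworkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}
-err = r.CreateOrUpdate(apiServerNetworkPolicy, instance, func() error {
+apiServerNetworkPolicy.Spec.Egress = append(apiServerNetworkPolicy.Spec.Egress, rule)
+apiServerNetworkPolicy.Labels = ba.GetLabels()
+apiServerNetworkPolicy.Annotations = oputils.MergeMaps(apiServerNetworkPolicy.Annotations, ba.GetAnnotations())
+apiServerNetworkPolicy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}
 return nil
 })
 if err != nil {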
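Review bot: Inside the mutate closure opened at new line 406, `Spec.Egress` is only ever appended to (new lines 438 and 470), so if `r.CreateOrUpdate` loads the existing NetworkPolicy into `apiServerNetworkPolicy` before invoking the closure — the usual create-or-update contract, though not visible here — every reconcile re-adds the DNS and API-server rules and the egress list grows without bound while the policy is rewritten each pass; reset it at the top of the closure with `apiServerNetworkPolicy.Spec.Egress = nil` (or build both rules into a local slice and assign it once). The closure also dereferences `dnsEndpoints.Subsets[0]` and `apiServerEndpoints.Subsets[0].Ports[0]` without checking that the Endpoints object has any subsets or ports, which panics the reconciler whenever the service momentarily has no ready endpoints; guard with `len(dnsEndpoints.Subsets) > 0` and `len(apiServerEndpoints.Subsets) > 0 && len(apiServerEndpoints.Subsets[0].Ports) > 0` before indexing. Both `else` branches fall back to an empty `NamespaceSelector`, which selects every namespace (and, for `rule`, every port since `Ports` stays empty), so a transient error reading Endpoints silently widens egress cluster-wide and is only recorded at Info level without the error value; consider logging the error and the widening at a level operators will see, and requeueing rather than persisting the permissive policy. Reconcile starts and ends outside this hunk.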
