Netork policy GA: select all pods in namespace if pod selector is not specified in the network policy spec

Murali Reddy · Murali Reddy · commit 279bc66a997c · 2017-07-31T22:47:43.000+05:30
as per semantics https://kubernetes.io/docs/api-reference/v1.7/#networkpolicy-v1-networking Fixes #90
diff --git a/app/controllers/network_policy_controller.go b/app/controllers/network_policy_controller.go
@@ -595,9 +595,19 @@ func (npc *NetworkPolicyController) getFirewallEnabledPods(nodeIp string) (*map[
 			podNeedsFirewall := false
 			for _, policy_obj := range watchers.NetworkPolicyWatcher.List() {
 				policy, _ := policy_obj.(*networking.NetworkPolicy)
+
+				// we are only interested in the network policies in same namespace that of pod
 				if policy.Namespace != pod.ObjectMeta.Namespace {
 					continue
 				}
+
+				// An empty podSelector matches all pods in this namespace.
+				if len(policy.Spec.PodSelector.MatchLabels) == 0 || len(policy.Spec.PodSelector.MatchExpressions) == 0 {
+					podNeedsFirewall = true
+					break
+				}
+
+				// if pod matches atleast on network policy labels then pod needs firewall
 				matchingPods, err := watchers.PodWatcher.ListByNamespaceAndLabels(policy.Namespace,
 					policy.Spec.PodSelector.MatchLabels)
 				if err != nil {
