
Commit f99cbd1

committed
[Maint] add ns info to cid
1 parent f43ad34 commit f99cbd1


3 files changed

+21
-7
lines changed

3 files changed

+21
-7
lines changed

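--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ spinach.yml
 /kind
 /spinach-me
 __debug_bin*
+.act-evt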

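--- a/internal/cilium/lint/cid.go
+++ b/internal/cilium/lint/cid.go
@@ -45,13 +45,14 @@ func (s *CiliumIdentity) Lint(ctx context.Context) error {
 for o := it.Next(); o != nil; o = it.Next() {
 cid := o.(*v2.CiliumIdentity)
 fqn := client.FQN(cid.Namespace, cid.Name)
-s.InitOutcome(fqn)
-ctx = internal.WithSpec(ctx, ilint.SpecFor(fqn, cid))
+id := client.FQN(extractNS(cid), cid.Name)
+s.InitOutcome(id)
+ctx = internal.WithSpec(ctx, ilint.SpecFor(id, cid))
 if err := s.checkStale(ctx, fqn, &refs); err != nil {
 return err
 }
 s.checkNS(ctx, cid)
-if err := s.checkSA(ctx, fqn, cid); err != nil {
+if err := s.checkSA(ctx, cid); err != nil {
 return err
 }
 }
@@ -75,6 +76,17 @@ const (
 k8sSALabel = "io.cilium.k8s.policy.serviceaccount"
 )
 
+func extractNS(cid *v2.CiliumIdentity) string {
+if ns, ok := cid.Labels[k8sNSLabel]; ok {
+return ns
+}
+if ns, ok := cid.SecurityLabels[k8sSecNSLabel]; ok {
+return ns
+}
+
+return client.BlankNamespace
+}
+
 func (s *CiliumIdentity) checkNS(ctx context.Context, cid *v2.CiliumIdentity) {
 ns, ok := cid.Labels[k8sNSLabel]
 if !ok {
@@ -95,7 +107,7 @@ func (s *CiliumIdentity) checkNS(ctx context.Context, cid *v2.CiliumIdentity) {
 }
 }
 
-func (s *CiliumIdentity) checkSA(ctx context.Context, fqn string, cid *v2.CiliumIdentity) error {
+func (s *CiliumIdentity) checkSA(ctx context.Context, cid *v2.CiliumIdentity) error {
 ns, ok := cid.Labels[k8sNSLabel]
 if !ok {
 return fmt.Errorf("unable to locate cid namespace")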
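Review bot: The namespace is now resolved two different ways within one loop iteration: `extractNS` falls back to `SecurityLabels[k8sSecNSLabel]` and then to `client.BlankNamespace`, while `checkSA` (new line 111) still reads only `cid.Labels[k8sNSLabel]` and returns an error when it is absent. Because `Lint` returns on that error, one identity without the plain namespace label ends the scan and every identity after it goes unlinted, even though its report key was built without complaint. Consider resolving the namespace once, e.g. `ns := extractNS(cid)` inside `checkSA`, and recording a missing label as a lint finding instead of returning an error. `checkStale` is still passed the old `fqn` while the outcome is keyed by `id`; if that is intentional, a one-line comment next to the two assignments saying which key is used for lookups and which for reporting would prevent a later mix-up. The bodies of `checkNS` and `checkSA` continue outside the hunks, so this is based on the visible lines only.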

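--- a/internal/cilium/lint/cid_test.go
+++ b/internal/cilium/lint/cid_test.go
@@ -31,10 +31,11 @@ func TestCiliumIdentity(t *testing.T) {
 assert.Nil(t, li.Lint(test.MakeContext("cilium.io/v2/ciliumidentities", "ciliumidentities")))
 assert.Equal(t, 3, len(li.Outcome()))
 
-ii := li.Outcome()["100"]
+li.Outcome().Dump()
+ii := li.Outcome()["default/100"]
 assert.Equal(t, 0, len(ii))
 
-ii = li.Outcome()["200"]
+ii = li.Outcome()["ns1/200"]
 assert.Equal(t, 3, len(ii))
 assert.Equal(t, "[POP-1600] Stale? unable to locate matching Cilium Endpoint", ii[0].Message)
 assert.Equal(t, rules.WarnLevel, ii[0].Level)
@@ -43,7 +44,7 @@ func TestCiliumIdentity(t *testing.T) {
 assert.Equal(t, `[POP-307] CiliumIdentity references a non existing ServiceAccount: "ns1/sa1"`, ii[2].Message)
 assert.Equal(t, rules.WarnLevel, ii[2].Level)
 
-ii = li.Outcome()["300"]
+ii = li.Outcome()["default/300"]
 assert.Equal(t, 1, len(ii))
 assert.Equal(t, `[POP-1603] Missing security namespace label: "k8s:io.kubernetes.pod.namespace"`, ii[0].Message)
 assert.Equal(t, rules.WarnLevel, ii[0].Level)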
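Review bot: `li.Outcome().Dump()` on new line 34 looks like a leftover debugging call; it asserts nothing and presumably prints the whole outcome on every run, so it should be dropped before merge. The updated keys (`default/100`, `ns1/200`, `default/300`) do not visibly exercise the two fallbacks in `extractNS`, namely the `SecurityLabels` lookup and `client.BlankNamespace`. A fixture identity carrying only the security namespace label, and one carrying neither label, would pin down the report keys for those cases. TestCiliumIdentity starts before the first hunk and may continue past the last one.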
