Add global() selector #1229
Add global() selector #1229
Conversation
1) Implement a Token Global for handling `global'
lmm
force-pushed
the
lmm-port
branch
2 times, most recently
from
07be0bd
to
5b6faa8
Compare
Add support for rules and selector for global keyword and add unit test case
There was a problem hiding this comment.
I think we need some validation that global() isn't specified in regular selectors, since IIUC it won't function properly in that case, right?
e.g.,
spec.Selector will never select non-namespaced things, so it should be imposible to put global() in that field.
lib/apis/v3/policy.go
Outdated
| @@ -137,6 +137,9 @@ type EntityRule struct { | |||
| // For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting | |||
| // only workload endpoints in the same namespace as the NetworkPolicy. | |||
| // | |||
| // For NetworkPolicy, `global` NamespaceSelector implies that the Selector is limited to selecting | |||
|
@lmm please check with @krishgobinath about adding validation - he's planning to add this in the next week or so. |
|
@lmm Is there already a doc PR for this? I'd quite like to review that too, preferably before or at the same time as this one. (Or a design doc?) Specifically, as well as what @caseydavenport says, I'm wondering if |
There was a problem hiding this comment.
Am I right that this is mostly copied from our Enterprise code? Please can you list or identify the changes that are additional to that? (Because I think there's less value in reviewing Enterprise-copied code.)
If there isn't already a design or doc that says this, please can you also summarise, for me, where global() is allowed, and why?
Thanks @neiljerram . The first 2 commits are cherry-picked from enterprise code. The last commit is newly added. The docs PR (also cherry-picked) is here: projectcalico/calico#3643
|
lib/validator/v3/validator.go
Outdated
| reflect.ValueOf(spec.Selector), | ||
| "NetworkPolicySpec.Selector", | ||
| "", | ||
| reason(fmt.Sprintf("%s can only be used in a GlobalNetworkPolicy EntityRule", globalSelector)), |
There was a problem hiding this comment.
Add "namespaceSelector" ? (And similarly in all other occurrences below.)
| }, | ||
| }, | ||
| }, true, | ||
| ), |
There was a problem hiding this comment.
Need to add test and validation for disallowing global() in EntityRule selector field.
global() and projectcalico.org/name == '<value>' cannot be used with other selectors.
|
@neiljerram this is ready for another look. One comment re:
I had a chat with @doublek about this and the intent of the all(), global(), and projectcalico.org/name namespaceSelectors is that they should be used on their own and not in combination. I've added validation for this for global() and projectcalico.org/name. But I left all() untouched as we already do some canonicalization where all() && some-other-selector results in the selector parser to reduce that to all(), and maybe we want to preserve that behaviour? |
| @@ -66,6 +67,13 @@ var ( | |||
| // Hostname have to be valid ipv4, ipv6 or strings up to 64 characters. | |||
| prometheusHostRegexp = regexp.MustCompile(`^[a-zA-Z0-9:._+-]{1,64}$`) | |||
|
|
|||
| // global() cannot be used with other selectors. | |||
| andOr = `(&&|\|\|)` | |||
| globalSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v global\(\)|global\(\) %v`, andOr, andOr)) | |||
There was a problem hiding this comment.
nit: should the RE have * after the space, to allow for any amount of whitespace?
There was a problem hiding this comment.
Hmm, I see you already have a test for "global()||all()", so perhaps in the RE already stands for any amount of whitespace? (Otherwise, how is that test passing?)
There was a problem hiding this comment.
We parse the selector string first and use the String() from that result for the validation matching. The parsing will trim out all of the whitespace.
lib/validator/v3/validator.go
Outdated
| globalSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v global\(\)|global\(\) %v`, andOr, andOr)) | ||
|
|
||
| // projectcalico.org/name cannot be used with other selectors. | ||
| namespaceSelectorRegex = regexp.MustCompile(fmt.Sprintf(`%v projectcalico.org/name == ".*"|projectcalico.org/name == ".*" %v`, andOr, andOr)) |
There was a problem hiding this comment.
This looks plausible to me, but:
- is it right to add this validation into the current PR? is there a particular motivation for that?
- what about, for example,
projectcalico/name in {"red", "blue", ...}- which I think should be allowed on its own, but probably not combined with anything else.
Unless there's a strong reason to include, I think it might be better to split the projectcalico.org/name validation out into another PR, so we can discuss its motivation and details more there.
There was a problem hiding this comment.
I think you're right - I'll remove the projectcalico.org/name bits
lmm
dismissed
caseydavenport’s stale review
Comments covered by follow-up commits
Description
This PR adds support for the
global()keywordTodos
Release Note