Conversation
* translate k8s NPs used on OSS to CNPs
pkg/controller/clusterconnection/clusterconnection_controller.go
- TigeraComponentTierName -> CalicoTierName
- TigeraComponentPolicyPrefix -> CalicoComponentPolicyPrefix
- TigeraComponentDefaultDenyPolicyName -> CalicoComponentDefaultDenyPolicyName
    if err != nil {
        return nil, err
    }
    var policies []client.Object
I think there's a bug here. For OSS, IncludeEgressNetworkPolicy will always be false (it's gated on the enterprise license having EgressAccessControlFeature), so policies will be empty and no CNP gets rendered for Guardian at all.
Meanwhile, the old k8s NetworkPolicy was removed from the Guardian component and added to deprecatedObjects(). So OSS Guardian ends up with zero network policies — the old one is deleted and the new one is never created.
It looks like ossNetworkPolicy() inside guardianCalicoSystemPolicy was intended to cover the OSS case, but it's dead code because it's behind this gate.
I think the fix is to always call guardianCalicoSystemPolicy when the tier is available, and use IncludeEgressNetworkPolicy (or a variant) to control just the egress rules within the policy, rather than gating the entire policy creation.
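The control-flow problem described in this comment, as an added example that is not code from the PR or from the operator: hypothetical stand-in types (`Rule`, `NetworkPolicy`, `RenderConfig`) and placeholder policy and tier names model a render function that gates the whole policy on the enterprise-only egress flag, beside the suggested shape where the tier check decides whether the policy exists and the flag decides only which egress rules it carries.

```go
package main

import "fmt"

// Rule and NetworkPolicy are constructed stand-ins for the policy objects the
// operator renders; they are not the projectcalico v3 API types.
type Rule struct {
	Action      string
	Destination string
}

type NetworkPolicy struct {
	Name    string
	Tier    string
	Ingress []Rule
	Egress  []Rule
}

// RenderConfig carries the two inputs the review discusses: whether the tier
// exists on the cluster, and whether the enterprise-only egress access control
// feature is licensed (always false on OSS).
type RenderConfig struct {
	TierAvailable              bool
	IncludeEgressNetworkPolicy bool
}

// renderGuardianPoliciesBuggy reproduces the bug: the entire policy is gated on
// the enterprise-only flag, so an OSS cluster renders no Guardian policy at all.
func renderGuardianPoliciesBuggy(cfg RenderConfig) []NetworkPolicy {
	var policies []NetworkPolicy
	if cfg.TierAvailable && cfg.IncludeEgressNetworkPolicy {
		policies = append(policies, guardianPolicy(cfg.IncludeEgressNetworkPolicy))
	}
	return policies
}

// renderGuardianPoliciesFixed applies the suggested fix: the policy is rendered
// whenever the tier is available, and the flag only widens its egress rules.
func renderGuardianPoliciesFixed(cfg RenderConfig) []NetworkPolicy {
	var policies []NetworkPolicy
	if cfg.TierAvailable {
		policies = append(policies, guardianPolicy(cfg.IncludeEgressNetworkPolicy))
	}
	return policies
}

// guardianPolicy builds one policy. The ingress rule and the kube-apiserver
// egress rule are always present; the licence-dependent egress rule is added
// only when includeEgress is true. Names and destinations are placeholders.
func guardianPolicy(includeEgress bool) NetworkPolicy {
	p := NetworkPolicy{
		Name:    "example-guardian-access", // placeholder, not the operator's name
		Tier:    "example-tier",            // placeholder tier name
		Ingress: []Rule{{Action: "Allow", Destination: "guardian-tunnel-port"}},
		Egress:  []Rule{{Action: "Allow", Destination: "kube-apiserver"}},
	}
	if includeEgress {
		p.Egress = append(p.Egress, Rule{Action: "Allow", Destination: "management-cluster"})
	}
	return p
}

func main() {
	oss := RenderConfig{TierAvailable: true, IncludeEgressNetworkPolicy: false}
	ent := RenderConfig{TierAvailable: true, IncludeEgressNetworkPolicy: true}
	fmt.Printf("buggy: OSS renders %d policies, Enterprise renders %d\n",
		len(renderGuardianPoliciesBuggy(oss)), len(renderGuardianPoliciesBuggy(ent)))
	fmt.Printf("fixed: OSS renders %d policies, Enterprise renders %d\n",
		len(renderGuardianPoliciesFixed(oss)), len(renderGuardianPoliciesFixed(ent)))
}
```

Running it shows the asymmetry the reviewer points at: with the gate on the whole policy, the OSS configuration renders nothing, while the fixed shape renders one policy for both editions and differs only in the egress rule count.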
Actually, that is how it was before. This code was the most confusing part; you can see that I tried to find a way to leave Enterprise how it was, and created a v3.NetworkPolicy for OSS. About the way that Enterprise was creating the rule, I warned the Operator team.
KubeAPIServerServiceSelectorEntityRule -> KubeAPIServerEntityRule