Collect calico globalnetwork policy resource

Signed-off-by: Ram <[email protected]>
libopenstorage · Jun 18, 2021 · 5ee1a37 · 5ee1a37
1 parent 3f3f1da
commit 5ee1a37
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 1 deletion.
diff --git a/pkg/resourcecollector/globalnetworkpolicy.go b/pkg/resourcecollector/globalnetworkpolicy.go
@@ -0,0 +1,74 @@
+package resourcecollector
+
+import (
+	"context"
+	"strings"
+
+	"github.com/projectcalico/libcalico-go/lib/options"
+	"github.com/projectcalico/libcalico-go/lib/selector"
+	"github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func (r *ResourceCollector) globalNetworkPolicyToBeCollected(
+	object runtime.Unstructured,
+	namespace string,
+) (bool, error) {
+	if r.calicoOps == nil {
+		return false, nil
+	}
+
+	// Collect policy based on namespace selector
+	// TODO: instead of string replace evaluate exprs
+	namespaceSelector, found, err := unstructured.NestedString(object.UnstructuredContent(), "spec", "namespaceSelector")
+	if err != nil {
+		logrus.Warnf("Unable to retrive namespaceSelector from globalpolicy object, %v", err)
+	}
+	if found {
+		// policy is applied to all workerendpoint in given namespace
+		if strings.Contains(namespaceSelector, namespace) {
+			return true, nil
+		}
+	}
+
+	// Collect policy based on service account in given namespace
+	saSelector, found, err := unstructured.NestedString(object.UnstructuredContent(), "spec", "serviceAccountSelector")
+	if err != nil {
+		logrus.Warnf("Unable to retrive saSelector from globalpolicy object, %v", err)
+	}
+	if found {
+		saList, err := r.coreOps.ListServiceAccount(namespace, metav1.ListOptions{})
+		if err != nil {
+			return false, err
+		}
+		for _, sa := range saList.Items {
+			if strings.Contains(saSelector, sa.Name) {
+				return true, nil
+			}
+		}
+	}
+	policySelector, _, err := unstructured.NestedString(object.UnstructuredContent(), "spec", "selector")
+	if err != nil {
+		logrus.Warnf("Unable to retrive selector from globalpolicy object, %v", err)
+	}
+	sel, err := selector.Parse(policySelector)
+	if err != nil {
+		logrus.Warnf("Unable to parse selector from globalpolicy object, %v", err)
+	}
+	wkpList, err := r.calicoOps.WorkloadEndpoints().List(context.Background(), options.ListOptions{Namespace: namespace})
+	if err != nil {
+		logrus.Warnf("Unable to parse selector from globalpolicy object, %v", err)
+	}
+	for _, worker := range wkpList.Items {
+		if sel.Evaluate(worker.Labels) {
+			return true, nil
+		}
+	}
+	// If policy applies to all resource in cluster select those as well
+	if namespaceSelector == "" && saSelector == "" && policySelector == "" {
+		return true, nil
+	}
+	return false, nil
+}
diff --git a/pkg/resourcecollector/resourcecollector.go b/pkg/resourcecollector/resourcecollector.go
@@ -14,6 +14,7 @@ import (
 	"github.com/portworx/sched-ops/k8s/core"
 	"github.com/portworx/sched-ops/k8s/rbac"
 	storkops "github.com/portworx/sched-ops/k8s/stork"
+	"github.com/projectcalico/libcalico-go/lib/clientv3"
 	"github.com/sirupsen/logrus"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
@@ -48,6 +49,7 @@ type ResourceCollector struct {
 	coreOps          core.Ops
 	rbacOps          rbac.Ops
 	storkOps         storkops.Ops
+	calicoOps        clientv3.Interface
 }
 
 // Objects Collection of objects
@@ -96,6 +98,12 @@ func (r *ResourceCollector) Init(config *restclient.Config) error {
 	if err != nil {
 		return err
 	}
+
+	r.calicoOps, err = clientv3.NewFromEnv()
+	if err != nil {
+		logrus.Errorf("Unable to initialise calico client %v", err)
+	}
+
 	return nil
 }
 
@@ -136,7 +144,8 @@ func resourceToBeCollected(resource metav1.APIResource, grp schema.GroupVersion,
 		"ReplicaSet",
 		"LimitRange",
 		"NetworkPolicy",
-		"PodDisruptionBudget":
+		"PodDisruptionBudget",
+		"GlobalNetworkPolicy":
 		return true
 	case "Job":
 		return slice.ContainsString(optionalResourceTypes, "job", strings.ToLower) ||
@@ -474,6 +483,8 @@ func (r *ResourceCollector) objectToBeCollected(
 		return r.resourceQuotaToBeCollected(object)
 	case "NetworkPolicy":
 		return r.networkPolicyToBeCollected(object)
+	case "GlobalNetworkPolicy":
+		return r.globalNetworkPolicyToBeCollected(object, namespace)
 	}
 
 	return true, nil