in pkg/skoop/plugin/networkpolicy.go [326:401]
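// checkIngressPolicyVerdict evaluates one NetworkPolicy's ingress rules against
// traffic arriving from src. srcPod is non-nil when the source is a pod in the
// cluster and nil for an external address. It returns deny=true when the
// policy covers ingress and none of its rules admit the source, and deny=false
// when the policy does not cover ingress or at least one rule matches.
//
// The rule evaluation follows the NetworkPolicy API:
//   - a rule whose From list is empty matches every source once its ports match;
//   - a peer with both PodSelector and NamespaceSelector selects pods whose
//     namespace matches the namespace selector AND whose labels match the pod
//     selector; the policy's own namespace is only implied when there is no
//     namespace selector;
//   - an IPBlock peer matches when src.IP is inside CIDR and outside every
//     Except entry.
//
// Errors from selector parsing, the namespace lookup or CIDR parsing are
// returned as-is; deny is meaningless when err is non-nil.
func (np *networkPolicy) checkIngressPolicyVerdict(policy *v1.NetworkPolicy, srcPod *corev1.Pod, src model.Endpoint, protocol model.Protocol) (deny bool, err error) {
	if !np.hasPolicyType(policy, v1.PolicyTypeIngress) {
		return false, nil
	}
	for _, ingressRule := range policy.Spec.Ingress {
		// NOTE(review): ingress rule ports are the destination ports on the
		// policy's pod; the caller passes src.Port here — confirm that value is
		// the destination port for ingress checks.
		if !np.containsPortWithProtocol(src.Port, protocol, ingressRule.Ports) {
			continue
		}
		// Ports matched and the rule does not restrict the source at all.
		if len(ingressRule.From) == 0 {
			return false, nil
		}
		for _, from := range ingressRule.From {
			matched, err := np.ingressPeerMatches(policy, from, srcPod, src)
			if err != nil {
				return false, err
			}
			if matched {
				return false, nil
			}
		}
	}
	return true, nil
}

// ingressPeerMatches reports whether a single NetworkPolicyPeer admits the
// source. Selector-based peers can only match an in-cluster pod (srcPod != nil).
// IPBlock peers are evaluated against src.IP, except that in-cluster pods are
// not matched by CIDR rules when inClusterAddrEmitCidrRule is set.
func (np *networkPolicy) ingressPeerMatches(policy *v1.NetworkPolicy, peer v1.NetworkPolicyPeer, srcPod *corev1.Pod, src model.Endpoint) (bool, error) {
	if srcPod != nil && (peer.PodSelector != nil || peer.NamespaceSelector != nil) {
		matched, err := np.ingressPeerSelectorsMatchPod(policy, peer, srcPod)
		if err != nil {
			return false, err
		}
		if matched {
			return true, nil
		}
	}
	if peer.IPBlock == nil {
		return false, nil
	}
	if srcPod != nil && np.inClusterAddrEmitCidrRule {
		return false, nil
	}
	return np.ingressIPBlockContains(peer.IPBlock, src.IP)
}

// ingressPeerSelectorsMatchPod evaluates the PodSelector / NamespaceSelector
// part of a peer against an in-cluster source pod. A namespace selector is
// resolved by fetching the pod's namespace object; without one, a pod selector
// is scoped to the policy's own namespace.
func (np *networkPolicy) ingressPeerSelectorsMatchPod(policy *v1.NetworkPolicy, peer v1.NetworkPolicyPeer, srcPod *corev1.Pod) (bool, error) {
	if peer.NamespaceSelector != nil {
		nsSelector, err := metav1.LabelSelectorAsSelector(peer.NamespaceSelector)
		if err != nil {
			return false, err
		}
		// An empty namespace selector matches every namespace, so the lookup
		// is only needed when it actually constrains something.
		if !nsSelector.Empty() {
			// The namespace object is keyed by the pod's namespace, not its name.
			srcNamespace, err := np.k8sCli.CoreV1().Namespaces().Get(context.Background(), srcPod.GetNamespace(), metav1.GetOptions{})
			if err != nil {
				return false, err
			}
			if !nsSelector.Matches(labels.Set(srcNamespace.Labels)) {
				return false, nil
			}
		}
	} else if srcPod.GetNamespace() != policy.GetNamespace() {
		return false, nil
	}
	if peer.PodSelector == nil {
		return true, nil
	}
	podSelector, err := metav1.LabelSelectorAsSelector(peer.PodSelector)
	if err != nil {
		return false, err
	}
	// An empty pod selector matches every pod in the selected namespace(s).
	return podSelector.Empty() || podSelector.Matches(labels.Set(srcPod.Labels)), nil
}

// ingressIPBlockContains reports whether ip lies inside block.CIDR and outside
// all of block.Except. CIDR parsing errors from strCidrContainsIP are returned.
func (np *networkPolicy) ingressIPBlockContains(block *v1.IPBlock, ip string) (bool, error) {
	contains, err := np.strCidrContainsIP(block.CIDR, ip)
	if err != nil {
		return false, err
	}
	if !contains {
		return false, nil
	}
	for _, exceptCIDR := range block.Except {
		excepted, err := np.strCidrContainsIP(exceptCIDR, ip)
		if err != nil {
			return false, err
		}
		if excepted {
			return false, nil
		}
	}
	return true, nil
}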