in pkg/skoop/plugin/networkpolicy.go [199:267]
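// checkEgressPolicyVerdict reports whether policy, when it carries the Egress
// policy type, denies traffic to dst. It returns deny=false as soon as any
// egress rule whose ports cover dst.Port/protocol has a peer that matches the
// destination, and deny=true when no rule allows it.
//
// Two NetworkPolicy semantics are applied that a naive peer loop misses:
//   - an egress rule with an empty "to" list matches every destination;
//   - a peer carrying both podSelector and namespaceSelector selects pods
//     matching podSelector inside namespaces matching namespaceSelector
//     (not pods in the policy's own namespace).
//
// dstPod may be nil for destinations outside the cluster; selector peers are
// then skipped and only ipBlock peers can match. Errors come from invalid
// label selectors, namespace lookups and CIDR parsing.
func (np *networkPolicy) checkEgressPolicyVerdict(policy *v1.NetworkPolicy, dstPod *corev1.Pod, dst model.Endpoint, protocol model.Protocol) (deny bool, err error) {
	if !np.hasPolicyType(policy, v1.PolicyTypeEgress) {
		return false, nil
	}
	for _, egressRule := range policy.Spec.Egress {
		if !np.containsPortWithProtocol(dst.Port, protocol, egressRule.Ports) {
			continue
		}
		// An empty or missing "to" list does not restrict the destination at all.
		if len(egressRule.To) == 0 {
			return false, nil
		}
		for _, to := range egressRule.To {
			allowed, err := np.egressPeerAllows(policy, to, dstPod, dst)
			if err != nil {
				return false, err
			}
			if allowed {
				return false, nil
			}
		}
	}
	return true, nil
}

// egressPeerAllows reports whether a single NetworkPolicyPeer of an egress rule
// matches the destination described by dstPod (nil when not an in-cluster pod)
// and dst.
func (np *networkPolicy) egressPeerAllows(policy *v1.NetworkPolicy, to v1.NetworkPolicyPeer, dstPod *corev1.Pod, dst model.Endpoint) (bool, error) {
	if dstPod != nil && (to.PodSelector != nil || to.NamespaceSelector != nil) {
		matched, err := np.selectorPeerMatchesPod(policy, to, dstPod)
		if err != nil || matched {
			return matched, err
		}
	}
	if to.IPBlock == nil {
		return false, nil
	}
	// In-cluster pod addresses are not evaluated against CIDR peers when the
	// plugin is configured to omit CIDR rules for them.
	if dstPod != nil && np.inClusterAddrEmitCidrRule {
		return false, nil
	}
	return np.ipBlockContains(to.IPBlock, dst.IP)
}

// selectorPeerMatchesPod evaluates the podSelector/namespaceSelector part of a
// peer against dstPod. The namespace scope is namespaceSelector when present
// (an empty selector meaning every namespace), otherwise the policy's own
// namespace; within that scope a nil or empty podSelector matches every pod.
func (np *networkPolicy) selectorPeerMatchesPod(policy *v1.NetworkPolicy, to v1.NetworkPolicyPeer, dstPod *corev1.Pod) (bool, error) {
	if to.NamespaceSelector != nil {
		nsSelector, err := metav1.LabelSelectorAsSelector(to.NamespaceSelector)
		if err != nil {
			return false, err
		}
		// Only fetch the namespace when its labels actually matter.
		if !nsSelector.Empty() {
			dstNamespace, err := np.k8sCli.CoreV1().Namespaces().Get(context.Background(), dstPod.GetNamespace(), metav1.GetOptions{})
			if err != nil {
				return false, err
			}
			if !nsSelector.Matches(labels.Set(dstNamespace.Labels)) {
				return false, nil
			}
		}
	} else if dstPod.GetNamespace() != policy.GetNamespace() {
		// A podSelector without a namespaceSelector is scoped to the policy's namespace.
		return false, nil
	}
	if to.PodSelector == nil {
		return true, nil
	}
	podSelector, err := metav1.LabelSelectorAsSelector(to.PodSelector)
	if err != nil {
		return false, err
	}
	return podSelector.Empty() || podSelector.Matches(labels.Set(dstPod.Labels)), nil
}

// ipBlockContains reports whether ip lies inside block.CIDR and outside every
// entry of block.Except.
func (np *networkPolicy) ipBlockContains(block *v1.IPBlock, ip string) (bool, error) {
	contains, err := np.strCidrContainsIP(block.CIDR, ip)
	if err != nil || !contains {
		return false, err
	}
	for _, exceptCIDR := range block.Except {
		except, err := np.strCidrContainsIP(exceptCIDR, ip)
		if err != nil {
			return false, err
		}
		if except {
			return false, nil
		}
	}
	return true, nil
}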