in pkg/skoop/plugin/networkpolicy.go [49:123]
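// CheckNetworkPolicy evaluates Kubernetes NetworkPolicy objects along the
// path src -> dst for the given protocol and returns one critical Suspicion
// per policy that would deny the packet.
//
// Egress policies are evaluated on the source pod (when src is a pod) and
// ingress policies on the destination pod (when dst is a pod). When dst is a
// Service or LoadBalancer address, the packet is first run through the
// service processor to obtain its backends and the check recurses into each
// backend endpoint, so the result also covers the policies that apply to the
// backend pods.
//
// When serviceAddrSkipCidrRule is set, egress policies are NOT evaluated
// against the service address itself; they are only evaluated against the
// resolved backend addresses during recursion. Egress rules expressed as
// CIDRs covering the service range are therefore not reported in that mode.
//
// It returns an error when an endpoint cannot be resolved through ipCache,
// when a policy check fails, or when a service backend resolves to the
// service address itself ("service network loop"). Errors wrap their cause
// with %w so errors.Is / errors.As work on them; the suspicion slice is nil
// whenever the error is non-nil.
func (np *networkPolicy) CheckNetworkPolicy(src, dst model.Endpoint, protocol model.Protocol) ([]model.Suspicion, error) {
	var denies []*v1.NetworkPolicy
	var ret []model.Suspicion

	dstIsService := dst.Type == model.EndpointTypeService || dst.Type == model.EndpointTypeLoadbalancer

	if src.Type == model.EndpointTypePod {
		pod, err := np.ipCache.GetPodFromIP(src.IP)
		if err != nil {
			return nil, fmt.Errorf("error get pod from ip ipCache: %w", err)
		}
		// The egress check always runs for non-service destinations; for
		// pod -> service traffic it runs unless serviceAddrSkipCidrRule asks
		// to defer the check to the resolved backends. Both cases share the
		// same egress evaluation, so they are folded into one branch.
		if !dstIsService || !np.serviceAddrSkipCidrRule {
			nps, err := np.checkEgress(pod, dst, protocol)
			if err != nil {
				return nil, fmt.Errorf("error check egress policies: %w", err)
			}
			denies = append(denies, nps...)
		}
	}

	if dst.Type == model.EndpointTypePod {
		pod, err := np.ipCache.GetPodFromIP(dst.IP)
		if err != nil {
			return nil, fmt.Errorf("error get pod from ip ipCache: %w", err)
		}
		nps, err := np.checkIngress(pod, src, protocol)
		if err != nil {
			return nil, fmt.Errorf("error check ingress policies: %w", err)
		}
		denies = append(denies, nps...)
	}

	if dstIsService {
		svc, err := np.ipCache.GetServiceFromIP(dst.IP)
		if err != nil {
			return nil, fmt.Errorf("error get service(%v) from ip ipCache: %w", dst.IP, err)
		}
		backends := np.service.Process(model.Packet{
			Src:      net.ParseIP(src.IP),
			Sport:    src.Port,
			Dst:      net.ParseIP(dst.IP),
			Dport:    dst.Port,
			Protocol: protocol,
		}, svc, nil)
		for _, backend := range backends {
			// A backend equal to the service address would recurse forever.
			// NOTE(review): only this immediate self-loop is detected; a
			// backend that is itself another service address recurses with
			// no depth bound — confirm Process never yields such backends.
			if backend.IP == dst.IP {
				return nil, fmt.Errorf("service network loop")
			}
			backendType, err := np.ipCache.GetIPType(backend.IP)
			if err != nil {
				return nil, err
			}
			backendEP := model.Endpoint{
				IP:   backend.IP,
				Type: backendType,
				Port: backend.Port,
			}
			// Recurse with the resolved backend as the destination so that
			// ingress policies on the backend pod (and, when the egress
			// check was skipped above, egress policies towards the backend
			// address) are evaluated.
			sub, err := np.CheckNetworkPolicy(src, backendEP, protocol)
			if err != nil {
				// Return nil on error like every other path in this method
				// instead of a partially filled result.
				return nil, err
			}
			ret = append(ret, sub...)
		}
	}

	// Report every denying policy as a critical suspicion. The loop variable
	// is named policy so it does not shadow the receiver np.
	for _, policy := range denies {
		ret = append(ret, model.Suspicion{
			Level: model.SuspicionLevelCritical,
			Message: fmt.Sprintf("network policy %v/%v deny the packet from %v to(%v) %v:%v",
				policy.Namespace, policy.Name,
				src.IP, protocol, dst.IP, dst.Port),
		})
	}
	return ret, nil
}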