in pkg/resolvers/policies_for_service.go [72:107]
// isServiceMatchLabelSelector reports whether svc is selected by the namespace
// and pod selectors of the given network policy peer.
//
// Namespace stage:
//   - With peer.NamespaceSelector set, the service's Namespace object is fetched
//     and its labels must satisfy the selector. If peer.PodSelector is nil the
//     service is accepted at that point, before svc.Spec.Selector is inspected.
//   - Without a namespace selector, the service must live in policyNamespace.
//
// Pod stage: a service without a selector is rejected; otherwise
// peer.PodSelector is evaluated against svc.Spec.Selector used as a label set.
//
// Every lookup or conversion error is logged and reported as "no match", so a
// failure never widens the set of services a policy resolves to.
//
// NOTE(review): the pod stage compares the peer's pod selector with the
// service's own selector map, not with the labels of the pods behind the
// service. Peers using negative expressions (NotIn / DoesNotExist) or keys the
// service selector does not carry may presumably resolve differently than they
// would against real pod labels. Confirm callers treat the result as an
// approximation.
func (r *defaultPolicyReferenceResolver) isServiceMatchLabelSelector(ctx context.Context, svc *corev1.Service, peer *networking.NetworkPolicyPeer, policyNamespace string) bool {
	switch {
	case peer.NamespaceSelector != nil:
		// The Namespace is fetched before the selector is converted; keep this
		// order so the same failure is logged first.
		svcNamespace := &corev1.Namespace{}
		if err := r.k8sClient.Get(ctx, types.NamespacedName{Name: svc.Namespace}, svcNamespace); err != nil {
			r.logger.Info("Failed to get namespace", "namespace", svc.Namespace, "err", err)
			return false
		}

		namespaceMatcher, err := metav1.LabelSelectorAsSelector(peer.NamespaceSelector)
		if err != nil {
			r.logger.Info("Failed to convert namespace selector to selector", "namespace", peer.NamespaceSelector, "err", err)
			return false
		}

		namespaceSelected := namespaceMatcher.Matches(labels.Set(svcNamespace.Labels))
		if !namespaceSelected || peer.PodSelector == nil {
			// Either the namespace is out of scope (false), or it is in scope
			// and the peer places no pod-level restriction (true).
			return namespaceSelected
		}

	case svc.Namespace != policyNamespace:
		// No namespace selector: the peer is scoped to the policy's own namespace.
		r.logger.V(1).Info("Svc and policy namespace does not match", "namespace", svc.Namespace)
		return false
	}

	if svc.Spec.Selector == nil {
		r.logger.V(1).Info("Ignoring service without selector", "service", k8s.NamespacedName(svc))
		return false
	}

	// peer.PodSelector can still be nil here when the peer has no namespace
	// selector either; the outcome then rests on how LabelSelectorAsSelector
	// converts a nil selector (it yields a selector that matches nothing).
	podMatcher, err := metav1.LabelSelectorAsSelector(peer.PodSelector)
	if err != nil {
		r.logger.Info("Failed to convert pod selector to selector", "podSelector", peer.PodSelector, "err", err)
		return false
	}

	return podMatcher.Matches(labels.Set(svc.Spec.Selector))
}