in pkg/resolvers/policies_for_pod.go [105:142]
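// isPodLabelMatchPeer reports whether pod is selected by the label-based part
// of peer (NamespaceSelector and/or PodSelector), following NetworkPolicy
// peer semantics:
//   - NamespaceSelector set, PodSelector nil: the pod matches iff the labels
//     of its namespace match the namespace selector.
//   - NamespaceSelector set, PodSelector set: the namespace labels must match
//     the namespace selector AND the pod labels must match the pod selector.
//   - NamespaceSelector nil: only pods in policyNamespace are candidates; the
//     pod labels must then match PodSelector.
//   - Both selectors nil (e.g. an IPBlock-only peer): nothing matches, because
//     LabelSelectorAsSelector(nil) yields a match-nothing selector.
//
// Every failure path (namespace lookup error, unparsable selector) returns
// false, i.e. the pod is treated as NOT selected by this peer. Peers are
// allow-list entries, so this is the fail-closed outcome: an error never
// widens the set of selected pods.
//
// pod and peer must be non-nil; policyNamespace is the namespace of the
// NetworkPolicy that contains peer.
func (r *defaultPolicyReferenceResolver) isPodLabelMatchPeer(ctx context.Context, pod *corev1.Pod, peer *networking.NetworkPolicyPeer, policyNamespace string) bool {
	if peer.NamespaceSelector != nil {
		// Namespace-scoped peer: fetch the pod's namespace object so its
		// labels can be tested against the namespace selector.
		ns := &corev1.Namespace{}
		if err := r.k8sClient.Get(ctx, types.NamespacedName{Name: pod.Namespace}, ns); err != nil {
			r.logger.Info("Unable to get namespace", "ns", pod.Namespace, "err", err)
			return false
		}
		nsSelector, err := metav1.LabelSelectorAsSelector(peer.NamespaceSelector)
		if err != nil {
			r.logger.Info("Unable to get namespace selector", "selector", peer.NamespaceSelector, "err", err)
			return false
		}
		if !nsSelector.Matches(labels.Set(ns.Labels)) {
			// NOTE: the whole Namespace object is logged at V(1); this is verbose
			// but kept as-is to preserve existing log output.
			r.logger.V(1).Info("nsSelector does not match ns labels", "selector", nsSelector,
				"ns", ns)
			return false
		}
		if peer.PodSelector == nil {
			// A namespace selector without a pod selector selects every pod
			// in the matching namespaces.
			r.logger.V(1).Info("nsSelector matches ns labels", "selector", nsSelector,
				"ns", ns)
			return true
		}
	} else if pod.Namespace != policyNamespace {
		// Without a namespace selector a pod selector only applies to pods in
		// the policy's own namespace.
		r.logger.V(1).Info("Pod and policy namespace mismatch", "pod", k8s.NamespacedName(pod),
			"policy ns", policyNamespace)
		return false
	}
	// A nil PodSelector here (both selectors nil) converts to a match-nothing
	// selector; an empty selector ({}) converts to a match-everything selector,
	// i.e. all pods in the namespace(s) chosen above.
	podSelector, err := metav1.LabelSelectorAsSelector(peer.PodSelector)
	if err != nil {
		r.logger.Info("Unable to get pod selector", "err", err)
		return false
	}
	return podSelector.Matches(labels.Set(pod.Labels))
}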