in pkg/resolvers/endpoints.go [161:212]
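// resolveNetworkPeers expands the peers of one ingress or egress rule into
// concrete endpoints. An IPBlock peer becomes a single CIDR endpoint carrying
// its Except list and the ports resolved for it; any other peer is expanded to
// the addresses of the pods matching PodSelector in each selected namespace
// (the policy's own namespace when no NamespaceSelector is set).
//
// ctx is passed through to the namespace and pod lookups, policy is the policy
// the rule belongs to, peers and ports are the rule's peers and ports, and
// policyType selects ingress or egress port handling. It returns the resolved
// endpoints, or the error from resolving a NamespaceSelector.
//
// An IPBlock peer whose ports could not be resolved at all is skipped rather
// than emitted without ports, so an unresolvable rule never widens to all ports.
func (r *defaultEndpointsResolver) resolveNetworkPeers(ctx context.Context, policy *networking.NetworkPolicy,
	peers []networking.NetworkPolicyPeer, ports []networking.NetworkPolicyPort, policyType networking.PolicyType) ([]policyinfo.EndpointInfo, error) {
	var networkPeers []policyinfo.EndpointInfo
	for _, peer := range peers {
		if peer.IPBlock != nil {
			if ep, ok := r.resolveIPBlockPeer(ctx, policy, peer, ports, policyType); ok {
				networkPeers = append(networkPeers, ep)
			}
			continue
		}

		var namespaces []string
		if peer.NamespaceSelector != nil {
			var err error
			if namespaces, err = r.resolveNamespaces(ctx, peer.NamespaceSelector); err != nil {
				return nil, err
			}
		} else {
			// No NamespaceSelector: the peer is scoped to the policy's own namespace.
			namespaces = []string{policy.Namespace}
		}
		for _, ns := range namespaces {
			networkPeers = append(networkPeers, r.getMatchingPodAddresses(ctx, peer.PodSelector, ns, policy, ports, policyType)...)
		}
	}
	return networkPeers, nil
}

// resolveIPBlockPeer converts one IPBlock peer into a CIDR endpoint. The caller
// must have checked that peer.IPBlock is non-nil. It reports false when the rule
// specified ports but none could be resolved for a CIDR; the caller then skips
// the peer instead of emitting an endpoint that would allow every port.
func (r *defaultEndpointsResolver) resolveIPBlockPeer(ctx context.Context, policy *networking.NetworkPolicy,
	peer networking.NetworkPolicyPeer, ports []networking.NetworkPolicyPort, policyType networking.PolicyType) (policyinfo.EndpointInfo, bool) {
	var except []policyinfo.NetworkAddress
	for _, ea := range peer.IPBlock.Except {
		except = append(except, policyinfo.NetworkAddress(ea))
	}

	var portList []policyinfo.Port
	for _, port := range ports {
		if portInfo := r.convertToPolicyInfoPortForCIDRs(port); portInfo != nil {
			portList = append(portList, *portInfo)
		} else if policyType == networking.PolicyTypeIngress {
			// A port the CIDR conversion cannot represent is, for ingress, resolved
			// via getIngressRulesPorts against the policy's namespace and pod
			// selector. Egress has no such fallback, so the port is dropped here;
			// the check below skips the peer entirely if nothing resolved.
			// Named `resolved` rather than `ports` so the parameter is not shadowed.
			resolved := r.getIngressRulesPorts(ctx, policy.Namespace, &policy.Spec.PodSelector, []networking.NetworkPolicyPort{port})
			portList = append(portList, resolved...)
		}
	}

	// A non-empty input port list would imply the user wants to allow traffic only on the specified ports.
	// However, in this case we are not able to resolve any of the ports from the CIDR list alone. In this
	// case we do not add the CIDR to the list of resolved peers to prevent allow all ports.
	if len(ports) != 0 && len(portList) == 0 {
		r.logger.Info("Couldn't resolve ports from given CIDR list and will skip this rule", "peer", peer)
		return policyinfo.EndpointInfo{}, false
	}
	return policyinfo.EndpointInfo{
		CIDR:   policyinfo.NetworkAddress(peer.IPBlock.CIDR),
		Except: except,
		Ports:  portList,
	}, true
}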