in pkg/resolvers/policies_for_service.go [18:54]
// getReferredPoliciesForService returns the NetworkPolicies whose egress
// rules refer to svc, or - when svcOld is non-nil - to the service's previous
// state.
//
// The candidate set is narrowed before any API read: only policies the
// tracker reports as carrying egress rules are considered, and of those, the
// ones living in the service's own namespace plus the ones that reference
// other namespaces (the only egress policies that could select a service from
// a different namespace). Each candidate is then fetched and tested with
// isServiceReferredOnEgress against svc and, if supplied, svcOld; consulting
// the old state as well is presumably what lets a caller re-resolve policies
// that stopped matching after the service changed (confirm against callers).
//
// Headless services are ignored and yield (nil, nil). A candidate that no
// longer exists in the API is skipped, since the tracker may lag behind a
// deletion; any other read error aborts the whole resolution with a wrapped
// error so the caller never acts on a partial policy list.
func (r *defaultPolicyReferenceResolver) getReferredPoliciesForService(ctx context.Context, svc, svcOld *corev1.Service) ([]networking.NetworkPolicy, error) {
	if k8s.IsServiceHeadless(svc) {
		r.logger.Info("Ignoring headless service", "svc", k8s.NamespacedName(svc))
		return nil, nil
	}

	egressPolicies := r.policyTracker.GetPoliciesWithEgressRules()

	// Same-namespace candidates.
	candidates := sets.Set[types.NamespacedName]{}
	for ref := range egressPolicies {
		if ref.Namespace != svc.Namespace {
			continue
		}
		candidates.Insert(ref)
	}
	// Cross-namespace candidates: egress policies that reference namespaces.
	crossNamespace := egressPolicies.Intersection(r.policyTracker.GetPoliciesWithNamespaceReferences())
	candidates = candidates.Union(crossNamespace)

	r.logger.V(1).Info("Potential matches", "policies", candidates.UnsortedList(), "svc", k8s.NamespacedName(svc))

	var matched []networking.NetworkPolicy
	for ref := range candidates {
		r.logger.V(1).Info("Checking policy", "reference", ref)
		policy := &networking.NetworkPolicy{}
		err := r.k8sClient.Get(ctx, ref, policy)
		switch {
		case err == nil:
			// fetched; fall through to the reference check
		case client.IgnoreNotFound(err) == nil:
			// Tracker entry is stale; the policy was deleted underneath us.
			r.logger.V(1).Info("Policy not found", "reference", ref)
			continue
		default:
			return nil, errors.Wrap(err, "failed to get policy")
		}

		// The old state is only consulted when the current one does not
		// already match, so the second lookup is skipped whenever possible.
		referred := r.isServiceReferredOnEgress(ctx, svc, policy) ||
			(svcOld != nil && r.isServiceReferredOnEgress(ctx, svcOld, policy))
		if referred {
			matched = append(matched, *policy)
		}
	}
	return matched, nil
}