From 86572e8063ce583d93963d7837e8a5c2b7d92bb4 Mon Sep 17 00:00:00 2001
From: Erik Brakkee
Date: Sat, 18 Jan 2025 11:40:12 +0100
Subject: [PATCH] now checking whether a pod is not part of any application.

---
 cmd/policygen/cluster.go | 12 ++++++++++++
 cmd/policygen/configvalidator.go | 31 +++++++++++++++++++++++++++----
 2 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/cmd/policygen/cluster.go b/cmd/policygen/cluster.go
index fcfd3bb..be2af54 100644
--- a/cmd/policygen/cluster.go
+++ b/cmd/policygen/cluster.go
@@ -95,6 +95,18 @@ func (c *Cluster) IsLinkerdEnabled(application *Application) bool {
 	return ns.Annotations["linkerd.io/inject"] == "enabled"
 }
 
+func (c *Cluster) NamespaceLIst() []v1.Namespace {
+	return MapValues(c.namespaces)
+}
+
+func (c *Cluster) Namespace(name string) v1.Namespace {
+	return c.namespaces[name]
+}
+
+func (c *Cluster) PodList(namespace string) []v1.Pod {
+	return c.pods[namespace]
+}
+
 func (c *Cluster) PortNumbers(application *Application) []Port {
 	if !c.IsLinkerdEnabled(application) {
 		return nil
diff --git a/cmd/policygen/configvalidator.go b/cmd/policygen/configvalidator.go
index c8733a2..369b034 100644
--- a/cmd/policygen/configvalidator.go
+++ b/cmd/policygen/configvalidator.go
@@ -1,11 +1,9 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"iter"
 	"k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"maps"
 	"os"
 	"slices"
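Review bot: `PodList` returns `c.pods[namespace]` itself, so every caller shares the cache's backing array — and the configvalidator hunk in this same commit passes that slice straight to `slices.DeleteFunc`, which rewrites it in place, leaving the cached pod list reordered with a zeroed tail (Go 1.22+) while the map still holds the original length. Either hand out a copy, `return slices.Clone(c.pods[namespace])` (cluster.go's import block is not in view, so check that `slices` is available there), or make the aliasing explicit: `// PodList returns the cached pods of namespace; the slice aliases the cache and must not be modified by the caller.` `Namespace` returns the zero-value `v1.Namespace` for an unknown name, which forces callers to detect absence through `.Name`; a `(v1.Namespace, bool)` result would make that contract visible, and `NamespaceLIst` looks like a typo for `NamespaceList`. None of the three exported methods carries a doc comment, which they should, starting with the method name.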
@@ -65,11 +63,14 @@ func validate(files []string, options *Options) error {
 	applicationPods := make(map[string][]v1.Pod)
 	for _, ns := range config.Namespaces {
 		namespace := ns.Name
-		_, err = clientset.CoreV1().Namespaces().Get(context.Background(), namespace, metav1.GetOptions{})
-		if err != nil {
+
+		if cluster.Namespace(namespace).Name != namespace {
 			LogValidationMsg(Error, "ERROR: namespace not found: %s", namespace)
 			continue
 		}
+		if !ns.Open {
+			podsNotPartOfAnyApplication(cluster, namespace, ns)
+		}
 
 		// checking for service accounts shared by applications
 		// map of namespace/sa -> []applicationname
@@ -199,6 +200,28 @@ func validate(files []string, options *Options) error {
 	return nil
 }
 
+func podsNotPartOfAnyApplication(cluster *Cluster, namespace string, ns *Namespace) {
+	// Pods in the nemsapce that are not covered by any application
+
+	namespacePods := cluster.PodList(namespace)
+	namespacePods = slices.DeleteFunc(namespacePods, func(pod v1.Pod) bool {
+		return pod.Spec.HostNetwork == true
+	})
+	podNames := make(map[string]bool)
+	for _, pod := range namespacePods {
+		podNames[pod.Name] = true
+	}
+	for _, application := range ns.Applications {
+		for _, pod := range cluster.Pods(application) {
+			delete(podNames, pod.Name)
+		}
+	}
+	for podName, _ := range podNames {
+		LogValidationMsg(Error, "ERROR: pod %s/%s not part of any applications",
+			namespace, podName)
+	}
+}
+
 func HasPort(pod v1.Pod, port Port) bool {
 	if port.Protocol == "" {
 		port.Protocol = "TCP"
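Review bot: The new `if !ns.Open` guard silently skips the pod-coverage check for open namespaces; that is presumably the intended policy for open namespaces, but nothing in the hunk says so, and a reader auditing why a stray pod was not reported will want it stated: `// open namespaces may hold pods that belong to no application, so coverage is only enforced for closed ones`. The replacement existence check `if cluster.Namespace(namespace).Name != namespace` now consults the cluster's cached snapshot instead of a live API call and detects absence through the zero-value `v1.Namespace`; it works, but a `found` boolean from `Namespace` (or a comment, `// zero-value Namespace means the name is not in the snapshot`) would make the intent obvious. validate's body starts before and continues after this hunk.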
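Review bot: `namespacePods = slices.DeleteFunc(namespacePods, ...)` mutates the slice that `cluster.PodList(namespace)` returned, and from the cluster.go hunk in this commit that slice is `c.pods[namespace]` itself — DeleteFunc shifts the surviving elements down and (Go 1.22+) zeroes the tail, so the cluster's cached pod list for the namespace is corrupted for every later reader, including `cluster.Pods(application)` if it is backed by the same map, which for a policy generator means policies may be computed against a pod set that no longer matches reality. Build the candidate set by ranging over the list and skipping host-network pods instead of deleting in place; this also removes the `== true` comparison and the `for podName, _ := range` form, and fixes the `nemsapce` typo in the comment. The reason host-network pods are excluded is not visible here and should be stated in a comment rather than left implicit. Since the file already imports `maps` and `slices`, sorting the names before logging makes the validation output deterministic instead of following map iteration order.
```go
func podsNotPartOfAnyApplication(cluster *Cluster, namespace string, ns *Namespace) {
	// Report pods in the namespace that no application in ns claims.
	// Do not run slices.DeleteFunc on PodList's result: it rewrites the
	// backing array that the cluster cache still references.
	podNames := make(map[string]bool)
	for _, pod := range cluster.PodList(namespace) {
		// Host-network pods are exempt from the check; presumably because they
		// are outside the generated policies — confirm and document.
		if pod.Spec.HostNetwork {
			continue
		}
		podNames[pod.Name] = true
	}
	// … unchanged: delete the pods that belong to an application …
	for _, podName := range slices.Sorted(maps.Keys(podNames)) {
		LogValidationMsg(Error, "ERROR: pod %s/%s not part of any applications",
			namespace, podName)
	}
}
```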