From b67cc4f8ada9ed47102f96e77b6de396e4957ae8 Mon Sep 17 00:00:00 2001
From: shireenf-ibm
Date: Mon, 4 Nov 2024 11:35:52 +0200
Subject: [PATCH] collect from banp
---
 .../eval/internal/k8s/policy_connections.go | 24 ++++++-------------
 1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go
index dcdda707..ca7b74b3 100644
--- a/pkg/netpol/eval/internal/k8s/policy_connections.go
+++ b/pkg/netpol/eval/internal/k8s/policy_connections.go
@@ -116,25 +116,15 @@ func (pc *PolicyConnections) CollectAllowedConnsFromNetpols(npConns *PolicyConne
 // is allowed by default
 func (pc *PolicyConnections) CollectConnsFromBANP(banpConns *PolicyConnections) {
 	// allowed and denied conns of current pc are non-overridden
-	banpConns.AllowedConns.Subtract(pc.DeniedConns)
 	banpConns.DeniedConns.Subtract(pc.AllowedConns)
-	// currently, banpConns.AllowedConns contains:
-	// 1. traffic that was passed by ANPs (if there are such conns)
-	// 2. or traffic that had no match in ANPs
-	// so we can update current allowed conns with them
-	pc.AllowedConns.Union(banpConns.AllowedConns)
-	// also, banpConns.DeniedConns currently contains:
-	// 1. traffic that was passed by ANPs (if there are such conns)
-	// 2. or traffic that had no match in ANPs
-	// so we can update current denied conns with banpConns.DeniedConns
 	pc.DeniedConns.Union(banpConns.DeniedConns)
-	// now Pass conns were handled automatically; pc.PassConns is not relevant anymore.
-	// Pass Conns which are not captured by BANP, will be handled now with all other conns
-	// all conns that are not determined by the ANP and BANP are allowed by default
-	nonCapturedConns := common.MakeConnectionSet(true)
-	nonCapturedConns.Subtract(pc.DeniedConns)
-	// add the allowed by default connections to the pc.Allowed :
-	pc.AllowedConns.Union(nonCapturedConns)
+	// now Pass conns which are denied by BANP were handled automatically;
+	// Pass Conns which are allowed or not captured by BANP, will be handled now with all other conns.
+	// pc.PassConns is not relevant anymore.
+	// the allowed conns are "all conns - the denied conns"
+	// since all conns that are not determined by the ANP and BANP are allowed by default
+	pc.AllowedConns = common.MakeConnectionSet(true)
+	pc.AllowedConns.Subtract(pc.DeniedConns)
 }
 
 // IsEmpty : returns true iff all connection sets in current policy-connections are empty
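Review bot: After this change banpConns.AllowedConns is never read — the only remaining use of the argument is `banpConns.DeniedConns.Subtract(pc.AllowedConns)`, which also mutates the caller's object in place — yet the function doc (its opening lines are above the hunk) still describes BANP allow rules as an input, so it should say explicitly that only BANP deny rules matter, e.g. `// banpConns.AllowedConns is intentionally not consulted: any conn BANP does not deny is allowed by default; banpConns.DeniedConns is modified in place.` The rewritten tail also changes how an overlap between pc.AllowedConns and pc.DeniedConns on entry is resolved: the removed Union-based code would have kept such conns in both sets, while `pc.AllowedConns = common.MakeConnectionSet(true)` followed by `Subtract(pc.DeniedConns)` now resolves it toward deny. That fail-closed outcome seems the right one for a policy evaluator, but since the first context line only asserts the disjointness invariant in a comment, a one-line note that deny wins if the invariant is ever violated would keep the next reader from treating the rebuild of AllowedConns as a pure refactor. Whether banpConns can be nil at the call sites is not visible here; if it can, the first statement panics before anything is computed.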