Merge pull request #2190 from duanjiong/networkpolicy-fix

only accept validated CIDR in namespace networkpolicy
2020-06-15 11:37:40 +08:00
parent 61d827db54 825e026930
commit 0ff0ab3f10
3 changed files with 7 additions and 766 deletions
--- a/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
+++ b/pkg/controller/network/nsnetworkpolicy/nsnetworkpolicy_controller.go
@@ -428,19 +428,21 @@ func (c *NSNetworkPolicyController) syncNs(key string) error {

 	matchWorkspace := false
 	delete := false
-	nsnpList, _ := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
+	nsnpList, err := c.informer.Lister().NamespaceNetworkPolicies(ns.Name).List(labels.Everything())
 	if isNetworkIsolateEnabled(ns) {
 		matchWorkspace = false
 	} else if wksp.Spec.NetworkIsolation {
 		matchWorkspace = true
+	} else {
+		delete = true
+	}
+	if delete || matchWorkspace {
 		//delete all namespace np when networkisolate not active
-		if err != nil && len(nsnpList) > 0 {
+		if err == nil && len(nsnpList) > 0 {
 			if c.ksclient.NamespaceNetworkPolicies(ns.Name).DeleteCollection(nil, typev1.ListOptions{}) != nil {
 				klog.Errorf("Error when delete all nsnps in namespace %s", ns.Name)
 			}
 		}
-	} else {
-		delete = true
 	}

 	policy := generateNSNP(workspaceName, ns.Name, matchWorkspace)