-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
handling selectors with matchexpressions (fixed) #377
base: new_exposure_analysis_first_branch
Are you sure you want to change the base?
handling selectors with matchexpressions (fixed) #377
Conversation
…esentative peers + first examples
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
few initial comments
general comment: the expression selectors could be represented as |
I thought about this either but found that it will cost multiple changes and will not differ that much for the "special" cases |
some comments regarding the last commit:
a suggestion: (not implemented here)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you also duplicate these tests for scenarios with actual pods also matched by these selectors?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
…ard/netpol-analyzer into new_handling_selectors_with_matchexpressions
if isRepresentativePod(peer) { | ||
// representative peer's namespace labels may be inferred from a rule with special matchExpression requirements | ||
// and also contains the representative ns name label which is not relevant for comparison | ||
peerMatchesNamespaceSelector, err = SelectorMatchesRepresentativePeerLabels(selector, peerNamespace.Labels, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can't we just keep a reference to the selector(s) from which this representative peer was created, and consider a match only if this is the relevant selecotr, instead of implementing containment of selectors comparison?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we still need this containment, some selectors may intersect / be equivalent on one way to other selectors
i.e. a representative peer (built from one selector) may match two or more selectors actually and then the connection contains the ports of all the selectors.
an example : test_exposure_with_different_rules_6
(there are more examples like this too)
#236
task: