Fix action field in NetworkPolicyEvaluation for KNP

When processing Kubernetes NetworkPolicy, a default action Allow is assigned in Antrea controller. This was not handled corretly in NetworkPolicyEvaluation action field, for default isolation model. As it will undeterminately display action. This PR fixes the issue, by indicating the rule as default isolation with nil action field, and then assigning Isolate to the response in NetworkPolicyEvaluation. Signed-off-by: Qiyue Yao <[email protected]>
antrea-io · Apr 13, 2024 · de26136 · de26136
1 parent 90b3710
commit de26136
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/pkg/antctl/transform/networkpolicy/response.go b/pkg/antctl/transform/networkpolicy/response.go
@@ -190,7 +190,7 @@ func (r EvaluationResponse) GetTableRow(_ int) []string {
 		// Handle K8s NPs empty action field. "Allow" corresponds to a K8s NP
 		// allow action, and "Isolate" corresponds to a drop action because of the
 		// default isolation model. Otherwise, display the action field content.
-		action := "Allow"
+		action := ""
 		if r.Response.Rule.Action != nil {
 			action = string(*r.Response.Rule.Action)
 		} else if r.Response.RuleIndex == math.MaxInt32 {

diff --git a/pkg/antctl/transform/networkpolicy/response_test.go b/pkg/antctl/transform/networkpolicy/response_test.go
@@ -182,7 +182,7 @@ func TestEvaluationResponseTransform(t *testing.T) {
 	assert.Equal(t, []string{"NAME", "NAMESPACE", "POLICY-TYPE", "RULE-INDEX", "DIRECTION", "ACTION"}, test.GetTableHeader())
 	assert.False(t, test.SortRows())
 	assert.Equal(t, []string{"", "", "", "", "", ""}, test.GetTableRow(32))
-	testDropAction := crdv1beta1.RuleActionDrop
+	testDropAction, testDefaultAction := crdv1beta1.RuleActionDrop, crdv1beta1.RuleActionAllow
 
 	tests := []struct {
 		name           string
@@ -198,7 +198,7 @@ func TestEvaluationResponseTransform(t *testing.T) {
 					Name:      "testK8s",
 				},
 				RuleIndex: 10,
-				Rule:      cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn},
+				Rule:      cpv1beta.RuleRef{Direction: cpv1beta.DirectionIn, Action: &testDefaultAction},
 			},
 			expectedOutput: []string{"testK8s", "ns", "K8sNetworkPolicy", "10", "In", "Allow"},
 		},

diff --git a/pkg/controller/networkpolicy/endpoint_querier.go b/pkg/controller/networkpolicy/endpoint_querier.go
@@ -192,10 +192,10 @@ func processEndpointAppliedRules(appliedPolicies []*antreatypes.NetworkPolicy, i
 			for _, rule := range internalPolicy.Rules {
 				if rule.Direction == controlplane.DirectionIn && !isSourceEndpoint {
 					isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
-						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name}})
 				} else if rule.Direction == controlplane.DirectionOut && isSourceEndpoint {
 					isolationRules = append(isolationRules, &antreatypes.RuleInfo{Policy: internalPolicy, Index: math.MaxInt32,
-						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name, Action: rule.Action}})
+						Rule: &controlplane.NetworkPolicyRule{Direction: rule.Direction, Name: rule.Name}})
 				}
 			}
 		}