Create warning event if client has internet intent without egress policy

If the egress policy is not enabled, we can't really handle any internet intent, since all internet intents are egress. Add a warning to notify about this configuration invalid status.
otterize · Feb 13, 2025 · 611cd07 · 611cd07
1 parent a0b45e2
commit 611cd07
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 2 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -59,7 +59,7 @@ jobs:
           working-directory: src
 
           # Optional: golangci-lint command line arguments.
-          args: --timeout 5m --out-format github-actions
+          args: --timeout 5m --out-format colored-line-number
 
           # Optional: show only new issues if it's a pull request. The default value is `false`.
           # only-new-issues: true

diff --git a/src/operator/controllers/intents_reconcilers/consts/consts.go b/src/operator/controllers/intents_reconcilers/consts/consts.go
@@ -29,4 +29,5 @@ const (
 	ReasonCreatedInternetEgressNetworkPolicies                    = "CreatedInternetEgressNetworkPolicies"
 	ReasonIntentToUnresolvedDns                                   = "IntentToUnresolvedDns"
 	ReasonInternetEgressNetworkPolicyCreationWaitingUnresolvedDNS = "InternetEgressNetworkPolicyCreationWaitingUnresolvedDNS"
+	ReasonInternetEgressNetworkPolicyWithEgressPolicyDisabled     = "ReasonInternetEgressNetworkPolicyWithEgressPolicyDisabled"
 )
diff --git a/src/operator/controllers/intents_reconcilers/networkpolicy/reconciler.go b/src/operator/controllers/intents_reconcilers/networkpolicy/reconciler.go
@@ -217,9 +217,21 @@ func (r *Reconciler) recordCreateFailedError(ep effectivepolicy.ServiceEffective
 
 func (r *Reconciler) buildEgressRules(ctx context.Context, ep effectivepolicy.ServiceEffectivePolicy) ([]v1.NetworkPolicyEgressRule, bool, error) {
 	rules := make([]v1.NetworkPolicyEgressRule, 0)
-	if len(ep.Calls) == 0 || len(r.egressRuleBuilders) == 0 {
+
+	if len(ep.Calls) == 0 {
 		return rules, false, nil
 	}
+
+	if len(r.egressRuleBuilders) == 0 {
+		hasInternetIntents := lo.SomeBy(ep.Calls, func(intent effectivepolicy.Call) bool { return intent.Internet != nil })
+		if hasInternetIntents {
+			logrus.Debugf("Client has interner intents but egress network policy is not enabled")
+			ep.ClientIntentsEventRecorder.RecordWarningEvent(consts.ReasonInternetEgressNetworkPolicyWithEgressPolicyDisabled, "ClientIntents refer to the Internet but egress network policy is disabled")
+		}
+
+		return rules, false, nil
+	}
+
 	if !r.EnforcementDefaultState {
 		logrus.Debugf("Enforcement is disabled globally skipping egress network policy creation for service %s in namespace %s", ep.Service.Name, ep.Service.Namespace)
 		ep.ClientIntentsEventRecorder.RecordNormalEventf(consts.ReasonEnforcementDefaultOff, "Enforcement is disabled globally, network policy creation skipped")

diff --git a/src/operator/controllers/intents_reconcilers/networkpolicy/reconciler_test.go b/src/operator/controllers/intents_reconcilers/networkpolicy/reconciler_test.go
@@ -0,0 +1,86 @@
+package networkpolicy
+
+import (
+	"context"
+	"github.com/otterize/intents-operator/src/operator/api/v2alpha1"
+	otterizev2alpha1 "github.com/otterize/intents-operator/src/operator/api/v2alpha1"
+	"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/consts"
+	"github.com/otterize/intents-operator/src/operator/effectivepolicy"
+	"github.com/otterize/intents-operator/src/shared/injectablerecorder"
+	"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
+	"github.com/otterize/intents-operator/src/shared/testbase"
+	"github.com/stretchr/testify/suite"
+	"go.uber.org/mock/gomock"
+	v1 "k8s.io/api/networking/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"testing"
+)
+
+type NetworkPolicyReconcilerTestSuite struct {
+	testbase.MocksSuiteBase
+}
+
+func (s *NetworkPolicyReconcilerTestSuite) SetupTest() {
+	s.MocksSuiteBase.SetupTest()
+}
+
+func (s *NetworkPolicyReconcilerTestSuite) TearDownTest() {
+	s.MocksSuiteBase.TearDownTest()
+}
+
+func (s *NetworkPolicyReconcilerTestSuite) TestAddingWarningForInternetIntentWhenEgressPolicyIsDisabled() {
+	networkPolicyReconciler := NewReconciler(
+		s.Client,
+		scheme.Scheme,
+		nil,
+		nil,
+		nil,
+		true,
+		true,
+		true,
+		nil,
+		nil, // This means that the egress policy is disabled
+	)
+
+	calls := []effectivepolicy.Call{{
+		Target: otterizev2alpha1.Target{
+			Internet: &otterizev2alpha1.Internet{
+				Domains: []string{"example.com"},
+			},
+		},
+		ReferencingKubernetesServices: nil,
+		EventRecorder:                 nil,
+	}}
+
+	effectivePolicies := []effectivepolicy.ServiceEffectivePolicy{{
+		Service: serviceidentity.ServiceIdentity{
+			Name:        "test-service",
+			Namespace:   "test-namespace",
+			Kind:        "Service",
+			OwnerObject: nil,
+		},
+		CalledBy:            nil,
+		Calls:               calls,
+		ClientIntentsStatus: v2alpha1.IntentsStatus{},
+		ClientIntentsEventRecorder: injectablerecorder.NewObjectEventRecorder(
+			&injectablerecorder.InjectableRecorder{Recorder: s.Recorder},
+			nil),
+	}}
+
+	s.Client.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
+		func(ctx context.Context, list *v1.NetworkPolicyList, opts ...client.ListOption) error {
+			return nil
+		}).AnyTimes()
+
+	_, errs := networkPolicyReconciler.ReconcileEffectivePolicies(context.Background(), effectivePolicies)
+	for _, err := range errs {
+		s.NoError(err)
+	}
+	s.ExpectEventsForRecorder(s.Recorder, consts.ReasonInternetEgressNetworkPolicyWithEgressPolicyDisabled)
+
+}
+
+func TestNetworkPolicyReconcilerTestSuite(t *testing.T) {
+	suite.Run(t, new(NetworkPolicyReconcilerTestSuite))
+}