From 8adde6bf873b46f365146bc14fc4c8f46d82f8dc Mon Sep 17 00:00:00 2001
From: Patrick Pichler
Date: Tue, 25 Apr 2023 12:59:24 +0200
Subject: [PATCH] fix: report failure if network policy doesn't match any pods
Before, there was no failure reported by the netpol analyzer, if the matcher on the policy doesn't match any pods.
Signed-off-by: Patrick Pichler
---
 pkg/analyzer/netpol.go | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/pkg/analyzer/netpol.go b/pkg/analyzer/netpol.go
index c7d97d1c9a..a604c17547 100644
--- a/pkg/analyzer/netpol.go
+++ b/pkg/analyzer/netpol.go
@@ -54,23 +54,23 @@ func (NetworkPolicyAnalyzer) Analyze(a common.Analyzer) ([]common.Result, error)
 },
 },
 })
- continue
- }
- // Check if policy is not applied to any pods
- podList, err := util.GetPodListByLabels(a.Client.GetClient(), a.Namespace, policy.Spec.PodSelector.MatchLabels)
- if err != nil {
- return nil, err
- }
- if len(podList.Items) == 0 {
- failures = append(failures, common.Failure{
- Text: fmt.Sprintf("Network policy is not applied to any pods: %s", policy.Name),
- Sensitive: []common.Sensitive{
- {
- Unmasked: policy.Name,
- Masked: util.MaskString(policy.Name),
+ } else {
+ // Check if policy is not applied to any pods
+ podList, err := util.GetPodListByLabels(a.Client.GetClient(), a.Namespace, policy.Spec.PodSelector.MatchLabels)
+ if err != nil {
+ return nil, err
+ }
+ if len(podList.Items) == 0 {
+ failures = append(failures, common.Failure{
+ Text: fmt.Sprintf("Network policy is not applied to any pods: %s", policy.Name),
+ Sensitive: []common.Sensitive{
+ {
+ Unmasked: policy.Name,
+ Masked: util.MaskString(policy.Name),
+ },
 },
- },
- })
+ })
+ }
 }
 if len(failures) > 0 {
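Review bot: The pod lookup in the new `else` branch passes only `policy.Spec.PodSelector.MatchLabels`, so any `matchExpressions` on the selector are ignored when deciding whether the policy applies to pods. A policy that combines labels with expressions can then match pods here that the real selector excludes, and the "not applied to any pods" finding is missed for a policy that in fact protects nothing. Consider building the selector from the whole `PodSelector`, e.g. `sel, err := metav1.LabelSelectorAsSelector(&policy.Spec.PodSelector)`, and listing pods with `sel.String()` as the label selector; whether `util.GetPodListByLabels` can take that is not visible from this hunk. The `return nil, err` on a failed list would also be easier to triage if wrapped with the policy name, e.g. `return nil, fmt.Errorf("listing pods for network policy %q: %w", policy.Name, err)`. The enclosing loop in `Analyze` starts and ends outside the hunk.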