metal-stack · mwindower · Dec 2, 2020 · Nov 30, 2020 · Nov 30, 2020
@@ -125,11 +125,6 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	}
 
 	var errors *multierror.Error
-	log.Info("migrating old global network policies to kind ClusterwideNetworkPolicy")
-	if err = r.migrateToClusterwideNetworkPolicy(ctx, f, log); err != nil {
-		errors = multierror.Append(errors, err)
-	}
-
 	log.Info("reconciling nftables rules")
 	if err = r.reconcileRules(ctx, f, log); err != nil {
 		errors = multierror.Append(errors, err)
@@ -184,69 +179,6 @@ func (r *FirewallReconciler) validateFirewall(ctx context.Context, f firewallv1.
 	return nil
 }
 
-// migrateToClusterwideNetworkPolicy migrates old network policy objects to the new kind ClusterwideNetworkPolicy
-func (r *FirewallReconciler) migrateToClusterwideNetworkPolicy(ctx context.Context, f firewallv1.Firewall, log logr.Logger) error {
-	npsToIgnore := []string{"egress-allow-http", "egress-allow-https", "egress-allow-any", "egress-allow-dns", "egress-allow-ntp"}
-
-	var nps networking.NetworkPolicyList
-	if err := r.Client.List(ctx, &nps); err != nil {
-		return err
-	}
-
-	n := 0
-	for _, np := range nps.Items {
-		s := np.Spec
-		if len(s.PodSelector.MatchExpressions) != 0 || len(s.PodSelector.MatchLabels) != 0 {
-			continue
-		}
-
-		// is one of the old network policy objects like egress-allow-http that are replaced by cluster wide ones installed by gepm
-		if contains(npsToIgnore, np.Name) {
-			continue
-		}
-
-		cwnp, err := convert(np)
-		if err != nil {
-			return fmt.Errorf("could not migrate network policy to a cluster-wide np: %w", err)
-		}
-
-		if cwnp == nil {
-			// nothing to do here because network policy translates to an empty cwnp
-			continue
-		}
-
-		var current firewallv1.ClusterwideNetworkPolicy
-		err = r.Get(ctx, types.NamespacedName{Name: cwnp.Name, Namespace: firewallNamespace}, &current)
-
-		// cwnp already exists: don't try to merge or update - just ignore
-		if err == nil {
-			continue
-		}
-
-		if errors.IsNotFound(err) {
-			err = r.Client.Create(ctx, cwnp)
-		}
-
-		if err != nil {
-			return fmt.Errorf("could not migrate to cluster-wide network policy: %w", err)
-		}
-		n++
-	}
-
-	log.Info("migrated network policies to cluster-wide network policies", "n", n)
-
-	return nil
-}
-
-func contains(l []string, e string) bool {
-	for _, elem := range l {
-		if elem == e {
-			return true
-		}
-	}
-	return false
-}
-
 // converts a network-policy object that was used before in a cluster-wide manner to the new CRD
 func convert(np networking.NetworkPolicy) (*firewallv1.ClusterwideNetworkPolicy, error) {
 	cwnp := firewallv1.ClusterwideNetworkPolicy{
@@ -510,7 +442,6 @@ func (r *FirewallReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		// don't trigger a reconcilation for status updates
 		WithEventFilter(predicate.GenerationChangedPredicate{}).
 		Watches(&source.Kind{Type: &firewallv1.ClusterwideNetworkPolicy{}}, triggerFirewallReconcilation).
-		Watches(&source.Kind{Type: &networking.NetworkPolicy{}}, triggerFirewallReconcilation).
 		Watches(&source.Kind{Type: &corev1.Service{}}, triggerFirewallReconcilation).
 		Complete(r)
 }