Don't bypass selector provisioning when not default deny

If we have namespaces Source and Destination, and Destination contains a NetworkPolicy allowing access from Source, we need to provision the ipsets for Source and add them to relevant selectors, even though Source is DefaultAllow. Fixes #3059
weaveworks · Jul 12, 2017 · 46288b0 · 46288b0
1 parent b73b43f
commit 46288b0
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/npc/namespace.go b/npc/namespace.go
@@ -264,7 +264,9 @@ func (ns *ns) addNamespace(obj *coreapi.Namespace) error {
 
 	// Insert a rule to bypass policies if namespace is DefaultAllow
 	if !isDefaultDeny(obj) {
-		return ns.ensureBypassRule(ns.allPods.ipsetName)
+		if err := ns.ensureBypassRule(ns.allPods.ipsetName); err != nil {
+			return err
+		}
 	}
 
 	// Add namespace ipset to matching namespace selectors
@@ -281,10 +283,14 @@ func (ns *ns) updateNamespace(oldObj, newObj *coreapi.Namespace) error {
 	if oldDefaultDeny != newDefaultDeny {
 		common.Log.Infof("namespace DefaultDeny changed from %t to %t", oldDefaultDeny, newDefaultDeny)
 		if oldDefaultDeny {
-			return ns.ensureBypassRule(ns.allPods.ipsetName)
+			if err := ns.ensureBypassRule(ns.allPods.ipsetName); err != nil {
+				return err
+			}
 		}
 		if newDefaultDeny {
-			return ns.deleteBypassRule(ns.allPods.ipsetName)
+			if err := ns.deleteBypassRule(ns.allPods.ipsetName); err != nil {
+				return err
+			}
 		}
 	}
 
@@ -317,7 +323,9 @@ func (ns *ns) deleteNamespace(obj *coreapi.Namespace) error {
 
 	// Remove bypass rule
 	if !isDefaultDeny(obj) {
-		return ns.deleteBypassRule(ns.allPods.ipsetName)
+		if err := ns.deleteBypassRule(ns.allPods.ipsetName); err != nil {
+			return err
+		}
 	}
 
 	// Remove namespace ipset from any matching namespace selectors