From 17f21a8b412b0a4c274b26edcca5c2956f442842 Mon Sep 17 00:00:00 2001 From: Deng Yun Date: Wed, 26 Jun 2024 13:46:49 +0000 Subject: [PATCH] Change_project_group_membertype --- pkg/nsx/services/securitypolicy/builder.go | 56 +++++++++++++++------- 1 file changed, 40 insertions(+), 16 deletions(-) diff --git a/pkg/nsx/services/securitypolicy/builder.go b/pkg/nsx/services/securitypolicy/builder.go index df5b9a5be..7a782433d 100644 --- a/pkg/nsx/services/securitypolicy/builder.go +++ b/pkg/nsx/services/securitypolicy/builder.go @@ -1301,7 +1301,7 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa var err error opInIdx := 0 var opInMatchExpressions []v1.LabelSelectorRequirement - memberType := "" + isVpcEnable := isVpcEnabled(service) nsFound, opInIdx1 := service.matchExpressionOpInExist(nsMatchExpressions) portFound, opInIdx2 := service.matchExpressionOpInExist(matchExpressions) @@ -1312,22 +1312,30 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa return err } + nsMemberType := "Segment" + if isVpcEnable { + nsMemberType = "VPCSubnet" + } + portMemberType, memberType := "SegmentPort", "SegmentPort" + if isVpcEnable { + portMemberType, memberType = "VPCSubnetPort", "VPCSubnetPort" + } + if nsFound { opInIdx = opInIdx1 - memberType = "Segment" + memberType = nsMemberType opInMatchExpressions = nsMatchExpressions } else if portFound { opInIdx = opInIdx2 - memberType = "SegmentPort" opInMatchExpressions = matchExpressions } if !nsFound && !portFound { - err = service.buildExpressionsMatchExpression(matchExpressions, "SegmentPort", expressions) + err = service.buildExpressionsMatchExpression(matchExpressions, portMemberType, expressions) if err == nil { err = service.buildExpressionsMatchExpression( nsMatchExpressions, - "Segment", + nsMemberType, expressions, ) } @@ -1348,14 +1356,14 @@ func (service *SecurityPolicyService) updateMixedExpressionsMatchExpression(nsMa expressions.Add(tagValueExpression) } - service.updateExpressionsMatchLabels(matchLabels, "SegmentPort", expressions) - service.updateExpressionsMatchLabels(nsMatchLabels, "Segment", expressions) + service.updateExpressionsMatchLabels(matchLabels, portMemberType, expressions) + service.updateExpressionsMatchLabels(nsMatchLabels, nsMemberType, expressions) } if nsFound { - err = service.buildExpressionsMatchExpression(matchExpressions, "SegmentPort", expressions) + err = service.buildExpressionsMatchExpression(matchExpressions, portMemberType, expressions) } else { - err = service.buildExpressionsMatchExpression(nsMatchExpressions, "Segment", expressions) + err = service.buildExpressionsMatchExpression(nsMatchExpressions, nsMemberType, expressions) } if err != nil { break @@ -1441,9 +1449,16 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi // If NamespaceSelector is specified, peer group must be put under project level for sharing with VPC. // VpcSubnet and VpcSubnetPort types are not supported in project level group. // Project level group can support SegmentPort and Segment type. - // If groupShared is True, it means there are NamespaceSelectors in the rule groups, so we can use mixed criteria. - if isVpcEnable && !groupShared { - clusterMemberType = "VpcSubnetPort" + if isVpcEnable { + if !groupShared { + clusterMemberType = "VpcSubnetPort" + } + // If groupShared is True, it means there are NamespaceSelectors in the rule groups, so we can use mixed criteria. + if clusterMemberType == "Segment" { + clusterMemberType = "VpcSubnet" + } else { + clusterMemberType = "VpcSubnetPort" + } memberType = "VpcSubnetPort" } @@ -1519,10 +1534,10 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi // 1. A non-empty expression list, must be of odd size // 2. An expression list size is equal to or greater than 3 // 3. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices - // Hence, add one more SegmentPort member condition to meet the criteria aforementioned + // Hence, add one more SegmentPort/VpcSubnetPort member condition to meet the criteria aforementioned service.addOperatorIfNeeded(expressions, "AND") clusterSegPortExpression := service.buildExpression( - "Condition", "SegmentPort", + "Condition", memberType, fmt.Sprintf("%s|%s", getScopeCluserTag(service), getCluster(service)), "Tag", "EQUALS", "EQUALS", ) @@ -1532,6 +1547,9 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi } else { tagValueExpression = nil memberType = "Segment" + if isVpcEnable { + memberType = "VpcSubnet" + } matchLabels = peer.NamespaceSelector.MatchLabels matchExpressions = &peer.NamespaceSelector.MatchExpressions // NamespaceSelector has one more built-in labels @@ -1539,6 +1557,11 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi } } else { // Handle PodSelector or VMSelector mixed with NamespaceSelector memberType = "Segment" + portMemberType := "SegmentPort" + if isVpcEnable { + memberType = "VpcSubnet" + portMemberType = "VpcSubnetPort" + } nsMatchLabels := peer.NamespaceSelector.MatchLabels nsMatchExpressions := &peer.NamespaceSelector.MatchExpressions @@ -1568,7 +1591,7 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi matchExpressionsCount = len(*mergedMatchExpressions) + len(*nsMergedMatchExpressions) opInValueCount += nsOpInValCount - service.updateExpressionsMatchLabels(matchLabels, "SegmentPort", expressions) + service.updateExpressionsMatchLabels(matchLabels, portMemberType, expressions) service.updateExpressionsMatchLabels(nsMatchLabels, memberType, expressions) // NamespaceSelector AND with PodSelector or VMSelector expressions to produce final expressions @@ -1626,7 +1649,8 @@ func (service *SecurityPolicyService) updatePeerExpressions(obj *v1alpha1.Securi false, ) } else { - // Since cluster memberType is set as "Segment" or "SegmentPort", So the final produced group criteria is always treated as a mixed criteria + // Since cluster memberType is set as "Segment" or "SegmentPort", + // or "VpcSubnet" or "VpcSubnetPort", So the final produced group criteria is always treated as a mixed criteria totalCriteriaCount, totalExprCount, err = service.validateSelectorExpressions( matchLabelsCount, matchExpressionsCount,