From dadcb74dabf1c245fde7bf8f82e20526488a5e8e Mon Sep 17 00:00:00 2001
From: Dyanngg <dingyang@vmware.com>
Date: Thu, 26 Jan 2023 21:34:06 -0800
Subject: [PATCH] Improve namespace label filtering

Signed-off-by: Dyanngg <dingyang@vmware.com>
---
 .../networkpolicy/clusternetworkpolicy.go     | 42 ++++++++++++-------
 .../networkpolicy/networkpolicy_controller.go |  7 +---
 2 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
index d1cd79b2cb5..a62b892f1ee 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -155,15 +155,17 @@ func (n *NetworkPolicyController) filterPerNamespaceRuleACNPsByNSLabels(nsLabels
 	return affectedPolicies
 }
 
-// getNSLabelRuleACNPs gets all ACNPs that have rules based on Namespace label values.
-func (n *NetworkPolicyController) getNSLabelRuleACNPs() sets.String {
-	nsLabelRulePolicy := sets.NewString()
-	objs, _ := n.cnpInformer.Informer().GetIndexer().ByIndex(namespaceLabelRuleIndex, hasSuchRule)
-	for _, obj := range objs {
-		cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy)
-		nsLabelRulePolicy.Insert(cnp.Name)
+// getNSLabelRuleACNPs gets all ACNPs that have relevant rules based on Namespace label keys.
+func (n *NetworkPolicyController) getNSLabelRuleACNPs(nsLabels labels.Set) sets.String {
+	matchedNSLabelRulePolicy := sets.NewString()
+	for k := range nsLabels {
+		objs, _ := n.cnpInformer.Informer().GetIndexer().ByIndex(namespaceLabelRuleIndex, k)
+		for _, obj := range objs {
+			cnp := obj.(*crdv1alpha1.ClusterNetworkPolicy)
+			matchedNSLabelRulePolicy.Insert(cnp.Name)
+		}
 	}
-	return nsLabelRulePolicy
+	return matchedNSLabelRulePolicy
 }
 
 // addNamespace receives Namespace ADD events and triggers all ClusterNetworkPolicies that have a
@@ -173,6 +175,9 @@ func (n *NetworkPolicyController) addNamespace(obj interface{}) {
 	namespace := obj.(*v1.Namespace)
 	klog.V(2).Infof("Processing Namespace %s ADD event, labels: %v", namespace.Name, namespace.Labels)
 	affectedACNPs := n.filterPerNamespaceRuleACNPsByNSLabels(namespace.Labels)
+	// Any ACNPs that has Namespace label rules that refers to the Namespace's label
+	// key set need to be re-processed.
+	affectedACNPs = affectedACNPs.Union(n.getNSLabelRuleACNPs(namespace.Labels))
 	for cnpName := range affectedACNPs {
 		// Ignore the ClusterNetworkPolicy if it has been removed during the process.
 		if cnp, err := n.cnpLister.Get(cnpName); err == nil {
@@ -194,9 +199,10 @@ func (n *NetworkPolicyController) updateNamespace(oldObj, curObj interface{}) {
 		affectedACNPsByOldLabels := n.filterPerNamespaceRuleACNPsByNSLabels(oldNamespace.Labels)
 		affectedACNPsByCurLabels := n.filterPerNamespaceRuleACNPsByNSLabels(curNamespace.Labels)
 		affectedACNPs := utilsets.SymmetricDifferenceString(affectedACNPsByOldLabels, affectedACNPsByCurLabels)
-		// ACNPs that have rules created based on Namespace label values need to be reprocessed
-		// regardless of Namespace label before and after the update.
-		affectedACNPs = affectedACNPs.Union(n.getNSLabelRuleACNPs())
+		// Any ACNPs that has Namespace label rules that refers to the original or
+		// current Namespaces' label key set need to be re-processed.
+		acnpsWithRulesMatchingNSLabelKeys := n.getNSLabelRuleACNPs(oldNamespace.Labels).Union(n.getNSLabelRuleACNPs(curNamespace.Labels))
+		affectedACNPs = affectedACNPs.Union(acnpsWithRulesMatchingNSLabelKeys)
 		for cnpName := range affectedACNPs {
 			// Ignore the ClusterNetworkPolicy if it has been removed during the process.
 			if cnp, err := n.cnpLister.Get(cnpName); err == nil {
@@ -232,6 +238,7 @@ func (n *NetworkPolicyController) deleteNamespace(old interface{}) {
 	defer n.heartbeat("deleteNamespace")
 	klog.V(2).Infof("Processing Namespace %s DELETE event, labels: %v", namespace.Name, namespace.Labels)
 	affectedACNPs := n.filterPerNamespaceRuleACNPsByNSLabels(namespace.Labels)
+	affectedACNPs = affectedACNPs.Union(n.getNSLabelRuleACNPs(namespace.Labels))
 	for _, cnpName := range affectedACNPs.List() {
 		// Ignore the ClusterNetworkPolicy if it has been removed during the process.
 		if cnp, err := n.cnpLister.Get(cnpName); err == nil {
@@ -553,22 +560,27 @@ func hasPerNamespaceRule(cnp *crdv1alpha1.ClusterNetworkPolicy) bool {
 	return false
 }
 
-func hasNamespaceLabelRule(cnp *crdv1alpha1.ClusterNetworkPolicy) bool {
+func namespaceRuleLabelKeys(cnp *crdv1alpha1.ClusterNetworkPolicy) sets.String {
+	keys := sets.NewString()
 	for _, ingress := range cnp.Spec.Ingress {
 		for _, peer := range ingress.From {
 			if peer.Namespaces != nil && len(peer.Namespaces.SameLabels) > 0 {
-				return true
+				for _, k := range peer.Namespaces.SameLabels {
+					keys.Insert(k)
+				}
 			}
 		}
 	}
 	for _, egress := range cnp.Spec.Egress {
 		for _, peer := range egress.To {
 			if peer.Namespaces != nil && len(peer.Namespaces.SameLabels) > 0 {
-				return true
+				for _, k := range peer.Namespaces.SameLabels {
+					keys.Insert(k)
+				}
 			}
 		}
 	}
-	return false
+	return keys
 }
 
 func (n *NetworkPolicyController) getNamespaceLabels(ns string) map[string]string {
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index 483ec2af547..e759d29b125 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -94,7 +94,7 @@ const (
 	internalGroupType  grouping.GroupType = "internalGroup"
 
 	perNamespaceRuleIndex   = "hasPerNamespaceRule"
-	namespaceLabelRuleIndex = "hasNamespaceLabelRule"
+	namespaceLabelRuleIndex = "namespaceRuleLabelKeys"
 	hasSuchRule             = "true"
 )
 
@@ -326,10 +326,7 @@ var cnpIndexers = cache.Indexers{
 		if !ok {
 			return []string{}, nil
 		}
-		if hasNSLabelRule := hasNamespaceLabelRule(cnp); hasNSLabelRule {
-			return []string{hasSuchRule}, nil
-		}
-		return []string{}, nil
+		return namespaceRuleLabelKeys(cnp).List(), nil
 	},
 }