diff --git a/controllers/firewall_controller.go b/controllers/firewall_controller.go
index 63e49910..89f272f7 100644
--- a/controllers/firewall_controller.go
+++ b/controllers/firewall_controller.go
@@ -125,11 +125,6 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 }
 
 var errors *multierror.Error
- log.Info("migrating old global network policies to kind ClusterwideNetworkPolicy")
- if err = r.migrateToClusterwideNetworkPolicy(ctx, f, log); err != nil {
- errors = multierror.Append(errors, err)
- }
-
 log.Info("reconciling nftables rules")
 if err = r.reconcileRules(ctx, f, log); err != nil {
 errors = multierror.Append(errors, err)
@@ -184,69 +179,6 @@ func (r *FirewallReconciler) validateFirewall(ctx context.Context, f firewallv1.
 return nil
 }
 
-// migrateToClusterwideNetworkPolicy migrates old network policy objects to the new kind ClusterwideNetworkPolicy
-func (r *FirewallReconciler) migrateToClusterwideNetworkPolicy(ctx context.Context, f firewallv1.Firewall, log logr.Logger) error {
- npsToIgnore := []string{"egress-allow-http", "egress-allow-https", "egress-allow-any", "egress-allow-dns", "egress-allow-ntp"}
-
- var nps networking.NetworkPolicyList
- if err := r.Client.List(ctx, &nps); err != nil {
- return err
- }
-
- n := 0
- for _, np := range nps.Items {
- s := np.Spec
- if len(s.PodSelector.MatchExpressions) != 0 || len(s.PodSelector.MatchLabels) != 0 {
- continue
- }
-
- // is one of the old network policy objects like egress-allow-http that are replaced by cluster wide ones installed by gepm
- if contains(npsToIgnore, np.Name) {
- continue
- }
-
- cwnp, err := convert(np)
- if err != nil {
- return fmt.Errorf("could not migrate network policy to a cluster-wide np: %w", err)
- }
-
- if cwnp == nil {
- // nothing to do here because network policy translates to an empty cwnp
- continue
- }
-
- var current firewallv1.ClusterwideNetworkPolicy
- err = r.Get(ctx, types.NamespacedName{Name: cwnp.Name, Namespace: firewallNamespace}, ¤t)
-
- // cwnp already exists: don't try to merge or update - just ignore
- if err == nil {
- continue
- }
-
- if errors.IsNotFound(err) {
- err = r.Client.Create(ctx, cwnp)
- }
-
- if err != nil {
- return fmt.Errorf("could not migrate to cluster-wide network policy: %w", err)
- }
- n++
- }
-
- log.Info("migrated network policies to cluster-wide network policies", "n", n)
-
- return nil
-}
-
-func contains(l []string, e string) bool {
- for _, elem := range l {
- if elem == e {
- return true
- }
- }
- return false
-}
-
 // converts a network-policy object that was used before in a cluster-wide manner to the new CRD
 func convert(np networking.NetworkPolicy) (*firewallv1.ClusterwideNetworkPolicy, error) {
 cwnp := firewallv1.ClusterwideNetworkPolicy{
@@ -510,7 +442,6 @@ func (r *FirewallReconciler) SetupWithManager(mgr ctrl.Manager) error {
 // don't trigger a reconcilation for status updates
 WithEventFilter(predicate.GenerationChangedPredicate{}).
 Watches(&source.Kind{Type: &firewallv1.ClusterwideNetworkPolicy{}}, triggerFirewallReconcilation).
- Watches(&source.Kind{Type: &networking.NetworkPolicy{}}, triggerFirewallReconcilation).
 Watches(&source.Kind{Type: &corev1.Service{}}, triggerFirewallReconcilation).
 Complete(r)
 }