Skip to content

Commit 62ba00e

Browse files
author
Kubernetes Submit Queue
authored
Merge pull request kubernetes#47123 from danwinship/networkpolicy-update
Automatic merge from submit-queue Allow NetworkPolicy.spec updates ValidateNetworkPolicyUpdate currently prohibits changes to `spec` in an existing NetworkPolicy. We were going to fix this for 1.7 but I forgot to submit this PR after the main PR merged. Too late for 1.7? @thockin @caseydavenport @cmluciano This only changes networking.NetworkPolicy validation at the moment... Should I change extensions.NetworkPolicy validation too? Fixes kubernetes#35911 We should add a test to the e2e NetworkPolicy test for this too if this is going to merge. **Release note**: ```release-note As part of the NetworkPolicy "v1" changes, it is also now possible to update the spec field of an existing NetworkPolicy. (Previously you had to delete and recreate a NetworkPolicy if you wanted to change it.) ```
2 parents 95a4a5d + c03a6ec commit 62ba00e

File tree

2 files changed

+26
-27
lines changed

2 files changed

+26
-27
lines changed

pkg/apis/networking/validation/validation.go

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,6 @@ limitations under the License.
1717
package validation
1818

1919
import (
20-
"reflect"
21-
2220
unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
2321
"k8s.io/apimachinery/pkg/util/intstr"
2422
"k8s.io/apimachinery/pkg/util/validation"
@@ -92,8 +90,6 @@ func ValidateNetworkPolicy(np *networking.NetworkPolicy) field.ErrorList {
9290
func ValidateNetworkPolicyUpdate(update, old *networking.NetworkPolicy) field.ErrorList {
9391
allErrs := field.ErrorList{}
9492
allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&update.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
95-
if !reflect.DeepEqual(update.Spec, old.Spec) {
96-
allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "updates to networkpolicy spec are forbidden."))
97-
}
93+
allErrs = append(allErrs, ValidateNetworkPolicySpec(&update.Spec, field.NewPath("spec"))...)
9894
return allErrs
9995
}

pkg/apis/networking/validation/validation_test.go

Lines changed: 25 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -271,8 +271,8 @@ func TestValidateNetworkPolicyUpdate(t *testing.T) {
271271
old networking.NetworkPolicy
272272
update networking.NetworkPolicy
273273
}
274-
successCases := []npUpdateTest{
275-
{
274+
successCases := map[string]npUpdateTest{
275+
"no change": {
276276
old: networking.NetworkPolicy{
277277
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
278278
Spec: networking.NetworkPolicySpec{
@@ -292,17 +292,7 @@ func TestValidateNetworkPolicyUpdate(t *testing.T) {
292292
},
293293
},
294294
},
295-
}
296-
297-
for _, successCase := range successCases {
298-
successCase.old.ObjectMeta.ResourceVersion = "1"
299-
successCase.update.ObjectMeta.ResourceVersion = "1"
300-
if errs := ValidateNetworkPolicyUpdate(&successCase.update, &successCase.old); len(errs) != 0 {
301-
t.Errorf("expected success: %v", errs)
302-
}
303-
}
304-
errorCases := map[string]npUpdateTest{
305-
"change name": {
295+
"change spec": {
306296
old: networking.NetworkPolicy{
307297
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
308298
Spec: networking.NetworkPolicySpec{
@@ -311,14 +301,27 @@ func TestValidateNetworkPolicyUpdate(t *testing.T) {
311301
},
312302
},
313303
update: networking.NetworkPolicy{
314-
ObjectMeta: metav1.ObjectMeta{Name: "baz", Namespace: "bar"},
304+
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
315305
Spec: networking.NetworkPolicySpec{
316-
PodSelector: metav1.LabelSelector{},
317-
Ingress: []networking.NetworkPolicyIngressRule{},
306+
PodSelector: metav1.LabelSelector{
307+
MatchLabels: map[string]string{"a": "b"},
308+
},
309+
Ingress: []networking.NetworkPolicyIngressRule{},
318310
},
319311
},
320312
},
321-
"change spec": {
313+
}
314+
315+
for testName, successCase := range successCases {
316+
successCase.old.ObjectMeta.ResourceVersion = "1"
317+
successCase.update.ObjectMeta.ResourceVersion = "1"
318+
if errs := ValidateNetworkPolicyUpdate(&successCase.update, &successCase.old); len(errs) != 0 {
319+
t.Errorf("expected success (%s): %v", testName, errs)
320+
}
321+
}
322+
323+
errorCases := map[string]npUpdateTest{
324+
"change name": {
322325
old: networking.NetworkPolicy{
323326
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
324327
Spec: networking.NetworkPolicySpec{
@@ -327,18 +330,18 @@ func TestValidateNetworkPolicyUpdate(t *testing.T) {
327330
},
328331
},
329332
update: networking.NetworkPolicy{
330-
ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
333+
ObjectMeta: metav1.ObjectMeta{Name: "baz", Namespace: "bar"},
331334
Spec: networking.NetworkPolicySpec{
332-
PodSelector: metav1.LabelSelector{
333-
MatchLabels: map[string]string{"a": "b"},
334-
},
335-
Ingress: []networking.NetworkPolicyIngressRule{},
335+
PodSelector: metav1.LabelSelector{},
336+
Ingress: []networking.NetworkPolicyIngressRule{},
336337
},
337338
},
338339
},
339340
}
340341

341342
for testName, errorCase := range errorCases {
343+
errorCase.old.ObjectMeta.ResourceVersion = "1"
344+
errorCase.update.ObjectMeta.ResourceVersion = "1"
342345
if errs := ValidateNetworkPolicyUpdate(&errorCase.update, &errorCase.old); len(errs) == 0 {
343346
t.Errorf("expected failure: %s", testName)
344347
}

0 commit comments

Comments
 (0)