add pod and service utils (#7)

* add pod and service utils

Author: kishorj

internal/eventhandlers/pod.go

@@ -18,9 +18,9 @@ package eventhandlers
 
 import (
 	"context"
+
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/k8s"
 	"github.com/aws/amazon-network-policy-controller-k8s/pkg/resolvers"
-
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -81,6 +81,10 @@ func (h *enqueueRequestForPodEvent) Generic(_ context.Context, _ event.GenericEv
 }
 
 func (h *enqueueRequestForPodEvent) enqueueReferredPolicies(ctx context.Context, _ workqueue.RateLimitingInterface, pod *corev1.Pod, podOld *corev1.Pod) {
+	if len(k8s.GetPodIP(pod)) == 0 {
+		h.logger.V(1).Info("Pod does not have an IP yet", "pod", k8s.NamespacedName(pod))
+		return
+	}
 	referredPolicies, err := h.policyResolver.GetReferredPoliciesForPod(ctx, pod, podOld)
 	if err != nil {
 		h.logger.Error(err, "Unable to get referred policies", "pod", k8s.NamespacedName(pod))

pkg/k8s/pod_utils.go

@@ -0,0 +1,45 @@
+package k8s
+
+import (
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+const (
+	podIPAnnotation = "vpc.amazonaws.com/pod-ips"
+)
+
+// GetPodIP returns the pod IP from the pod status or from the pod annotation.
+func GetPodIP(pod *corev1.Pod) string {
+	if len(pod.Status.PodIP) > 0 {
+		return pod.Status.PodIP
+	} else {
+		return pod.Annotations[podIPAnnotation]
+	}
+}
+
+// LookupContainerPortAndName returns numerical containerPort and portName for specific port and protocol
+func LookupContainerPortAndName(pod *corev1.Pod, port intstr.IntOrString, protocol corev1.Protocol) (int32, string, error) {
+	for _, podContainer := range pod.Spec.Containers {
+		for _, podPort := range podContainer.Ports {
+			if podPort.Protocol != protocol {
+				continue
+			}
+			switch port.Type {
+			case intstr.String:
+				if podPort.Name == port.StrVal {
+					return podPort.ContainerPort, podPort.Name, nil
+				}
+			case intstr.Int:
+				if podPort.ContainerPort == port.IntVal {
+					return podPort.ContainerPort, podPort.Name, nil
+				}
+			}
+		}
+	}
+	if port.Type == intstr.Int {
+		return port.IntVal, "", nil
+	}
+	return 0, "", errors.Errorf("unable to find port %s on pod %s", port.String(), NamespacedName(pod))
+}

pkg/k8s/pod_utils_test.go

@@ -0,0 +1,186 @@
+package k8s
+
+import (
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"testing"
+)
+
+func Test_GetPodIP(t *testing.T) {
+	tests := []struct {
+		name string
+		pod  *corev1.Pod
+		want string
+	}{
+		{
+			name: "pod with status IP",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					PodIP: "192.168.11.22",
+				},
+			},
+			want: "192.168.11.22",
+		},
+		{
+			name: "pod with annotation IP",
+			pod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						podIPAnnotation: "1.2.3.4",
+					},
+				},
+			},
+			want: "1.2.3.4",
+		},
+		{
+			name: "pod without status IP or annotation IP",
+			pod:  &corev1.Pod{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := GetPodIP(tt.pod)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func Test_LookupContainerPortAndName(t *testing.T) {
+	pod := &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "pod",
+		},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Ports: []corev1.ContainerPort{
+						{
+							Name:          "http",
+							ContainerPort: 80,
+							Protocol:      corev1.ProtocolTCP,
+						},
+					},
+				},
+				{
+					Ports: []corev1.ContainerPort{
+						{
+							Name:          "https",
+							ContainerPort: 443,
+							Protocol:      corev1.ProtocolTCP,
+						},
+						{
+							ContainerPort: 8080,
+							Protocol:      corev1.ProtocolTCP,
+						},
+					},
+				},
+			},
+		},
+	}
+	type want struct {
+		port int32
+		name string
+	}
+	type args struct {
+		pod      *corev1.Pod
+		protocol corev1.Protocol
+		port     intstr.IntOrString
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    want
+		wantErr string
+	}{
+		{
+			name: "resolve numeric pod",
+			args: args{
+				pod:  pod,
+				port: intstr.FromInt(8080),
+			},
+			want: want{
+				port: 8080,
+			},
+		},
+		{
+			name: "numeric pod not in pod spec can still be resolved",
+			args: args{
+				pod:  pod,
+				port: intstr.FromInt(9090),
+			},
+			want: want{
+				port: 9090,
+			},
+		},
+		{
+			name: "lookup based on port name",
+			args: args{
+				pod:  pod,
+				port: intstr.FromString("http"),
+			},
+			want: want{
+				port: 80,
+				name: "http",
+			},
+		},
+		{
+			name: "lookup based on port name in another container",
+			args: args{
+				pod:  pod,
+				port: intstr.FromString("https"),
+			},
+			want: want{
+				port: 443,
+				name: "https",
+			},
+		},
+		{
+			name: "port matches, but protocol does not",
+			args: args{
+				pod:      pod,
+				port:     intstr.FromString("https"),
+				protocol: corev1.ProtocolUDP,
+			},
+			wantErr: "unable to find port https on pod default/pod",
+		},
+		{
+			name: "numeric port lookup ignores the protocol",
+			args: args{
+				pod:      pod,
+				port:     intstr.FromInt(443),
+				protocol: corev1.ProtocolUDP,
+			},
+			want: want{
+				port: 443,
+			},
+		},
+		{
+			name: "nonexistent port name",
+			args: args{
+				pod:  pod,
+				port: intstr.FromString("nonexistent"),
+			},
+			wantErr: "unable to find port nonexistent on pod default/pod",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			protocol := tt.args.protocol
+			if len(protocol) == 0 {
+				protocol = corev1.ProtocolTCP
+			}
+			got := want{}
+			var err error
+			got.port, got.name, err = LookupContainerPortAndName(tt.args.pod, tt.args.port, protocol)
+			if len(tt.wantErr) > 0 {
+				assert.EqualError(t, err, tt.wantErr)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}

pkg/k8s/service_utils.go

@@ -0,0 +1,44 @@
+package k8s
+
+import (
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// LookupServiceListenPort returns the numerical port for the service listen port if the target port name matches
+// or the port number and the protocol matches the target port. If no matching port is found, it returns a 0 and an error.
+func LookupServiceListenPort(svc *corev1.Service, port intstr.IntOrString, protocol corev1.Protocol) (int32, error) {
+	for _, svcPort := range svc.Spec.Ports {
+		if svcPort.TargetPort.Type == port.Type && svcPort.TargetPort.String() == port.String() && svcPort.Protocol == protocol {
+			return svcPort.Port, nil
+		}
+	}
+	return 0, errors.Errorf("unable to find port %s on service %s", port.String(), NamespacedName(svc))
+}
+
+// LookupListenPortFromPodSpec returns the numerical listener port from the service spec if the input port matches the target port
+// in the pod spec
+func LookupListenPortFromPodSpec(svc *corev1.Service, pod *corev1.Pod, port intstr.IntOrString, protocol corev1.Protocol) (int32, error) {
+	containerPort, containerPortName, err := LookupContainerPortAndName(pod, port, protocol)
+	if err != nil {
+		return 0, err
+	}
+	for _, svcPort := range svc.Spec.Ports {
+		if svcPort.Protocol != protocol {
+			continue
+		}
+		switch svcPort.TargetPort.Type {
+		case intstr.String:
+			if containerPortName == svcPort.TargetPort.StrVal {
+				return svcPort.Port, nil
+			}
+
+		case intstr.Int:
+			if containerPort == svcPort.TargetPort.IntVal {
+				return svcPort.Port, nil
+			}
+		}
+	}
+	return 0, errors.Errorf("unable to find listener port for port %s on service %s", port.String(), NamespacedName(svc))
+}