Support enabling enforcement per namespace while using defaultShadow enforcement mode

src/operator/controllers/intents_controller.go

@@ -80,13 +80,14 @@ func NewIntentsReconciler(
 	otterizeClient operator_cloud_client.CloudClient,
 	operatorPodName string,
 	operatorPodNamespace string,
+	activeNamespaces []string,
 	additionalReconcilers ...reconcilergroup.ReconcilerWithEvents,
 ) *IntentsReconciler {
 
 	serviceIdResolver := serviceidresolver.NewResolver(client)
 	reconcilers := []reconcilergroup.ReconcilerWithEvents{
 		intents_reconcilers.NewPodLabelReconciler(client, scheme),
-		intents_reconcilers.NewKafkaACLReconciler(client, scheme, kafkaServerStore, enforcementConfig.EnableKafkaACL, kafkaacls.NewKafkaIntentsAdmin, enforcementConfig.EnforcementDefaultState, operatorPodName, operatorPodNamespace, serviceIdResolver),
+		intents_reconcilers.NewKafkaACLReconciler(client, scheme, kafkaServerStore, enforcementConfig.EnableKafkaACL, kafkaacls.NewKafkaIntentsAdmin, enforcementConfig.EnforcementDefaultState, operatorPodName, operatorPodNamespace, serviceIdResolver, activeNamespaces),
 		intents_reconcilers.NewIstioPolicyReconciler(client, scheme, restrictToNamespaces, enforcementConfig.EnableIstioPolicy, enforcementConfig.EnforcementDefaultState),
 	}
 	reconcilers = append(reconcilers, additionalReconcilers...)

src/operator/controllers/intents_controller_test.go

@@ -33,6 +33,7 @@ func (s *IntentsControllerTestSuite) SetupTest() {
 		"",
 		"",
 		nil,
+		nil,
 	)
 }
 

src/operator/controllers/intents_reconcilers/external_traffic_network_policy/external_traffic_network_policy_test.go

@@ -71,7 +71,7 @@ func (s *ExternalNetworkPolicyReconcilerTestSuite) SetupTest() {
 	defaultActive := !isShadowMode
 	netpolHandler := external_traffic.NewNetworkPolicyHandler(s.Mgr.GetClient(), s.TestEnv.Scheme, allowexternaltraffic.IfBlockedByOtterize)
 	s.defaultDenyReconciler = protected_service_reconcilers.NewDefaultDenyReconciler(s.Mgr.GetClient(), netpolHandler, true)
-	netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, true, defaultActive, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
+	netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, []string{}, true, defaultActive, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
 	epReconciler := effectivepolicy.NewGroupReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolReconciler)
 	s.EffectivePolicyIntentsReconciler = intents_reconcilers.NewServiceEffectiveIntentsReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, epReconciler)
 	s.Require().NoError((&controllers.IntentsReconciler{}).InitIntentsServerIndices(s.Mgr))
@@ -86,7 +86,7 @@ func (s *ExternalNetworkPolicyReconcilerTestSuite) SetupTest() {
 	s.IngressReconciler.InjectRecorder(recorder)
 	s.Require().NoError(err)
 
-	s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, defaultActive, true)
+	s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, defaultActive, true, nil)
 	err = s.podWatcher.InitIntentsClientIndices(s.Mgr)
 	s.Require().NoError(err)
 

src/operator/controllers/intents_reconcilers/external_traffic_network_policy/external_traffic_network_policy_with_no_intents_test.go

@@ -63,7 +63,7 @@ func (s *ExternalNetworkPolicyReconcilerWithNoIntentsTestSuite) SetupTest() {
 
 	recorder := s.Mgr.GetEventRecorderFor("intents-operator")
 	netpolHandler := external_traffic.NewNetworkPolicyHandler(s.Mgr.GetClient(), s.TestEnv.Scheme, allowexternaltraffic.Always)
-	netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, true, true, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
+	netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, []string{}, true, true, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
 	groupReconciler := effectivepolicy.NewGroupReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolReconciler)
 	s.EffectivePolicyIntentsReconciler = intents_reconcilers.NewServiceEffectiveIntentsReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, groupReconciler)
 	s.Require().NoError((&controllers.IntentsReconciler{}).InitIntentsServerIndices(s.Mgr))
@@ -78,7 +78,7 @@ func (s *ExternalNetworkPolicyReconcilerWithNoIntentsTestSuite) SetupTest() {
 	s.IngressReconciler.InjectRecorder(recorder)
 	s.Require().NoError(err)
 
-	s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true)
+	s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true, nil)
 	err = s.podWatcher.InitIntentsClientIndices(s.Mgr)
 	s.Require().NoError(err)
 

src/operator/controllers/intents_reconcilers/istio_policy.go

@@ -42,7 +42,7 @@ func NewIstioPolicyReconciler(
 	}
 
 	reconciler.policyManager = istiopolicy.NewPolicyManager(c, &reconciler.InjectableRecorder, restrictToNamespaces,
-		reconciler.enforcementDefaultState, reconciler.enableIstioPolicyCreation)
+		reconciler.enforcementDefaultState, reconciler.enableIstioPolicyCreation, nil)
 
 	return reconciler
 }

src/operator/controllers/intents_reconcilers/kafka_acls.go

@@ -38,6 +38,7 @@ type KafkaACLReconciler struct {
 	operatorPodName         string
 	operatorPodNamespace    string
 	serviceResolver         serviceidresolver.ServiceResolver
+	activeNamespaces        []string
 	injectablerecorder.InjectableRecorder
 }
 
@@ -51,6 +52,7 @@ func NewKafkaACLReconciler(
 	operatorPodName string,
 	operatorPodNamespace string,
 	serviceResolver serviceidresolver.ServiceResolver,
+	activeNamespaces []string,
 ) *KafkaACLReconciler {
 	return &KafkaACLReconciler{
 		client:                  client,
@@ -62,6 +64,7 @@ func NewKafkaACLReconciler(
 		operatorPodName:         operatorPodName,
 		operatorPodNamespace:    operatorPodNamespace,
 		serviceResolver:         serviceResolver,
+		activeNamespaces:        activeNamespaces,
 	}
 }
 
@@ -88,7 +91,7 @@ func (r *KafkaACLReconciler) applyACLs(ctx context.Context, intents *otterizev1a
 
 	if err := r.KafkaServersStore.MapErr(func(serverName types.NamespacedName, config *otterizev1alpha3.KafkaServerConfig, tls otterizev1alpha3.TLSSource) error {
 		intentsForServer := intentsByServer[serverName]
-		shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState)
+		shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState, r.activeNamespaces)
 		if err != nil {
 			return errors.Wrap(err)
 		}
@@ -130,7 +133,7 @@ func (r *KafkaACLReconciler) applyACLs(ctx context.Context, intents *otterizev1a
 
 func (r *KafkaACLReconciler) RemoveACLs(ctx context.Context, intents *otterizev1alpha3.ClientIntents) error {
 	return r.KafkaServersStore.MapErr(func(serverName types.NamespacedName, config *otterizev1alpha3.KafkaServerConfig, tls otterizev1alpha3.TLSSource) error {
-		shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState)
+		shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState, r.activeNamespaces)
 		if err != nil {
 			return errors.Wrap(err)
 		}

src/operator/controllers/intents_reconcilers/kafka_acls_test.go

@@ -121,6 +121,7 @@ func (s *KafkaACLReconcilerTestSuite) initKafkaIntentsAdmin(enableAclCreation bo
 		operatorPodName,
 		s.operatorNamespace,
 		s.mockServiceResolver,
+		nil,
 	)
 	s.recorder = record.NewFakeRecorder(100)
 	s.Reconciler.InjectRecorder(s.recorder)

src/operator/controllers/intents_reconcilers/networkpolicy/builders/ingress_network_policy_test.go

@@ -45,7 +45,9 @@ func (s *NetworkPolicyReconcilerTestSuite) testCreateNetworkPolicy(
 	formattedTargetServer string,
 	defaultEnforcementState bool,
 	protectedServices []otterizev1alpha3.ProtectedService,
+	enforcedNamespaces []string,
 ) {
+	s.Reconciler.EnforcedNamespaces = enforcedNamespaces
 	s.Reconciler.EnforcementDefaultState = defaultEnforcementState
 	namespacedName := types.NamespacedName{
 		Namespace: testNamespace,
@@ -182,6 +184,27 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicy() {
 		formattedTargetServer,
 		true,
 		nil,
+		nil,
+	)
+	s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
+}
+
+func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyActiveNamespace() {
+	clientIntentsName := "client-intents"
+	policyName := "test-server-access"
+	serviceName := "test-client"
+	serverNamespace := testNamespace
+	formattedTargetServer := "test-server-test-namespace-8ddecb"
+
+	s.testCreateNetworkPolicy(
+		clientIntentsName,
+		serverNamespace,
+		serviceName,
+		policyName,
+		formattedTargetServer,
+		false,
+		nil,
+		[]string{serverNamespace},
 	)
 	s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
 }
@@ -211,6 +234,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyWithProtectedS
 		formattedTargetServer,
 		false,
 		protectedService,
+		nil,
 	)
 	s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
 }
@@ -251,6 +275,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyWithProtectedS
 		formattedTargetServer,
 		false,
 		protectedServices,
+		nil,
 	)
 	s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
 }
@@ -270,6 +295,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestNetworkPolicyCreateCrossNamespace
 		formattedTargetServer,
 		true,
 		nil,
+		nil,
 	)
 	s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
 }

src/operator/controllers/intents_reconcilers/networkpolicy/builders/test_base.go

@@ -50,6 +50,7 @@ func (s *RulesBuilderTestSuiteBase) SetupTest() {
 		s.scheme,
 		s.externalNetpolHandler,
 		restrictToNamespaces,
+		make([]string, 0),
 		true,
 		true,
 		nil,

src/operator/controllers/intents_reconcilers/networkpolicy/reconciler.go

@@ -49,6 +49,7 @@ type Reconciler struct {
 	client.Client
 	Scheme                      *runtime.Scheme
 	RestrictToNamespaces        []string
+	EnforcedNamespaces          []string
 	EnableNetworkPolicyCreation bool
 	EnforcementDefaultState     bool
 	injectablerecorder.InjectableRecorder
@@ -62,6 +63,7 @@ func NewReconciler(
 	s *runtime.Scheme,
 	externalNetpolHandler ExternalNetpolHandler,
 	restrictToNamespaces []string,
+	enforcedNamespaces []string,
 	enableNetworkPolicyCreation bool,
 	enforcementDefaultState bool,
 	ingressBuilders []IngressRuleBuilder,
@@ -71,6 +73,7 @@ func NewReconciler(
 		Client:                      c,
 		Scheme:                      s,
 		RestrictToNamespaces:        restrictToNamespaces,
+		EnforcedNamespaces:          enforcedNamespaces,
 		EnableNetworkPolicyCreation: enableNetworkPolicyCreation,
 		EnforcementDefaultState:     enforcementDefaultState,
 		egressRuleBuilders:          egressBuilders,
@@ -216,7 +219,7 @@ func (r *Reconciler) buildIngressRules(ctx context.Context, ep effectivepolicy.S
 	if len(ep.CalledBy) == 0 || len(r.ingressRuleBuilders) == 0 {
 		return rules, false, nil
 	}
-	shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.Client, ep.Service.Name, ep.Service.Namespace, r.EnforcementDefaultState)
+	shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.Client, ep.Service.Name, ep.Service.Namespace, r.EnforcementDefaultState, r.EnforcedNamespaces)
 	if err != nil {
 		return rules, false, errors.Wrap(err)
 	}

src/operator/controllers/intents_reconcilers/protected_services/should_protect.go

@@ -4,19 +4,27 @@ import (
 	"context"
 	otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
 	"github.com/otterize/intents-operator/src/shared/errors"
+	"github.com/samber/lo"
 	"github.com/sirupsen/logrus"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx context.Context, kube client.Client, serverName string, serverNamespace string, enforcementDefaultState bool) (bool, error) {
+func IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx context.Context, kube client.Client, serverName string, serverNamespace string, enforcementDefaultState bool, activeNamespaces []string) (bool, error) {
 	if enforcementDefaultState {
 		logrus.Debug("Enforcement is default on, so all services should be protected")
 		return true, nil
 	}
+	logrus.Debug("Protected services are enabled")
 
-	logrus.Debug("Protected services are enabled, checking if server is in protected list")
+	logrus.Debugf("checking if server's namespace is in acrive namespaces")
+	if lo.Contains(activeNamespaces, serverNamespace) {
+		logrus.Debugf("Server %s in namespace %s is in active namespaces", serverName, serverNamespace)
+		return true, nil
+	}
+
+	logrus.Debugf("checking if server is in protected list")
 	var protectedServicesResources otterizev1alpha3.ProtectedServiceList
 	err := kube.List(ctx, &protectedServicesResources,
 		client.MatchingFields{otterizev1alpha3.OtterizeProtectedServiceNameIndexField: serverName},

src/operator/controllers/istiopolicy/policy_manager.go

@@ -45,6 +45,7 @@ type PolicyManagerImpl struct {
 	client                    client.Client
 	recorder                  *injectablerecorder.InjectableRecorder
 	restrictToNamespaces      []string
+	activeNamespaces          []string
 	enforcementDefaultState   bool
 	enableIstioPolicyCreation bool
 }
@@ -56,13 +57,14 @@ type PolicyManager interface {
 	UpdateServerSidecar(ctx context.Context, clientIntents *v1alpha3.ClientIntents, serverName string, missingSideCar bool) error
 }
 
-func NewPolicyManager(client client.Client, recorder *injectablerecorder.InjectableRecorder, restrictedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool) *PolicyManagerImpl {
+func NewPolicyManager(client client.Client, recorder *injectablerecorder.InjectableRecorder, restrictedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool, activeNamespaces []string) *PolicyManagerImpl {
 	return &PolicyManagerImpl{
 		client:                    client,
 		recorder:                  recorder,
 		restrictToNamespaces:      restrictedNamespaces,
 		enforcementDefaultState:   enforcementDefaultState,
 		enableIstioPolicyCreation: istioEnforcementEnabled,
+		activeNamespaces:          activeNamespaces,
 	}
 }
 
@@ -321,7 +323,7 @@ func (c *PolicyManagerImpl) createOrUpdatePolicies(
 			continue
 		}
 		shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(
-			ctx, c.client, intent.GetTargetServerName(), intent.GetTargetServerNamespace(clientIntents.Namespace), c.enforcementDefaultState)
+			ctx, c.client, intent.GetTargetServerName(), intent.GetTargetServerNamespace(clientIntents.Namespace), c.enforcementDefaultState, c.activeNamespaces)
 		if err != nil {
 			return nil, errors.Wrap(err)
 		}

src/operator/controllers/istiopolicy/policy_manager_test.go

@@ -27,7 +27,7 @@ type PolicyManagerTestSuite struct {
 
 func (s *PolicyManagerTestSuite) SetupTest() {
 	s.MocksSuiteBase.SetupTest()
-	s.admin = NewPolicyManager(s.Client, &injectablerecorder.InjectableRecorder{Recorder: s.Recorder}, []string{}, true, true)
+	s.admin = NewPolicyManager(s.Client, &injectablerecorder.InjectableRecorder{Recorder: s.Recorder}, []string{}, true, true, nil)
 }
 
 func (s *PolicyManagerTestSuite) TearDownTest() {

src/operator/controllers/pod_reconcilers/pods.go

@@ -38,9 +38,9 @@ type PodWatcher struct {
 	injectablerecorder.InjectableRecorder
 }
 
-func NewPodWatcher(c client.Client, eventRecorder record.EventRecorder, watchedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool) *PodWatcher {
+func NewPodWatcher(c client.Client, eventRecorder record.EventRecorder, watchedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool, activeNamespaces []string) *PodWatcher {
 	recorder := injectablerecorder.InjectableRecorder{Recorder: eventRecorder}
-	creator := istiopolicy.NewPolicyManager(c, &recorder, watchedNamespaces, enforcementDefaultState, istioEnforcementEnabled)
+	creator := istiopolicy.NewPolicyManager(c, &recorder, watchedNamespaces, enforcementDefaultState, istioEnforcementEnabled, activeNamespaces)
 	return &PodWatcher{
 		Client:             c,
 		serviceIdResolver:  serviceidresolver.NewResolver(c),

src/operator/controllers/pod_reconcilers/pods_test.go

@@ -48,7 +48,7 @@ func (s *WatcherPodLabelReconcilerTestSuite) SetupSuite() {
 func (s *WatcherPodLabelReconcilerTestSuite) SetupTest() {
 	s.ControllerManagerTestSuiteBase.SetupTest()
 	recorder := s.Mgr.GetEventRecorderFor("intents-operator")
-	s.Reconciler = NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true)
+	s.Reconciler = NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true, nil)
 	s.Require().NoError(s.Reconciler.InitIntentsClientIndices(s.Mgr))
 }
 

src/operator/main.go

@@ -123,6 +123,7 @@ func main() {
 	selfSignedCert := viper.GetBool(operatorconfig.SelfSignedCertKey)
 	allowExternalTraffic := allowexternaltraffic.Enum(viper.GetString(operatorconfig.AllowExternalTrafficKey))
 	watchedNamespaces := viper.GetStringSlice(operatorconfig.WatchedNamespacesKey)
+	enforcedNamespaces := viper.GetStringSlice(operatorconfig.ActiveEnforcementNamespacesKey)
 	enforcementConfig := controllers.EnforcementConfig{
 		EnforcementDefaultState:              viper.GetBool(operatorconfig.EnforcementDefaultStateKey),
 		EnableNetworkPolicy:                  viper.GetBool(operatorconfig.EnableNetworkPolicyKey),
@@ -216,7 +217,7 @@ func main() {
 	additionalIntentsReconcilers := make([]reconcilergroup.ReconcilerWithEvents, 0)
 	svcNetworkPolicyBuilder := builders.NewPortNetworkPolicyReconciler(mgr.GetClient())
 	dnsServerNetpolBuilder := builders.NewIngressDNSServerAutoAllowNetpolBuilder()
-	epNetpolReconciler := networkpolicy.NewReconciler(mgr.GetClient(), scheme, extNetpolHandler, watchedNamespaces, enforcementConfig.EnableNetworkPolicy, enforcementConfig.EnforcementDefaultState,
+	epNetpolReconciler := networkpolicy.NewReconciler(mgr.GetClient(), scheme, extNetpolHandler, watchedNamespaces, enforcedNamespaces, enforcementConfig.EnableNetworkPolicy, enforcementConfig.EnforcementDefaultState,
 		[]networkpolicy.IngressRuleBuilder{ingressRulesBuilder, svcNetworkPolicyBuilder, dnsServerNetpolBuilder}, make([]networkpolicy.EgressRuleBuilder, 0))
 	epGroupReconciler := effectivepolicy.NewGroupReconciler(mgr.GetClient(), scheme, epNetpolReconciler)
 	if enforcementConfig.EnableEgressNetworkPolicyReconcilers {
@@ -395,6 +396,7 @@ func main() {
 		otterizeCloudClient,
 		podName,
 		podNamespace,
+		enforcedNamespaces,
 		additionalIntentsReconcilers...,
 	)
 
@@ -458,7 +460,7 @@ func main() {
 		logrus.WithError(err).Panic("unable to create controller", "controller", "ProtectedServices")
 	}
 
-	podWatcher := pod_reconcilers.NewPodWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), watchedNamespaces, enforcementConfig.EnforcementDefaultState, enforcementConfig.EnableIstioPolicy)
+	podWatcher := pod_reconcilers.NewPodWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), watchedNamespaces, enforcementConfig.EnforcementDefaultState, enforcementConfig.EnableIstioPolicy, enforcedNamespaces)
 	nsWatcher := pod_reconcilers.NewNamespaceWatcher(mgr.GetClient())
 	svcWatcher := port_network_policy.NewServiceWatcher(mgr.GetClient(), mgr.GetEventRecorderFor("intents-operator"), epGroupReconciler)