Support enabling enforcement per namespace while using defaultShadow enforcement mode #407

Merged
merged 3 commits into from
Apr 10, 2024
Changes from 2 commits
4 changes: 3 additions & 1 deletion src/operator/controllers/intents_controller.go
Expand Up @@ -19,6 +19,7 @@ package controllers
import (
"context"
"fmt"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/database"
Expand Down Expand Up @@ -80,13 +81,14 @@ func NewIntentsReconciler(
otterizeClient operator_cloud_client.CloudClient,
operatorPodName string,
operatorPodNamespace string,
activeNamespaces goset.Set[string],
additionalReconcilers ...reconcilergroup.ReconcilerWithEvents,
) *IntentsReconciler {

serviceIdResolver := serviceidresolver.NewResolver(client)
reconcilers := []reconcilergroup.ReconcilerWithEvents{
intents_reconcilers.NewPodLabelReconciler(client, scheme),
intents_reconcilers.NewKafkaACLReconciler(client, scheme, kafkaServerStore, enforcementConfig.EnableKafkaACL, kafkaacls.NewKafkaIntentsAdmin, enforcementConfig.EnforcementDefaultState, operatorPodName, operatorPodNamespace, serviceIdResolver),
intents_reconcilers.NewKafkaACLReconciler(client, scheme, kafkaServerStore, enforcementConfig.EnableKafkaACL, kafkaacls.NewKafkaIntentsAdmin, enforcementConfig.EnforcementDefaultState, operatorPodName, operatorPodNamespace, serviceIdResolver, activeNamespaces),
intents_reconcilers.NewIstioPolicyReconciler(client, scheme, restrictToNamespaces, enforcementConfig.EnableIstioPolicy, enforcementConfig.EnforcementDefaultState),
}
reconcilers = append(reconcilers, additionalReconcilers...)
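Review bot: The Istio reconciler is left out of the per-namespace enforcement: `activeNamespaces` is forwarded only to `NewKafkaACLReconciler`, the `NewIstioPolicyReconciler` call on the following line is unchanged, and in `intents_reconcilers/istio_policy.go` this change passes a hard-coded empty set, `*goset.NewSet[string]()`, to `istiopolicy.NewPolicyManager`. From the visible lines, Istio policies built through this reconciler would ignore the setting, so a namespace the operator was told to enforce would presumably stay in shadow mode unless a ProtectedService matches. Consider adding an `activeNamespaces goset.Set[string]` parameter to `NewIstioPolicyReconciler` and forwarding it to `NewPolicyManager`, as `NewPodWatcher` already does. Only 2 of the PR's 3 commits are shown here, so this may already be handled; the body of `NewIntentsReconciler` continues outside the hunk.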
2 changes: 2 additions & 0 deletions src/operator/controllers/intents_controller_test.go
Expand Up @@ -2,6 +2,7 @@ package controllers

import (
"context"
"github.com/amit7itz/goset"
otterizev1alpha2 "github.com/otterize/intents-operator/src/operator/api/v1alpha2"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/shared/testbase"
Expand Down Expand Up @@ -32,6 +33,7 @@ func (s *IntentsControllerTestSuite) SetupTest() {
nil,
"",
"",
*goset.NewSet[string](),
nil,
)
}
Expand Up @@ -3,6 +3,7 @@ package external_traffic_network_policy
import (
"context"
"fmt"
"github.com/amit7itz/goset"
"github.com/google/uuid"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers"
Expand Down Expand Up @@ -71,7 +72,7 @@ func (s *ExternalNetworkPolicyReconcilerTestSuite) SetupTest() {
defaultActive := !isShadowMode
netpolHandler := external_traffic.NewNetworkPolicyHandler(s.Mgr.GetClient(), s.TestEnv.Scheme, allowexternaltraffic.IfBlockedByOtterize)
s.defaultDenyReconciler = protected_service_reconcilers.NewDefaultDenyReconciler(s.Mgr.GetClient(), netpolHandler, true)
netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, true, defaultActive, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, *goset.NewSet[string](), true, defaultActive, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
epReconciler := effectivepolicy.NewGroupReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolReconciler)
s.EffectivePolicyIntentsReconciler = intents_reconcilers.NewServiceEffectiveIntentsReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, epReconciler)
s.Require().NoError((&controllers.IntentsReconciler{}).InitIntentsServerIndices(s.Mgr))
Expand All @@ -86,7 +87,7 @@ func (s *ExternalNetworkPolicyReconcilerTestSuite) SetupTest() {
s.IngressReconciler.InjectRecorder(recorder)
s.Require().NoError(err)

s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, defaultActive, true)
s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, defaultActive, true, *goset.NewSet[string]())
err = s.podWatcher.InitIntentsClientIndices(s.Mgr)
s.Require().NoError(err)

Expand Up @@ -3,6 +3,7 @@ package external_traffic_network_policy
import (
"context"
"fmt"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers"
"github.com/otterize/intents-operator/src/operator/controllers/external_traffic"
Expand Down Expand Up @@ -63,7 +64,7 @@ func (s *ExternalNetworkPolicyReconcilerWithNoIntentsTestSuite) SetupTest() {

recorder := s.Mgr.GetEventRecorderFor("intents-operator")
netpolHandler := external_traffic.NewNetworkPolicyHandler(s.Mgr.GetClient(), s.TestEnv.Scheme, allowexternaltraffic.Always)
netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, true, true, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
netpolReconciler := networkpolicy.NewReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolHandler, []string{}, *goset.NewSet[string](), true, true, []networkpolicy.IngressRuleBuilder{builders.NewIngressNetpolBuilder()}, nil)
groupReconciler := effectivepolicy.NewGroupReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, netpolReconciler)
s.EffectivePolicyIntentsReconciler = intents_reconcilers.NewServiceEffectiveIntentsReconciler(s.Mgr.GetClient(), s.TestEnv.Scheme, groupReconciler)
s.Require().NoError((&controllers.IntentsReconciler{}).InitIntentsServerIndices(s.Mgr))
Expand All @@ -78,7 +79,7 @@ func (s *ExternalNetworkPolicyReconcilerWithNoIntentsTestSuite) SetupTest() {
s.IngressReconciler.InjectRecorder(recorder)
s.Require().NoError(err)

s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true)
s.podWatcher = pod_reconcilers.NewPodWatcher(s.Mgr.GetClient(), recorder, []string{}, true, true, *goset.NewSet[string]())
err = s.podWatcher.InitIntentsClientIndices(s.Mgr)
s.Require().NoError(err)

3 changes: 2 additions & 1 deletion src/operator/controllers/intents_reconcilers/istio_policy.go
Expand Up @@ -2,6 +2,7 @@ package intents_reconcilers

import (
"context"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/consts"
istiopolicy "github.com/otterize/intents-operator/src/operator/controllers/istiopolicy"
Expand Down Expand Up @@ -42,7 +43,7 @@ func NewIstioPolicyReconciler(
}

reconciler.policyManager = istiopolicy.NewPolicyManager(c, &reconciler.InjectableRecorder, restrictToNamespaces,
reconciler.enforcementDefaultState, reconciler.enableIstioPolicyCreation)
reconciler.enforcementDefaultState, reconciler.enableIstioPolicyCreation, *goset.NewSet[string]())

return reconciler
}
8 changes: 6 additions & 2 deletions src/operator/controllers/intents_reconcilers/kafka_acls.go
Expand Up @@ -2,6 +2,7 @@ package intents_reconcilers

import (
"context"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/consts"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/protected_services"
Expand Down Expand Up @@ -38,6 +39,7 @@ type KafkaACLReconciler struct {
operatorPodName string
operatorPodNamespace string
serviceResolver serviceidresolver.ServiceResolver
activeNamespaces goset.Set[string]
injectablerecorder.InjectableRecorder
}

Expand All @@ -51,6 +53,7 @@ func NewKafkaACLReconciler(
operatorPodName string,
operatorPodNamespace string,
serviceResolver serviceidresolver.ServiceResolver,
activeNamespaces goset.Set[string],
) *KafkaACLReconciler {
return &KafkaACLReconciler{
client: client,
Expand All @@ -62,6 +65,7 @@ func NewKafkaACLReconciler(
operatorPodName: operatorPodName,
operatorPodNamespace: operatorPodNamespace,
serviceResolver: serviceResolver,
activeNamespaces: activeNamespaces,
}
}

Expand All @@ -88,7 +92,7 @@ func (r *KafkaACLReconciler) applyACLs(ctx context.Context, intents *otterizev1a

if err := r.KafkaServersStore.MapErr(func(serverName types.NamespacedName, config *otterizev1alpha3.KafkaServerConfig, tls otterizev1alpha3.TLSSource) error {
intentsForServer := intentsByServer[serverName]
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState)
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState, r.activeNamespaces)
if err != nil {
return errors.Wrap(err)
}
Expand Down Expand Up @@ -130,7 +134,7 @@ func (r *KafkaACLReconciler) applyACLs(ctx context.Context, intents *otterizev1a

func (r *KafkaACLReconciler) RemoveACLs(ctx context.Context, intents *otterizev1alpha3.ClientIntents) error {
return r.KafkaServersStore.MapErr(func(serverName types.NamespacedName, config *otterizev1alpha3.KafkaServerConfig, tls otterizev1alpha3.TLSSource) error {
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState)
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.client, serverName.Name, serverName.Namespace, r.enforcementDefaultState, r.activeNamespaces)
if err != nil {
return errors.Wrap(err)
}
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"fmt"
"github.com/Shopify/sarama"
"github.com/amit7itz/goset"
"github.com/google/uuid"
otterizev1alpha2 "github.com/otterize/intents-operator/src/operator/api/v1alpha2"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
Expand Down Expand Up @@ -121,6 +122,7 @@ func (s *KafkaACLReconcilerTestSuite) initKafkaIntentsAdmin(enableAclCreation bo
operatorPodName,
s.operatorNamespace,
s.mockServiceResolver,
*goset.NewSet[string](),
)
s.recorder = record.NewFakeRecorder(100)
s.Reconciler.InjectRecorder(s.recorder)
Expand Up @@ -3,6 +3,7 @@ package builders
import (
"context"
"fmt"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/consts"
Expand Down Expand Up @@ -45,7 +46,9 @@ func (s *NetworkPolicyReconcilerTestSuite) testCreateNetworkPolicy(
formattedTargetServer string,
defaultEnforcementState bool,
protectedServices []otterizev1alpha3.ProtectedService,
enforcedNamespaces goset.Set[string],
) {
s.Reconciler.EnforcedNamespaces = enforcedNamespaces
s.Reconciler.EnforcementDefaultState = defaultEnforcementState
namespacedName := types.NamespacedName{
Namespace: testNamespace,
Expand Down Expand Up @@ -182,6 +185,27 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicy() {
formattedTargetServer,
true,
nil,
*goset.NewSet[string](),
)
s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
}

func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyActiveNamespace() {
clientIntentsName := "client-intents"
policyName := "test-server-access"
serviceName := "test-client"
serverNamespace := testNamespace
formattedTargetServer := "test-server-test-namespace-8ddecb"

s.testCreateNetworkPolicy(
clientIntentsName,
serverNamespace,
serviceName,
policyName,
formattedTargetServer,
false,
nil,
*goset.FromSlice([]string{serverNamespace}),
)
s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
}
Expand Down Expand Up @@ -211,6 +235,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyWithProtectedS
formattedTargetServer,
false,
protectedService,
*goset.NewSet[string](),
)
s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
}
Expand Down Expand Up @@ -251,6 +276,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestCreateNetworkPolicyWithProtectedS
formattedTargetServer,
false,
protectedServices,
*goset.NewSet[string](),
)
s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
}
Expand All @@ -270,6 +296,7 @@ func (s *NetworkPolicyReconcilerTestSuite) TestNetworkPolicyCreateCrossNamespace
formattedTargetServer,
true,
nil,
*goset.NewSet[string](),
)
s.ExpectEvent(consts.ReasonCreatedNetworkPolicies)
}
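Review bot: The new `TestCreateNetworkPolicyActiveNamespace` covers only the positive case (default state `false`, server namespace present in the set). A companion case with `defaultEnforcementState` false, no protected services and a set naming a different namespace would pin the boundary that matters for enforcement: a namespace outside the set must not get a policy. As far as the visible lines show, `testCreateNetworkPolicy` always expects creation, so that case probably needs its own helper or expectation; whether an existing test already covers it cannot be seen from these hunks.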
Expand Up @@ -2,6 +2,7 @@ package builders

import (
"context"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers"
mocks "github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/mocks"
Expand Down Expand Up @@ -50,6 +51,7 @@ func (s *RulesBuilderTestSuiteBase) SetupTest() {
s.scheme,
s.externalNetpolHandler,
restrictToNamespaces,
*goset.NewSet[string](),
true,
true,
nil,
Expand Up @@ -49,6 +49,7 @@ type Reconciler struct {
client.Client
Scheme *runtime.Scheme
RestrictToNamespaces []string
EnforcedNamespaces goset.Set[string]
EnableNetworkPolicyCreation bool
EnforcementDefaultState bool
injectablerecorder.InjectableRecorder
Expand All @@ -62,6 +63,7 @@ func NewReconciler(
s *runtime.Scheme,
externalNetpolHandler ExternalNetpolHandler,
restrictToNamespaces []string,
enforcedNamespaces goset.Set[string],
enableNetworkPolicyCreation bool,
enforcementDefaultState bool,
ingressBuilders []IngressRuleBuilder,
Expand All @@ -71,6 +73,7 @@ func NewReconciler(
Client: c,
Scheme: s,
RestrictToNamespaces: restrictToNamespaces,
EnforcedNamespaces: enforcedNamespaces,
EnableNetworkPolicyCreation: enableNetworkPolicyCreation,
EnforcementDefaultState: enforcementDefaultState,
egressRuleBuilders: egressBuilders,
Expand Down Expand Up @@ -216,7 +219,7 @@ func (r *Reconciler) buildIngressRules(ctx context.Context, ep effectivepolicy.S
if len(ep.CalledBy) == 0 || len(r.ingressRuleBuilders) == 0 {
return rules, false, nil
}
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.Client, ep.Service.Name, ep.Service.Namespace, r.EnforcementDefaultState)
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx, r.Client, ep.Service.Name, ep.Service.Namespace, r.EnforcementDefaultState, r.EnforcedNamespaces)
if err != nil {
return rules, false, errors.Wrap(err)
}
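Review bot: The same set is named `EnforcedNamespaces`/`enforcedNamespaces` in this file but `activeNamespaces` in the Kafka, Istio and pod-watcher code and in `IsServerEnforcementEnabledDueToProtectionOrDefaultState`; one name throughout would make it easier to audit which namespaces each reconciler treats as enforced. The exported field also has no comment; something like `// EnforcedNamespaces lists namespaces where enforcement is on even when EnforcementDefaultState is false.` would state its effect on policy creation. `buildIngressRules` starts and ends outside the hunk.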
Expand Up @@ -2,6 +2,7 @@ package protected_services

import (
"context"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/shared/errors"
"github.com/sirupsen/logrus"
Expand All @@ -10,13 +11,20 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

func IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx context.Context, kube client.Client, serverName string, serverNamespace string, enforcementDefaultState bool) (bool, error) {
func IsServerEnforcementEnabledDueToProtectionOrDefaultState(ctx context.Context, kube client.Client, serverName string, serverNamespace string, enforcementDefaultState bool, activeNamespaces goset.Set[string]) (bool, error) {
if enforcementDefaultState {
logrus.Debug("Enforcement is default on, so all services should be protected")
return true, nil
}
logrus.Debug("Protected services are enabled")

logrus.Debug("Protected services are enabled, checking if server is in protected list")
logrus.Debugf("checking if server's namespace is in acrive namespaces")
if activeNamespaces.Contains(serverNamespace) {
logrus.Debugf("Server %s in namespace %s is in active namespaces", serverName, serverNamespace)
return true, nil
}

logrus.Debugf("checking if server is in protected list")
var protectedServicesResources otterizev1alpha3.ProtectedServiceList
err := kube.List(ctx, &protectedServicesResources,
client.MatchingFields{otterizev1alpha3.OtterizeProtectedServiceNameIndexField: serverName},
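Review bot: The added debug line misspells "active" as "acrive", and the two new `logrus.Debugf` calls that take no format arguments should be `logrus.Debug`, e.g. `logrus.Debug("checking if server's namespace is in active namespaces")`. The function now returns true for a third reason that its name does not mention, so a doc comment listing the order of checks (default state, then active namespace, then the ProtectedService lookup) would help callers that rely on it for enforcement decisions. The rest of the function is outside the hunk.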
6 changes: 4 additions & 2 deletions src/operator/controllers/istiopolicy/policy_manager.go
Expand Up @@ -45,6 +45,7 @@ type PolicyManagerImpl struct {
client client.Client
recorder *injectablerecorder.InjectableRecorder
restrictToNamespaces []string
activeNamespaces goset.Set[string]
enforcementDefaultState bool
enableIstioPolicyCreation bool
}
Expand All @@ -56,13 +57,14 @@ type PolicyManager interface {
UpdateServerSidecar(ctx context.Context, clientIntents *v1alpha3.ClientIntents, serverName string, missingSideCar bool) error
}

func NewPolicyManager(client client.Client, recorder *injectablerecorder.InjectableRecorder, restrictedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool) *PolicyManagerImpl {
func NewPolicyManager(client client.Client, recorder *injectablerecorder.InjectableRecorder, restrictedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool, activeNamespaces goset.Set[string]) *PolicyManagerImpl {
return &PolicyManagerImpl{
client: client,
recorder: recorder,
restrictToNamespaces: restrictedNamespaces,
enforcementDefaultState: enforcementDefaultState,
enableIstioPolicyCreation: istioEnforcementEnabled,
activeNamespaces: activeNamespaces,
}
}

Expand Down Expand Up @@ -321,7 +323,7 @@ func (c *PolicyManagerImpl) createOrUpdatePolicies(
continue
}
shouldCreatePolicy, err := protected_services.IsServerEnforcementEnabledDueToProtectionOrDefaultState(
ctx, c.client, intent.GetTargetServerName(), intent.GetTargetServerNamespace(clientIntents.Namespace), c.enforcementDefaultState)
ctx, c.client, intent.GetTargetServerName(), intent.GetTargetServerNamespace(clientIntents.Namespace), c.enforcementDefaultState, c.activeNamespaces)
if err != nil {
return nil, errors.Wrap(err)
}
3 changes: 2 additions & 1 deletion src/operator/controllers/istiopolicy/policy_manager_test.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"encoding/json"
"fmt"
"github.com/amit7itz/goset"
"github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/intents_reconcilers/consts"
"github.com/otterize/intents-operator/src/shared/injectablerecorder"
Expand All @@ -27,7 +28,7 @@ type PolicyManagerTestSuite struct {

func (s *PolicyManagerTestSuite) SetupTest() {
s.MocksSuiteBase.SetupTest()
s.admin = NewPolicyManager(s.Client, &injectablerecorder.InjectableRecorder{Recorder: s.Recorder}, []string{}, true, true)
s.admin = NewPolicyManager(s.Client, &injectablerecorder.InjectableRecorder{Recorder: s.Recorder}, []string{}, true, true, *goset.NewSet[string]())
}

func (s *PolicyManagerTestSuite) TearDownTest() {
5 changes: 3 additions & 2 deletions src/operator/controllers/pod_reconcilers/pods.go
Expand Up @@ -3,6 +3,7 @@ package pod_reconcilers
import (
"context"
"fmt"
"github.com/amit7itz/goset"
otterizev1alpha3 "github.com/otterize/intents-operator/src/operator/api/v1alpha3"
"github.com/otterize/intents-operator/src/operator/controllers/istiopolicy"
"github.com/otterize/intents-operator/src/prometheus"
Expand Down Expand Up @@ -38,9 +39,9 @@ type PodWatcher struct {
injectablerecorder.InjectableRecorder
}

func NewPodWatcher(c client.Client, eventRecorder record.EventRecorder, watchedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool) *PodWatcher {
func NewPodWatcher(c client.Client, eventRecorder record.EventRecorder, watchedNamespaces []string, enforcementDefaultState bool, istioEnforcementEnabled bool, activeNamespaces goset.Set[string]) *PodWatcher {
recorder := injectablerecorder.InjectableRecorder{Recorder: eventRecorder}
creator := istiopolicy.NewPolicyManager(c, &recorder, watchedNamespaces, enforcementDefaultState, istioEnforcementEnabled)
creator := istiopolicy.NewPolicyManager(c, &recorder, watchedNamespaces, enforcementDefaultState, istioEnforcementEnabled, activeNamespaces)
return &PodWatcher{
Client: c,
serviceIdResolver: serviceidresolver.NewResolver(c),