policyengine/PolicyDispatcher: allow to delete unprivileged policy

Signed-off-by: Kfir Toledo <[email protected]>
clusterlink-net · Mar 31, 2024 · 453881e · 453881e
1 parent 146f19d
commit 453881e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/pkg/controlplane/authz/controllers.go b/pkg/controlplane/authz/controllers.go
@@ -34,8 +34,8 @@ func CreateControllers(mgr *Manager, controllerManager ctrl.Manager, crdMode boo
 				return mgr.addAccessPolicy(object.(*v1alpha1.AccessPolicy))
 			},
 			DeleteHandler: func(ctx context.Context, name types.NamespacedName) error {
-				mgr.deleteAccessPolicy(name)
-				return nil
+				return mgr.deleteAccessPolicy(name)
+
 			},
 		})
 		if err != nil {

diff --git a/pkg/controlplane/authz/manager.go b/pkg/controlplane/authz/manager.go
@@ -26,6 +26,7 @@ import (
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/clusterlink-net/clusterlink/pkg/api"
@@ -216,8 +217,22 @@ func (m *Manager) addPod(pod *v1.Pod) {
 	}
 }
 
-func (m *Manager) deleteAccessPolicy(_ types.NamespacedName) {
-	// TODO: call policy decider
+func (m *Manager) deleteAccessPolicy(name types.NamespacedName) error {
+	accessPolicy := v1alpha1.AccessPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name.Name,
+			Namespace: name.Namespace,
+		}}
+
+	policyData, err := json.Marshal(accessPolicy)
+	if err != nil {
+		return err
+	}
+
+	return m.policyDecider.DeleteAccessPolicy(&api.Policy{
+		Name: accessPolicy.Name,
+		Spec: api.PolicySpec{Blob: policyData},
+	})
 }
 
 func (m *Manager) addAccessPolicy(accessPolicy *v1alpha1.AccessPolicy) error {