From 453881e4ef8cf9247c1fba90f283263818497a8f Mon Sep 17 00:00:00 2001
From: Kfir Toledo
Date: Sun, 31 Mar 2024 18:22:35 +0300
Subject: [PATCH] policyengine/PolicyDispatcher: allow to delete unprivileged policy
Signed-off-by: Kfir Toledo
---
 pkg/controlplane/authz/controllers.go | 4 ++--
 pkg/controlplane/authz/manager.go | 19 +++++++++++++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/pkg/controlplane/authz/controllers.go b/pkg/controlplane/authz/controllers.go
index 5c84c65e0..0db9c05e4 100644
--- a/pkg/controlplane/authz/controllers.go
+++ b/pkg/controlplane/authz/controllers.go
@@ -34,8 +34,8 @@ func CreateControllers(mgr *Manager, controllerManager ctrl.Manager, crdMode boo
 return mgr.addAccessPolicy(object.(*v1alpha1.AccessPolicy))
 },
 DeleteHandler: func(ctx context.Context, name types.NamespacedName) error {
- mgr.deleteAccessPolicy(name)
- return nil
+ return mgr.deleteAccessPolicy(name)
+
 },
 })
 if err != nil {
diff --git a/pkg/controlplane/authz/manager.go b/pkg/controlplane/authz/manager.go
index 67945ae5a..56108f0bb 100644
--- a/pkg/controlplane/authz/manager.go
+++ b/pkg/controlplane/authz/manager.go
@@ -26,6 +26,7 @@ import (
 "github.com/sirupsen/logrus"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/meta"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "github.com/clusterlink-net/clusterlink/pkg/api"
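Review bot: The DeleteHandler now surfaces whatever policyDecider.DeleteAccessPolicy returns, so a delete for a policy the decider never stored (for instance one whose add had been rejected) will propagate an error from the handler; if the controller retries failed handlers, such a delete is retried instead of being treated as already gone, so it is worth confirming that the decider reports an unknown policy as success or that the handler maps that case to nil. Separately, the new side appears to leave an empty line between `return mgr.deleteAccessPolicy(name)` and the closing `},` of the closure; drop it so the closure body is the single statement `return mgr.deleteAccessPolicy(name)`. CreateControllers starts and ends outside the hunk.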
@@ -216,8 +217,22 @@ func (m *Manager) addPod(pod *v1.Pod) {
 }
 }
-func (m *Manager) deleteAccessPolicy(_ types.NamespacedName) {
- // TODO: call policy decider
+func (m *Manager) deleteAccessPolicy(name types.NamespacedName) error {
+ accessPolicy := v1alpha1.AccessPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: name.Name,
+ Namespace: name.Namespace,
+ }}
+ policyData, err := json.Marshal(accessPolicy)
+ if err != nil {
+ return err
+ }
+ return m.policyDecider.DeleteAccessPolicy(&api.Policy{
+ Name: accessPolicy.Name,
+ Spec: api.PolicySpec{Blob: policyData},
+ })
 }
 func (m *Manager) addAccessPolicy(accessPolicy *v1alpha1.AccessPolicy) error {
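Review bot: The api.Policy handed to DeleteAccessPolicy identifies the policy only by `Name: accessPolicy.Name`, with the namespace present solely inside the marshaled blob, so if the decider keys stored policies by Name alone, same-named policies from different namespaces are indistinguishable on delete and the wrong rule could be removed or the intended one left in force; confirm that addAccessPolicy (whose body starts after the hunk) builds its api.Policy the same way so that add and delete address the same entry. The marshaled object also carries a zero-valued Spec, so the decider cannot rely on any Spec field when locating the policy to remove. The json.Marshal failure is returned bare; wrapping it as `return fmt.Errorf("marshaling access policy %s/%s: %w", name.Namespace, name.Name, err)` (assuming fmt is already imported in this file) tells the caller which policy failed. A one-line doc comment would help: `// deleteAccessPolicy removes the access policy identified by name from the policy decider.`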