consider ANP/BANP in policy deconstructor (#9994)

mazdakn · web-flow · commit 121f96a850a0 · 2025-03-18T13:30:35.000-07:00
diff --git a/felix/calc/endpoint_lookup_cache.go b/felix/calc/endpoint_lookup_cache.go
@@ -31,6 +31,7 @@ import (
 	v3 "github.com/projectcalico/calico/libcalico-go/lib/apis/v3"
 	"github.com/projectcalico/calico/libcalico-go/lib/backend/api"
 	"github.com/projectcalico/calico/libcalico-go/lib/backend/model"
+	"github.com/projectcalico/calico/libcalico-go/lib/names"
 	"github.com/projectcalico/calico/libcalico-go/lib/set"
 )
 
@@ -232,7 +233,7 @@ func (ec *EndpointLookupsCache) CreateEndpointData(key model.EndpointKey, ep mod
 		tdEgress := &TierData{}
 		var hasIngress, hasEgress bool
 		for _, pol := range ti.OrderedPolicies {
-			namespace, tier, name, err := deconstructPolicyName(pol.Key.Name)
+			namespace, tier, name, err := names.DeconstructPolicyName(pol.Key.Name)
 			if err != nil {
 				log.WithError(err).Error("Unable to parse policy name")
 				continue
diff --git a/felix/calc/policy_lookup_cache.go b/felix/calc/policy_lookup_cache.go
@@ -164,7 +164,7 @@ func (pc *PolicyLookupsCache) updatePolicyRulesNFLOGPrefixes(key model.PolicyKey
 	}
 	pc.tierRefs[key.Tier] = count + 1
 
-	namespace, tier, name, err := deconstructPolicyName(key.Name)
+	namespace, tier, name, err := names.DeconstructPolicyName(key.Name)
 	if err != nil {
 		log.WithError(err).Error("Unable to parse policy name")
 		return
@@ -567,61 +567,6 @@ func (r *RuleID) GetFlowLogPolicyName() string {
 	return r.fpName
 }
 
-// deconstructPolicyName deconstructs the v1 policy name that is constructed by the SyncerUpdateProcessors in
-// libcalico-go and extracts the v3 fields: namespace, tier, name.
-//
-// The v1 policy name is of the format:
-// -  <namespace>/<tier>.<name> for a namespaced NetworkPolicies
-// -  <tier>.<name> for GlobalNetworkPolicies.
-// -  <namespace>/knp.default.<name> for a k8s NetworkPolicies
-// and for the staged counterparts, respectively:
-// -  <namespace>/staged:<tier>.<name>
-// -  staged:<tier>.<name>
-// -  <namespace>/staged:knp.default.<name>
-//
-// The namespace is returned blank for GlobalNetworkPolicies.
-// For k8s network policies, the tier is always "default" and the name will be returned including the
-// knp.default prefix.
-//
-// Staged policies will have the simplified name prefixed with "staged:", eg:
-// - <namespace>/staged:<tier>.<name>      => Name=staged:<name>, Namespace=<namespace>, Tier=<tier>
-// - staged:<tier>.<name>                  => Name=staged:<name>, Namespace=<namespace>, Tier=<tier>
-// - <namespace>/staged:knp.default.<name> => Name=staged:knp.default.<name>, Namespace=<name>, Tier=default
-func deconstructPolicyName(name string) (string, string, string, error) {
-	var namespace string
-
-	// Split the name to extract the namespace.
-	parts := strings.Split(name, "/")
-	switch len(parts) {
-	case 1: // GlobalNetworkPolicy
-		name = parts[0]
-	case 2: // NetworkPolicy (Calico or Kubernetes)
-		namespace = parts[0]
-		name = parts[1]
-	default:
-		return "", "", "", fmt.Errorf("could not parse policy %s", name)
-	}
-
-	// Remove the staged prefix if present so we can extract the tier.
-	var stagedPrefix string
-	if model.PolicyIsStaged(name) {
-		stagedPrefix = model.PolicyNamePrefixStaged
-		name = name[len(model.PolicyNamePrefixStaged):]
-	}
-
-	// If the policy name starts with "knp.default" then this is a kubernetes network policy.
-	if strings.HasPrefix(name, "knp.default.") {
-		return namespace, "default", stagedPrefix + name, nil
-	}
-
-	// This is a non-kubernetes policy, so extract the tier name from the policy name.
-	if parts = strings.SplitN(name, ".", 2); len(parts) == 2 {
-		return namespace, parts[0], stagedPrefix + parts[1], nil
-	}
-
-	return "", "", "", fmt.Errorf("could not parse policy %s", name)
-}
-
 // Dump returns the contents of important structures in the LookupManager used for
 // logging purposes in the test code. This should not be used in any mainline code.
 func (pc *PolicyLookupsCache) Dump() string {
diff --git a/felix/calc/policy_lookups_cache_test.go b/felix/calc/policy_lookups_cache_test.go
@@ -102,6 +102,46 @@ var (
 	prefix_knp1_t1_i0D = toprefix("DPI0|namespace-1/knp.default.policy-1.1.1.1")
 	ruleID_knp1_t1_i0D = NewRuleID("default", "knp.default.policy-1.1.1.1", "namespace-1", 0, rules.RuleDirIngress, rules.RuleActionDeny)
 
+	// K8s AdminNetworkPolicy kanp.adminnetworkpolicy.policy-1.1
+	kanp1_t1_1i0e_key = model.PolicyKey{
+		Tier: "adminnetworkpolicy",
+		Name: "kanp.adminnetworkpolicy.policy-1.1.1.1",
+	}
+	kanp1_t1_1i0e = &model.Policy{
+		InboundRules: []model.Rule{
+			{Action: "deny"},
+		},
+	}
+	prefix_kanp1_t1_i0D = toprefix("DPI0|kanp.adminnetworkpolicy.policy-1.1.1.1")
+	ruleID_kanp1_t1_i0D = NewRuleID(
+		"adminnetworkpolicy",
+		"kanp.adminnetworkpolicy.policy-1.1.1.1",
+		"",
+		0,
+		rules.RuleDirIngress,
+		rules.RuleActionDeny,
+	)
+
+	// K8s BaselineAdminNetworkPolicy kbanp.baselineadminnetworkpolicy.policy-1.1
+	kbanp1_t1_1i0e_key = model.PolicyKey{
+		Tier: "baselineadminnetworkpolicy",
+		Name: "kbanp.baselineadminnetworkpolicy.policy-1.1.1.1",
+	}
+	kbanp1_t1_1i0e = &model.Policy{
+		InboundRules: []model.Rule{
+			{Action: "deny"},
+		},
+	}
+	prefix_kbanp1_t1_i0D = toprefix("DPI0|kbanp.baselineadminnetworkpolicy.policy-1.1.1.1")
+	ruleID_kbanp1_t1_i0D = NewRuleID(
+		"baselineadminnetworkpolicy",
+		"kbanp.baselineadminnetworkpolicy.policy-1.1.1.1",
+		"",
+		0,
+		rules.RuleDirIngress,
+		rules.RuleActionDeny,
+	)
+
 	// Profile profile-1
 	pr1_1i1e_key = model.ProfileRulesKey{
 		ProfileKey: model.ProfileKey{Name: "profile-1"},
@@ -120,14 +160,22 @@ var (
 	ruleID_prof_e0D = NewRuleID("", "profile-1", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
 
 	// Tier no-matches
-	prefix_nomatch_t1_i = toprefix("DPI|tier-1")
-	ruleID_nomatch_t1_i = NewRuleID("tier-1", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
-	prefix_nomatch_t1_e = toprefix("DPE|tier-1")
-	ruleID_nomatch_t1_e = NewRuleID("tier-1", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
-	prefix_nomatch_td_i = toprefix("DPI|default")
-	ruleID_nomatch_td_i = NewRuleID("default", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
-	prefix_nomatch_td_e = toprefix("DPE|default")
-	ruleID_nomatch_td_e = NewRuleID("default", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
+	prefix_nomatch_t1_i    = toprefix("DPI|tier-1")
+	ruleID_nomatch_t1_i    = NewRuleID("tier-1", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
+	prefix_nomatch_t1_e    = toprefix("DPE|tier-1")
+	ruleID_nomatch_t1_e    = NewRuleID("tier-1", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
+	prefix_nomatch_td_i    = toprefix("DPI|default")
+	ruleID_nomatch_td_i    = NewRuleID("default", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
+	prefix_nomatch_td_e    = toprefix("DPE|default")
+	ruleID_nomatch_td_e    = NewRuleID("default", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
+	prefix_nomatch_tanp_i  = toprefix("DPI|adminnetworkpolicy")
+	ruleID_nomatch_tanp_i  = NewRuleID("adminnetworkpolicy", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
+	prefix_nomatch_tanp_e  = toprefix("DPE|adminnetworkpolicy")
+	ruleID_nomatch_tanp_e  = NewRuleID("adminnetworkpolicy", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
+	prefix_nomatch_tbanp_i = toprefix("DPI|baselineadminnetworkpolicy")
+	ruleID_nomatch_tbanp_i = NewRuleID("baselineadminnetworkpolicy", "", "", 0, rules.RuleDirIngress, rules.RuleActionDeny)
+	prefix_nomatch_tbanp_e = toprefix("DPE|baselineadminnetworkpolicy")
+	ruleID_nomatch_tbanp_e = NewRuleID("baselineadminnetworkpolicy", "", "", 0, rules.RuleDirEgress, rules.RuleActionDeny)
 
 	// Profile no-matches
 	prefix_nomatch_prof_i = toprefix("DRI")
@@ -181,6 +229,12 @@ var _ = Describe("PolicyLookupsCache tests", func() {
 		Entry("KNP1 (1i0e) no match default ingress", knp1_t1_1i0e_key, knp1_t1_1i0e, prefix_nomatch_td_i, ruleID_nomatch_td_i),
 		Entry("KNP1 (1i0e) no match default egress", knp1_t1_1i0e_key, knp1_t1_1i0e, prefix_nomatch_td_e, ruleID_nomatch_td_e),
 		Entry("KNP1 (1i0e) i0", knp1_t1_1i0e_key, knp1_t1_1i0e, prefix_knp1_t1_i0D, ruleID_knp1_t1_i0D),
+		Entry("KANP1 (1i0e) no match default ingress", kanp1_t1_1i0e_key, kanp1_t1_1i0e, prefix_nomatch_tanp_i, ruleID_nomatch_tanp_i),
+		Entry("KANP1 (1i0e) no match default egress", kanp1_t1_1i0e_key, kanp1_t1_1i0e, prefix_nomatch_tanp_e, ruleID_nomatch_tanp_e),
+		Entry("KANP1 (1i0e) i0", kanp1_t1_1i0e_key, kanp1_t1_1i0e, prefix_kanp1_t1_i0D, ruleID_kanp1_t1_i0D),
+		Entry("KBANP1 (1i0e) no match default ingress", kbanp1_t1_1i0e_key, kbanp1_t1_1i0e, prefix_nomatch_tbanp_i, ruleID_nomatch_tbanp_i),
+		Entry("KBANP1 (1i0e) no match default egress", kbanp1_t1_1i0e_key, kbanp1_t1_1i0e, prefix_nomatch_tbanp_e, ruleID_nomatch_tbanp_e),
+		Entry("KBANP1 (1i0e) i0", kbanp1_t1_1i0e_key, kbanp1_t1_1i0e, prefix_kbanp1_t1_i0D, ruleID_kbanp1_t1_i0D),
 	)
 
 	DescribeTable(
diff --git a/libcalico-go/lib/names/policy.go b/libcalico-go/lib/names/policy.go
@@ -18,6 +18,8 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+
+	"github.com/projectcalico/calico/libcalico-go/lib/backend/model"
 )
 
 const (
@@ -155,3 +157,68 @@ func TierOrDefault(tier string) string {
 		return tier
 	}
 }
+
+// deconstructPolicyName deconstructs the v1 policy name that is constructed by the SyncerUpdateProcessors in
+// libcalico-go and extracts the v3 fields: namespace, tier, name.
+//
+// The v1 policy name is of the format:
+// -  <namespace>/<tier>.<name> for a namespaced NetworkPolicies
+// -  <tier>.<name> for GlobalNetworkPolicies.
+// -  <namespace>/knp.default.<name> for a k8s NetworkPolicies
+// -  kanp.adminnetworkpolicy.<name> for a k8s AdminNetworkPolicies
+// -  kbanp.baselineadminnetworkpolicy.<name> for a k8s BaselineAdminNetworkPolicies
+// and for the staged counterparts, respectively:
+// -  <namespace>/staged:<tier>.<name>
+// -  staged:<tier>.<name>
+// -  <namespace>/staged:knp.default.<name>
+//
+// The namespace is returned blank for GlobalNetworkPolicies.
+// For k8s network policies, the tier is always "default" and the name will be returned including the
+// knp.default prefix.
+//
+// Staged policies will have the simplified name prefixed with "staged:", eg:
+// - <namespace>/staged:<tier>.<name>      => Name=staged:<name>, Namespace=<namespace>, Tier=<tier>
+// - staged:<tier>.<name>                  => Name=staged:<name>, Namespace=<namespace>, Tier=<tier>
+// - <namespace>/staged:knp.default.<name> => Name=staged:knp.default.<name>, Namespace=<name>, Tier=default
+func DeconstructPolicyName(name string) (string, string, string, error) {
+	var namespace string
+
+	// Split the name to extract the namespace.
+	parts := strings.Split(name, "/")
+	switch len(parts) {
+	case 1: // GlobalNetworkPolicy
+		name = parts[0]
+	case 2: // NetworkPolicy (Calico or Kubernetes)
+		namespace = parts[0]
+		name = parts[1]
+	default:
+		return "", "", "", fmt.Errorf("could not parse policy %s", name)
+	}
+
+	// Remove the staged prefix if present so we can extract the tier.
+	var stagedPrefix string
+	if model.PolicyIsStaged(name) {
+		stagedPrefix = model.PolicyNamePrefixStaged
+		name = name[len(model.PolicyNamePrefixStaged):]
+	}
+
+	// If policy name starts with "knp.default" then this is k8s network policy.
+	if strings.HasPrefix(name, K8sNetworkPolicyNamePrefix) {
+		return namespace, DefaultTierName, stagedPrefix + name, nil
+	}
+	// If policy name starts with "kanp.adminnetworkpolicy" then this is k8s admin network policy.
+	if strings.HasPrefix(name, K8sAdminNetworkPolicyNamePrefix) {
+		return namespace, AdminNetworkPolicyTierName, stagedPrefix + name, nil
+	}
+	// If policy name starts with "kbanp.baselineadminnetworkpolicy" then this is k8s baseline admin network policy.
+	if strings.HasPrefix(name, K8sBaselineAdminNetworkPolicyNamePrefix) {
+		return namespace, BaselineAdminNetworkPolicyTierName, stagedPrefix + name, nil
+	}
+
+	// This is a non-kubernetes policy, so extract the tier name from the policy name.
+	if parts = strings.SplitN(name, ".", 2); len(parts) == 2 {
+		return namespace, parts[0], stagedPrefix + parts[1], nil
+	}
+
+	return "", "", "", fmt.Errorf("could not parse policy %s", name)
+}
diff --git a/libcalico-go/lib/upgrade/migrator/migrate.go b/libcalico-go/lib/upgrade/migrator/migrate.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2018 Tigera, Inc. All rights reserved.
+// Copyright (c) 2017-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ import (
 	"github.com/projectcalico/calico/libcalico-go/lib/backend/model"
 	"github.com/projectcalico/calico/libcalico-go/lib/clientv3"
 	cerrors "github.com/projectcalico/calico/libcalico-go/lib/errors"
+	"github.com/projectcalico/calico/libcalico-go/lib/names"
 	"github.com/projectcalico/calico/libcalico-go/lib/options"
 	"github.com/projectcalico/calico/libcalico-go/lib/upgrade/converters"
 	"github.com/projectcalico/calico/libcalico-go/lib/upgrade/migrator/clients"
@@ -372,7 +373,7 @@ var noFilter = func(_ model.Key) bool { return false }
 // Filter to filter out K8s backed network policies
 var filterGNP = func(k model.Key) bool {
 	gk := k.(model.PolicyKey)
-	return strings.HasPrefix(gk.Name, "knp.default.")
+	return strings.HasPrefix(gk.Name, names.K8sNetworkPolicyNamePrefix)
 }
 
 // Filter to filter out K8s (namespace) and OpenStack backed profiles
