diff --git a/pkg/render/common/networkpolicy/networkpolicy.go b/pkg/render/common/networkpolicy/networkpolicy.go
index 95e81bc079..d472a82afe 100644
--- a/pkg/render/common/networkpolicy/networkpolicy.go
+++ b/pkg/render/common/networkpolicy/networkpolicy.go
@@ -196,9 +196,10 @@ func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy {
 
 // Entity rules not belonging to Calico/Tigera components.
 var KubeAPIServerEntityRule = v3.EntityRule{
-	NamespaceSelector: "projectcalico.org/name == 'default'",
-	Selector: "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-	Ports: Ports(443, 6443, 12388),
+	Services: &v3.ServiceMatch{
+		Name: "kubernetes",
+		Namespace: "default",
+	},
 }
 
 var KubeAPIServerServiceSelectorEntityRule = v3.EntityRule{
diff --git a/pkg/render/testutils/expected_policies/apiserver.json b/pkg/render/testutils/expected_policies/apiserver.json
index 4531eec4ef..dd03185804 100644
--- a/pkg/render/testutils/expected_policies/apiserver.json
+++ b/pkg/render/testutils/expected_policies/apiserver.json
@@ -65,13 +65,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/apiserver_ocp.json b/pkg/render/testutils/expected_policies/apiserver_ocp.json
index e13e159c9e..193e2ddc13 100644
--- a/pkg/render/testutils/expected_policies/apiserver_ocp.json
+++ b/pkg/render/testutils/expected_policies/apiserver_ocp.json
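Review bot: Switching KubeAPIServerEntityRule from the endpoint selector plus `Ports(443, 6443, 12388)` to a `Services` match silently drops the explicit TCP port allowlist; the permitted ports become whatever the `default/kubernetes` Service advertises, and, if I recall Calico's validation correctly, `Ports` cannot be combined with `Services` in the same EntityRule, so the narrowing cannot simply be added back. If 12388 or 6443 is a platform-specific API-server port that the Service does not declare, clusters relying on it lose API-server egress rather than gaining tighter policy, so this deserves a check against the Service definition on each supported platform rather than only against the regenerated fixtures. The rule also now depends on a Service object with exactly that name and namespace existing at evaluation time instead of on endpoint labels, which is worth recording in the comment above the var, e.g. `// Matches the default/kubernetes Service; the former explicit port list is gone because a Services match and Ports are mutually exclusive, so the allowed ports are those declared by the Service.` KubeAPIServerServiceSelectorEntityRule begins on the hunk's last line and its body lies outside the hunk, so whether the two rules now overlap or one is redundant cannot be judged here.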
@@ -76,13 +76,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/dex.json b/pkg/render/testutils/expected_policies/dex.json
index f51f652e35..ddb51fa3ba 100644
--- a/pkg/render/testutils/expected_policies/dex.json
+++ b/pkg/render/testutils/expected_policies/dex.json
@@ -109,13 +109,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/dex_ocp.json b/pkg/render/testutils/expected_policies/dex_ocp.json
index e1ede5dcdb..b3ea35b5b1 100644
--- a/pkg/render/testutils/expected_policies/dex_ocp.json
+++ b/pkg/render/testutils/expected_policies/dex_ocp.json
@@ -120,13 +120,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/elastic-operator.json b/pkg/render/testutils/expected_policies/elastic-operator.json
index 4424b48706..c332fc1531 100644
--- a/pkg/render/testutils/expected_policies/elastic-operator.json
+++ b/pkg/render/testutils/expected_policies/elastic-operator.json
@@ -28,13 +28,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/elastic-operator_ocp.json b/pkg/render/testutils/expected_policies/elastic-operator_ocp.json
index eb77738818..6b8ff193fe 100644
--- a/pkg/render/testutils/expected_policies/elastic-operator_ocp.json
+++ b/pkg/render/testutils/expected_policies/elastic-operator_ocp.json
@@ -39,13 +39,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/guardian.json b/pkg/render/testutils/expected_policies/guardian.json
index d7f957f41b..31acf2f599 100644
--- a/pkg/render/testutils/expected_policies/guardian.json
+++ b/pkg/render/testutils/expected_policies/guardian.json
@@ -142,13 +142,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/guardian_ocp.json b/pkg/render/testutils/expected_policies/guardian_ocp.json
index 9568d38df1..a8e525c033 100644
--- a/pkg/render/testutils/expected_policies/guardian_ocp.json
+++ b/pkg/render/testutils/expected_policies/guardian_ocp.json
@@ -153,13 +153,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
index ee6e0829b6..92d05c1d9f 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed.json
@@ -63,13 +63,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed_ocp.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed_ocp.json
index d1884f92e3..d17a759d6e 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed_ocp.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_managed_ocp.json
@@ -74,13 +74,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
index 36879541f3..e7ab9e3ff6 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management.json
@@ -74,13 +74,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management_ocp.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management_ocp.json
index 4ca56fdd44..ee65e8d953 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_management_ocp.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_management_ocp.json
@@ -85,13 +85,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
index 948033afcd..29485f69f9 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json
@@ -63,13 +63,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone_ocp.json b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone_ocp.json
index 0e09b44f7e..a286dcc305 100644
--- a/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone_ocp.json
+++ b/pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone_ocp.json
@@ -74,13 +74,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/packetcapture.json b/pkg/render/testutils/expected_policies/packetcapture.json
index eec7007b31..d1bcf84061 100644
--- a/pkg/render/testutils/expected_policies/packetcapture.json
+++ b/pkg/render/testutils/expected_policies/packetcapture.json
@@ -33,13 +33,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed.json b/pkg/render/testutils/expected_policies/packetcapture_managed.json
index fd9332bd1b..ecd255ecf1 100644
--- a/pkg/render/testutils/expected_policies/packetcapture_managed.json
+++ b/pkg/render/testutils/expected_policies/packetcapture_managed.json
@@ -33,13 +33,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/packetcapture_managed_ocp.json b/pkg/render/testutils/expected_policies/packetcapture_managed_ocp.json
index a30b608dc8..1b902ca48e 100644
--- a/pkg/render/testutils/expected_policies/packetcapture_managed_ocp.json
+++ b/pkg/render/testutils/expected_policies/packetcapture_managed_ocp.json
@@ -33,13 +33,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/packetcapture_ocp.json b/pkg/render/testutils/expected_policies/packetcapture_ocp.json
index 4a0b6e8321..4dba6e65d7 100644
--- a/pkg/render/testutils/expected_policies/packetcapture_ocp.json
+++ b/pkg/render/testutils/expected_policies/packetcapture_ocp.json
@@ -33,13 +33,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/prometheus-operator.json b/pkg/render/testutils/expected_policies/prometheus-operator.json
index 087fd8e77d..b87fe77533 100644
--- a/pkg/render/testutils/expected_policies/prometheus-operator.json
+++ b/pkg/render/testutils/expected_policies/prometheus-operator.json
@@ -28,13 +28,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       }
     ]
diff --git a/pkg/render/testutils/expected_policies/prometheus-operator_ocp.json b/pkg/render/testutils/expected_policies/prometheus-operator_ocp.json
index efd168e3b2..1867cac28b 100644
--- a/pkg/render/testutils/expected_policies/prometheus-operator_ocp.json
+++ b/pkg/render/testutils/expected_policies/prometheus-operator_ocp.json
@@ -39,13 +39,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       }
     ]
diff --git a/pkg/render/testutils/expected_policies/prometheus.json b/pkg/render/testutils/expected_policies/prometheus.json
index bd43027309..133bc06225 100644
--- a/pkg/render/testutils/expected_policies/prometheus.json
+++ b/pkg/render/testutils/expected_policies/prometheus.json
@@ -40,13 +40,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {
diff --git a/pkg/render/testutils/expected_policies/prometheus_ocp.json b/pkg/render/testutils/expected_policies/prometheus_ocp.json
index a64946fd9a..0a0d16bd75 100644
--- a/pkg/render/testutils/expected_policies/prometheus_ocp.json
+++ b/pkg/render/testutils/expected_policies/prometheus_ocp.json
@@ -51,13 +51,10 @@
         "action": "Allow",
         "protocol": "TCP",
         "destination": {
-          "namespaceSelector": "projectcalico.org/name == 'default'",
-          "selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
-          "ports": [
-            443,
-            6443,
-            12388
-          ]
+          "services": {
+            "name": "kubernetes",
+            "namespace": "default"
+          }
         }
       },
       {