Merge branch 'equivalence-based-queries-optmized' into containment-ba…

…sed-queries-optmized
IBM · Jun 27, 2023 · af4c84f · af4c84f
2 parents ac38097 + 6e632b5
commit af4c84f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/nca/NetworkConfig/NetworkConfig.py b/nca/NetworkConfig/NetworkConfig.py
@@ -288,8 +288,12 @@ def allowed_connections_optimized(self, layer_name=None):
             ConnectivityProperties.make_conn_props_from_dict({"dst_peers": host_eps})
         if host_eps and NetworkLayerName.K8s_Calico not in self.policies_container.layers:
             # maintain K8s_Calico layer as active if peer container has hostEndpoint
-            conns_res = self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container,
-                                                                                                 NetworkLayerName.K8s_Calico)
+            conns_res = \
+                self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container,
+                                                                                         NetworkLayerName.K8s_Calico)
+            conns_res.allowed_conns &= conn_hep
+            conns_res.denied_conns &= conn_hep
+            conns_res.pass_conns &= conn_hep
         else:
             conns_res = OptimizedPolicyConnections()
             conns_res.all_allowed_conns = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container)

diff --git a/nca/Resources/NetworkPolicy.py b/nca/Resources/NetworkPolicy.py
@@ -54,7 +54,10 @@ def __init__(self, name, namespace):
         self.ingress_rules = []
         self.egress_rules = []
 
-        # optimized connectivity properties
+        # The flag below is used for lazy calculation of optimized policy connections (as a union of rules connections)
+        # The flag is set to False for new policies (including in redundancy query, when removing a rule from policy by
+        # creating a new policy with a subset of rules), or after changing peers domains (per query).
+        # When this flag is False, the sync_opt_props function will (re)calculate optimized policy connections.
         self.optimized_props_in_sync = False
         self._init_opt_props()
 
@@ -67,6 +70,9 @@ def __init__(self, name, namespace):
         # if this flag is False, excluding ipv6 addresses from the query results will be enabled
 
     def _init_opt_props(self):
+        """
+        The members below are used for lazy evaluation of policy connectivity properties.
+        """
         self.optimized_allow_ingress_props = ConnectivityProperties.make_empty_props()
         self.optimized_deny_ingress_props = ConnectivityProperties.make_empty_props()
         self.optimized_pass_ingress_props = ConnectivityProperties.make_empty_props()