From e3e0d16842bfb259defc0c9cecaea5592326f798 Mon Sep 17 00:00:00 2001
From: Qiyue Yao
Date: Fri, 8 Dec 2023 16:17:58 -0800
Subject: [PATCH] Fix endpoint querier rule index

The current endpoint querier rule index shows the index of the rule among all matched rules in the policy for this endpoint, which is not super useful for the users. This change updates the rule index to show the rule index among all rules in the policy.

Fixes #5782

Signed-off-by: Qiyue Yao
---
 .../networkpolicy/endpoint_querier.go | 13 +++--
 .../networkpolicy/endpoint_querier_test.go | 56 +++++++++++++++++++
 2 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/pkg/controller/networkpolicy/endpoint_querier.go b/pkg/controller/networkpolicy/endpoint_querier.go
index b8b39c46fa8..18f2a04b63b 100644
--- a/pkg/controller/networkpolicy/endpoint_querier.go
+++ b/pkg/controller/networkpolicy/endpoint_querier.go
@@ -20,6 +20,7 @@ package networkpolicy
 import (
 "k8s.io/apimachinery/pkg/types"
+ "antrea.io/antrea/pkg/apis/controlplane"
 cpv1beta "antrea.io/antrea/pkg/apis/controlplane/v1beta2"
 "antrea.io/antrea/pkg/controller/networkpolicy/store"
 antreatypes "antrea.io/antrea/pkg/controller/types"
@@ -127,13 +128,11 @@ func (eq *endpointQuerier) QueryNetworkPolicies(namespace string, podName string
 return nil, err
 }
 for _, policy := range policies {
- egressIndex := 0
- ingressIndex := 0
+ egressIndex, ingressIndex := 0, 0
 for _, rule := range policy.(*antreatypes.NetworkPolicy).Rules {
 for _, addressGroupTrial := range rule.To.AddressGroups {
 if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) {
 egress = append(egress, &ruleTemp{policy: policy.(*antreatypes.NetworkPolicy), index: egressIndex})
- egressIndex++
 // an AddressGroup can only be referenced in a rule once
 break
 }
@@ -141,11 +140,17 @@ func (eq *endpointQuerier) QueryNetworkPolicies(namespace string, podName string
 for _, addressGroupTrial := range rule.From.AddressGroups {
 if addressGroupTrial == string(addressGroup.(*antreatypes.AddressGroup).UID) {
 ingress = append(ingress, &ruleTemp{policy: policy.(*antreatypes.NetworkPolicy), index: ingressIndex})
- ingressIndex++
 // an AddressGroup can only be referenced in a rule once
 break
 }
 }
+ // ingressIndex/egressIndex indicates the rule index among this policy's ingress/egress rules
+ // Antrea Native NP rules priorities are set as index, but KNP rules have the same default rule priorities
+ if rule.Direction == controlplane.DirectionIn {
+ ingressIndex++
+ } else {
+ egressIndex++
+ }
 }
 }
 }
diff --git a/pkg/controller/networkpolicy/endpoint_querier_test.go b/pkg/controller/networkpolicy/endpoint_querier_test.go
index 4f41120813d..0cd4beb7dec 100644
--- a/pkg/controller/networkpolicy/endpoint_querier_test.go
+++ b/pkg/controller/networkpolicy/endpoint_querier_test.go
@@ -118,6 +118,7 @@ var policies = []*networkingv1.NetworkPolicy{
 },
 },
 PolicyTypes: []networkingv1.PolicyType{
+ networkingv1.PolicyTypeIngress,
 networkingv1.PolicyTypeEgress,
 },
 },
@@ -137,6 +138,40 @@ var policies = []*networkingv1.NetworkPolicy{
 },
 },
 },
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-multiple-ingress",
+ Namespace: "testNamespace",
+ UID: types.UID("uid-3"),
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"foo": "bar"},
+ },
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"foo": "baz"},
+ MatchExpressions: nil,
+ },
+ },
+ },
+ },
+ {
+ From: []networkingv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"foo": "bar"},
+ MatchExpressions: nil,
+ },
+ },
+ },
+ },
+ },
+ },
 }
 var namespaces = []*corev1.Namespace{
@@ -184,6 +219,7 @@ func makeControllerAndEndpointQuerier(objects ...runtime.Object) *endpointQuerie
 func TestEndpointQuery(t *testing.T) {
 policyRef0 := PolicyRef{policies[0].Namespace, policies[0].Name, policies[0].UID}
 policyRef1 := PolicyRef{policies[1].Namespace, policies[1].Name, policies[1].UID}
+ policyRef2 := PolicyRef{policies[2].Namespace, policies[2].Name, policies[2].UID}
 testCases := []struct {
 name string
@@ -251,6 +287,26 @@ func TestEndpointQuery(t *testing.T) {
 },
 },
 },
+ {
+ "MultipleRule", // Pod is selected by policy with multiple rules
+ []runtime.Object{namespaces[0], pods[0], policies[2]},
+ "testNamespace",
+ "podA",
+ &EndpointQueryResponse{
+ []Endpoint{
+ {
+ Namespace: "testNamespace",
+ Name: "podA",
+ Policies: []Policy{
+ {policyRef2},
+ },
+ Rules: []Rule{
+ {policyRef2, v1beta2.DirectionIn, 1},
+ },
+ },
+ },
+ },
+ },
 }
 for _, tc := range testCases {
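Review bot: The `else` branch of the new direction check treats every rule that is not `DirectionIn` as egress, so a rule with an unset or unexpected `Direction` would silently advance `egressIndex` and shift the index reported for every later egress rule of that policy; `} else if rule.Direction == controlplane.DirectionOut {` (or a `switch rule.Direction`) makes the two-value assumption explicit and leaves anything else visibly uncounted. The two explanatory comments added before the `if` describe the counters themselves, so they read better next to `egressIndex, ingressIndex := 0, 0` in the previous hunk, e.g. `// per-direction position of the rule within this policy; rule.Priority cannot be used because KNP rules all share the default priority`. The `break` in this hunk and the one in the previous hunk now only leave the inner address-group loop while the counter advances below for matched and unmatched rules alike, which is the intended change; a short `// first match is enough, the direction counter advances after the loops` next to each `break` would stop a reader from assuming the rule is skipped. The enclosing QueryNetworkPolicies starts before the previous hunk and continues outside this one.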
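Review bot: Adding `networkingv1.PolicyTypeIngress` changes a fixture that the existing test cases already use rather than adding a new one, and the hunks shown here do not update any earlier expectation to go with it. If that policy has ingress rules that were previously ignored because only `PolicyTypeEgress` was declared, the Rules and Policies expected by the existing cases for this policy may now differ; a one-line comment on the fixture, such as `// both policy types, so ingress and egress rules are both counted by the querier`, would record why the change was needed. The `policies` literal starts before this hunk, so which fixture this is cannot be confirmed from here.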
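Review bot: The new `"MultipleRule"` case pins only an ingress index (`{policyRef2, v1beta2.DirectionIn, 1}`), so the reworked egress counter is covered only by whatever the earlier cases already assert. A fixture with both ingress and egress rules, where the pod matches the second rule of each direction, would pin that the two counters advance independently, expecting `{ref, v1beta2.DirectionIn, 1}` together with `{ref, v1beta2.DirectionOut, 1}` rather than a combined position. The case also relies on `policy.Rules` preserving the spec order of the ingress rules, which the querier assumes but the test does not state; extending the case comment to `// Pod is selected by the second of two ingress rules; index follows spec order` would document that. TestEndpointQuery continues past the hunk.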