kumahq · Automaat · Jan 28, 2025 · Jan 16, 2025 · Jan 16, 2025 · Jan 20, 2025
@@ -184,6 +184,15 @@ func dppSelectedByPolicy(
 			return inbounds, gwListeners, gateway, nil
 		}
 		return []core_rules.InboundListener{}, nil, false, nil
+	case common_api.Dataplane:
+		if gateway != nil {
+			return []core_rules.InboundListener{}, nil, false, nil
+		}
+		if allDataplanesSelected(ref) || isSelectedByResourceIdentifier(dpp, ref, meta) || isSelectedByLabels(dpp, ref) {
+			inbounds := inboundsSelectedBySectionName(ref.SectionName, dpp)
+			return inbounds, nil, false, nil
+		}
+		return []core_rules.InboundListener{}, nil, false, nil
 	case common_api.MeshSubset:
 		if isSupportedProxyType(ref.ProxyTypes, resolveDataplaneProxyType(dpp)) {
 			inbounds, gwListeners, gateway := inboundsSelectedByTags(ref.Tags, dpp, gateway)
@@ -221,6 +230,48 @@ func dppSelectedByPolicy(
 	}
 }
 
+func allDataplanesSelected(ref common_api.TargetRef) bool {
+	return ref.Name == "" && ref.Namespace == "" && ref.Labels == nil
+}
+
+func inboundsSelectedBySectionName(sectionName string, dpp *core_mesh.DataplaneResource) []core_rules.InboundListener {
+	var selectedInbounds []core_rules.InboundListener
+	for _, inbound := range dpp.Spec.GetNetworking().Inbound {
+		if inbound.State == mesh_proto.Dataplane_Networking_Inbound_Ignored {
+			continue
+		}
+		if sectionName == "" || inbound.Name == sectionName {
+			intf := dpp.Spec.GetNetworking().ToInboundInterface(inbound)
+			selectedInbounds = append(selectedInbounds, core_rules.InboundListener{
+				Address: intf.DataplaneIP,
+				Port:    intf.DataplanePort,
+			})
+		}
+	}
+	return selectedInbounds
+}
+
+// TODO this is common functionality with selecting MeshService by labels, we should refactor this and extract to some common function
+func isSelectedByLabels(dpp *core_mesh.DataplaneResource, ref common_api.TargetRef) bool {
+	if ref.Labels == nil {
+		return false
+	}
+
+	for label, value := range ref.Labels {
+		if dpp.GetMeta().GetLabels()[label] != value {
+			return false
+		}
+	}
+	return true
+}
+
+func isSelectedByResourceIdentifier(dpp *core_mesh.DataplaneResource, ref common_api.TargetRef, meta core_model.ResourceMeta) bool {
+	if ref.Name == "" {
+		return false
+	}
+	return core_model.NewResourceIdentifier(dpp) == core_model.TargetRefToResourceIdentifier(meta, ref)
+}
+
 func dppSelectedByNamespace(meta core_model.ResourceMeta, dpp *core_mesh.DataplaneResource) bool {
 	switch core_model.PolicyRole(meta) {
 	case mesh_proto.ConsumerPolicyRole, mesh_proto.WorkloadOwnerPolicyRole:

@@ -1,6 +1,7 @@
 package matchers_test
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -18,10 +19,12 @@ import (
 	"github.com/kumahq/kuma/pkg/plugins/policies/meshhttproute/api/v1alpha1"
 	meshtrafficpermission_api "github.com/kumahq/kuma/pkg/plugins/policies/meshtrafficpermission/api/v1alpha1"
 	test_matchers "github.com/kumahq/kuma/pkg/test/matchers"
+	test_resources "github.com/kumahq/kuma/pkg/test/resources"
 )
 
 var _ = Describe("MatchedPolicies", func() {
 	type testCase struct {
+		testName     string
 		dppFile      string
 		mesFile      string
 		policiesFile string
@@ -37,25 +40,29 @@ var _ = Describe("MatchedPolicies", func() {
 		testCaseMap := map[string]*testCase{}
 		for _, f := range files {
 			parts := strings.Split(f.Name(), ".")
+			if len(parts) < 2 {
+				continue
+			}
 			// file name has a format 01.golden.yaml
-			num, fileType := parts[0], parts[1]
-			if _, ok := testCaseMap[num]; !ok {
-				testCaseMap[num] = &testCase{}
+			name, fileType := parts[0], parts[1]
+			if _, ok := testCaseMap[name]; !ok {
+				testCaseMap[name] = &testCase{}
+				testCaseMap[name].testName = name
 			}
 			switch fileType {
 			case "dataplane":
-				testCaseMap[num].dppFile = filepath.Join(testDir, f.Name())
+				testCaseMap[name].dppFile = filepath.Join(testDir, f.Name())
 			case "policies":
-				testCaseMap[num].policiesFile = filepath.Join(testDir, f.Name())
+				testCaseMap[name].policiesFile = filepath.Join(testDir, f.Name())
 			case "golden":
-				testCaseMap[num].goldenFile = filepath.Join(testDir, f.Name())
+				testCaseMap[name].goldenFile = filepath.Join(testDir, f.Name())
 			case "mes":
-				testCaseMap[num].mesFile = filepath.Join(testDir, f.Name())
+				testCaseMap[name].mesFile = filepath.Join(testDir, f.Name())
 			}
 		}
 
 		for _, tc := range testCaseMap {
-			res = append(res, Entry(tc.goldenFile, *tc))
+			res = append(res, Entry(tc.testName, *tc))
 		}
 		return res
 	}
@@ -71,15 +78,7 @@ var _ = Describe("MatchedPolicies", func() {
 			// we're expecting all policies in the file to have the same type or to be mixed with MeshHTTPRoutes
 			Expect(resTypes).To(Or(HaveLen(1), HaveLen(2)))
 
-			var resType core_model.ResourceType
-			switch {
-			case len(resTypes) == 1:
-				resType = resTypes[0]
-			case len(resTypes) == 2 && resTypes[1] == v1alpha1.MeshHTTPRouteType:
-				resType = resTypes[0]
-			case len(resTypes) == 2 && resTypes[0] == v1alpha1.MeshHTTPRouteType:
-				resType = resTypes[1]
-			}
+			resType := getResourceType(resTypes)
 
 			// when
 			policies, err := matchers.MatchedPolicies(resType, dpp, resources)
@@ -206,4 +205,100 @@ var _ = Describe("MatchedPolicies", func() {
 		},
 		generateTableEntries(filepath.Join("testdata", "matchedpolicies", "meshgateways")),
 	)
+
+	type dataplaneTestCase struct {
+		dataplaneMeta test_resources.BuildMeta
+		policyMeta    test_resources.BuildMeta
+		goldenFile    string
+	}
+	DescribeTableSubtree("should match by kind Dataplane", func(givenResources testCase) {
+		DescribeTable("should TODO", func(given dataplaneTestCase) {
+			// given
+			dpp := readDPP(givenResources.dppFile)
+			test_resources.UpdateResourceMeta(given.dataplaneMeta, dpp)
+
+			resources, resTypes := readPolicies(givenResources.policiesFile)
+
+			resType := getResourceType(resTypes)
+			test_resources.UpdateResourcesMeta(given.policyMeta, resources.MeshLocalResources[resType])
+
+			// when
+			policies, err := matchers.MatchedPolicies(resType, dpp, resources)
+			Expect(err).ToNot(HaveOccurred())
+
+			// then
+			matchedPolicyList, err := registry.Global().NewList(resType)
+			Expect(err).ToNot(HaveOccurred())
+
+			for _, policy := range policies.DataplanePolicies {
+				Expect(matchedPolicyList.AddItem(policy)).To(Succeed())
+			}
+			bytes, err := yaml.Marshal(rest.From.ResourceList(matchedPolicyList))
+			Expect(err).ToNot(HaveOccurred())
+			Expect(string(bytes)).To(test_matchers.MatchGoldenYAML(given.goldenFile))
+		},
+			Entry("uni zone", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneUni,
+				policyMeta:    test_resources.ZoneUni,
+				goldenFile:    buildGoldenFilePath("uni-zone", givenResources.testName),
+			}),
+			Entry("k8s zone", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneK8s,
+				policyMeta:    test_resources.ZoneK8s,
+				goldenFile:    buildGoldenFilePath("k8s-zone", givenResources.testName),
+			}),
+			Entry("policy global uni, dpp uni", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneUni,
+				policyMeta:    test_resources.SystemPolicy(test_resources.GlobalUni),
+				goldenFile:    buildGoldenFilePath("policy-from-global-uni-zone-uni", givenResources.testName),
+			}),
+			Entry("policy global uni, dpp k8s", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneK8s,
+				policyMeta:    test_resources.SystemPolicy(test_resources.GlobalUni),
+				goldenFile:    buildGoldenFilePath("policy-from-global-uni-zone-k8s", givenResources.testName),
+			}),
+			Entry("policy global k8s, dpp uni", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneUni,
+				policyMeta:    test_resources.SystemPolicy(test_resources.GlobalK8s),
+				goldenFile:    buildGoldenFilePath("policy-from-global-k8s-zone-uni", givenResources.testName),
+			}),
+			Entry("policy global k8s, dpp k8s", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneK8s,
+				policyMeta:    test_resources.SystemPolicy(test_resources.GlobalK8s),
+				goldenFile:    buildGoldenFilePath("policy-from-global-k8s-zone-k8s", givenResources.testName),
+			}),
+			Entry("policy global k8s, dpp uni", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneUni,
+				policyMeta:    test_resources.SystemPolicy(test_resources.GlobalUni),
+				goldenFile:    buildGoldenFilePath("policy-global-uni-dpp-k8s", givenResources.testName),
+			}),
+			Entry("policy synced from other k8s zone", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneUni,
+				policyMeta:    test_resources.ProducerPolicy(test_resources.SyncToUni(test_resources.ZoneK8s)),
+				goldenFile:    buildGoldenFilePath("policy-form-k8s-to-uni", givenResources.testName),
+			}),
+			Entry("policy synced from other k8s zone to k8s", dataplaneTestCase{
+				dataplaneMeta: test_resources.ZoneK8s,
+				policyMeta:    test_resources.ProducerPolicy(test_resources.SyncToK8s(test_resources.ZoneK8s)),
+				goldenFile:    buildGoldenFilePath("policy-form-k8s-to-k8s", givenResources.testName),
+			}),
+		)
+	}, generateTableEntries(filepath.Join("testdata", "matchedpolicies", "dataplane-kind")))
 })
+
+func getResourceType(resTypes []core_model.ResourceType) core_model.ResourceType {
+	var resType core_model.ResourceType
+	switch {
+	case len(resTypes) == 1:
+		resType = resTypes[0]
+	case len(resTypes) == 2 && resTypes[1] == v1alpha1.MeshHTTPRouteType:
+		resType = resTypes[0]
+	case len(resTypes) == 2 && resTypes[0] == v1alpha1.MeshHTTPRouteType:
+		resType = resTypes[1]
+	}
+	return resType
+}
+
+func buildGoldenFilePath(caseName, testName string) string {
+	return filepath.Join("testdata", "matchedpolicies", "dataplane-kind", testName, fmt.Sprintf("%s.golden.yaml", caseName))
+}
@@ -0,0 +1,16 @@
+type: Dataplane
+mesh: mesh-1
+name: dp-1
+labels:
+  app: demo
+networking:
+  address: 1.1.1.1
+  inbound:
+    - port: 8080
+      tags:
+        kuma.io/service: web
+        version: v1
+    - port: 8081
+      tags:
+        kuma.io/service: web
+        version: v3
@@ -0,0 +1,27 @@
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-1
+spec:
+  targetRef:
+    kind: Dataplane
+    labels:
+      app: demo
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Deny
+---
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-2
+spec:
+  targetRef:
+    kind: Dataplane
+    labels:
+      app: test
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Allow
@@ -0,0 +1,24 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  labels:
+    k8s.kuma.io/namespace: ns-k8s
+    kuma.io/display-name: mtp-1
+    kuma.io/mesh: mesh-1
+    kuma.io/origin: zone
+    kuma.io/zone: zone-k8s
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1.ns-k8s
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      labels:
+        app: demo
+  type: MeshTrafficPermission
+next: null
+total: 0
diff --git a/...stdata/matchedpolicies/dataplane-kind/select-by-labels/policy-form-k8s-to-k8s.golden.yaml b/...stdata/matchedpolicies/dataplane-kind/select-by-labels/policy-form-k8s-to-k8s.golden.yaml
@@ -0,0 +1,25 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  labels:
+    k8s.kuma.io/namespace: ns-k8s
+    kuma.io/display-name: mtp-1
+    kuma.io/mesh: mesh-1
+    kuma.io/origin: zone
+    kuma.io/policy-role: producer
+    kuma.io/zone: zone-k8s
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1-dz68xw22zdcf2ffv.kuma-system
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      labels:
+        app: demo
+  type: MeshTrafficPermission
+next: null
+total: 0
diff --git a/...stdata/matchedpolicies/dataplane-kind/select-by-labels/policy-form-k8s-to-uni.golden.yaml b/...stdata/matchedpolicies/dataplane-kind/select-by-labels/policy-form-k8s-to-uni.golden.yaml
@@ -0,0 +1,25 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  labels:
+    k8s.kuma.io/namespace: ns-k8s
+    kuma.io/display-name: mtp-1
+    kuma.io/mesh: mesh-1
+    kuma.io/origin: zone
+    kuma.io/policy-role: producer
+    kuma.io/zone: zone-k8s
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1-dz68xw22zdcf2ffv
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      labels:
+        app: demo
+  type: MeshTrafficPermission
+next: null
+total: 0
diff --git a/...tchedpolicies/dataplane-kind/select-by-labels/policy-from-global-k8s-zone-k8s.golden.yaml b/...tchedpolicies/dataplane-kind/select-by-labels/policy-from-global-k8s-zone-k8s.golden.yaml
@@ -0,0 +1,24 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  labels:
+    k8s.kuma.io/namespace: kuma-system
+    kuma.io/display-name: mtp-1
+    kuma.io/mesh: mesh-1
+    kuma.io/origin: global
+    kuma.io/policy-role: system
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1.ns-k8s
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      labels:
+        app: demo
+  type: MeshTrafficPermission
+next: null
+total: 0