Ensure Pod SG is updated on podSelector of NP spec update

When the podSelector of a Network Policy Spec is updated from '{}'
to any other value, the pods that are not supposed to be enforced
by the policy anymore do not have their Security Group updated
to the default one. This commit fixes the issue by also taking into
account the possible value of '{}' in the podSelector NP spec.

Change-Id: I35519acfdf8ef250880e36bcf789c063ba86b31e
Closes-Bug: 1826548

kuryr_kubernetes/controller/drivers/network_policy.py

@@ -53,7 +53,7 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
         if self.get_kuryrnetpolicy_crd(policy):
             previous_selector = (
                 self.update_security_group_rules_from_network_policy(policy))
-            if previous_selector:
+            if previous_selector or previous_selector == {}:
                 return self.affected_pods(policy, previous_selector)
             if previous_selector is None:
                 return self.namespaced_pods(policy)
@@ -642,7 +642,7 @@ class NetworkPolicyDriver(base.NetworkPolicyDriver):
                       netpolicy_crd_name)
 
     def affected_pods(self, policy, selector=None):
-        if selector:
+        if selector or selector == {}:
             pod_selector = selector
         else:
             pod_selector = policy['spec'].get('podSelector')

kuryr_kubernetes/tests/unit/controller/drivers/test_network_policy.py

@@ -195,6 +195,34 @@ class TestNetworkPolicyDriver(test_base.TestCase):
         m_affected.assert_not_called()
         m_namespaced.assert_called_once_with(self._policy)
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver, 'affected_pods')
+    @mock.patch.object(network_policy.NetworkPolicyDriver, 'namespaced_pods')
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       'get_kuryrnetpolicy_crd')
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       'create_security_group_rules_from_network_policy')
+    @mock.patch.object(network_policy.NetworkPolicyDriver,
+                       'update_security_group_rules_from_network_policy')
+    def test_ensure_network_policy_with_existing_crd_empty_selector(
+            self, m_update, m_create, m_get_crd, m_namespaced, m_affected):
+        previous_selector = {}
+        pod_selector = {'matchLabels': {'run': 'demo'}}
+        updated_policy = self._policy.copy()
+        updated_policy['spec']['podSelector'] = pod_selector
+        crd_with_empty_selector = self._crd.copy()
+        crd_with_empty_selector['spec']['podSelector'] = previous_selector
+
+        m_get_crd.return_value = crd_with_empty_selector
+        m_update.return_value = previous_selector
+
+        self._driver.ensure_network_policy(updated_policy, self._project_id)
+
+        m_get_crd.assert_called_once_with(updated_policy)
+        m_create.assert_not_called()
+        m_update.assert_called_once_with(updated_policy)
+        m_affected.assert_called_with(self._policy, previous_selector)
+        m_namespaced.assert_not_called()
+
     @mock.patch.object(network_policy.NetworkPolicyDriver,
                        '_add_default_np_rules')
     @mock.patch.object(network_policy.NetworkPolicyDriver,
@@ -465,6 +493,13 @@ class TestNetworkPolicyDriver(test_base.TestCase):
         self._driver.affected_pods(self._policy, selector)
         m_namespaced.assert_not_called()
 
+    @mock.patch.object(network_policy.NetworkPolicyDriver, 'namespaced_pods')
+    def test_affected_pods_with_empty_podselector(self, m_namespaced):
+        m_namespaced.return_value = []
+        pod_selector = {}
+        self._driver.affected_pods(self._policy, pod_selector)
+        m_namespaced.assert_called_with(self._policy)
+
     def test_namespaced_pods(self):
         self.kubernetes.get.return_value = {'items': []}