From a872430ee218297cd976095ae4a322266f8e1d43 Mon Sep 17 00:00:00 2001
From: Dyanngg
Date: Thu, 1 Dec 2022 11:42:24 -0800
Subject: [PATCH] Add addressgroup peer for in-cluster stretched networkpolicy enforcement
Signed-off-by: Dyanngg
---
 pkg/apis/controlplane/types.go | 2 +-
 pkg/controller/networkpolicy/crd_utils.go | 5 +++--
 pkg/controller/networkpolicy/crd_utils_test.go | 3 +++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go
index 05dbdcf5fa5..2ec299ed687 100644
--- a/pkg/apis/controlplane/types.go
+++ b/pkg/apis/controlplane/types.go
@@ -323,7 +323,7 @@ type HTTPProtocol struct {
 }
 // NetworkPolicyPeer describes a peer of NetworkPolicyRules.
-// It could be a list of names of AddressGroups and/or a list of IPBlock.
+// It could contain one of the subfields or a combination of them.
 type NetworkPolicyPeer struct {
 // A list of names of AddressGroups.
 AddressGroups []string
diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
index f7d1da08250..0319ffc9675 100644
--- a/pkg/controller/networkpolicy/crd_utils.go
+++ b/pkg/controller/networkpolicy/crd_utils.go
@@ -189,12 +189,13 @@ func (n *NetworkPolicyController) toAntreaPeerForCRD(peers []v1alpha1.NetworkPol
 } else if peer.NodeSelector != nil {
 addressGroup := n.createAddressGroup("", nil, nil, nil, peer.NodeSelector)
 addressGroups = append(addressGroups, addressGroup)
- } else if peer.Scope == v1alpha1.ScopeClusterSet {
- clusterSetScopeSelectors = append(clusterSetScopeSelectors, antreatypes.NewGroupSelector(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, nil, nil))
 } else {
 addressGroup := n.createAddressGroup(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, peer.ExternalEntitySelector, nil)
 addressGroups = append(addressGroups, addressGroup)
 }
+ if peer.Scope == v1alpha1.ScopeClusterSet {
+ clusterSetScopeSelectors = append(clusterSetScopeSelectors, antreatypes.NewGroupSelector(np.GetNamespace(), peer.PodSelector, peer.NamespaceSelector, nil, nil))
+ }
 }
 var labelIdentities []uint32
 if n.multiclusterEnabled {
diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go
index bb592728cc3..efd9c42616a 100644
--- a/pkg/controller/networkpolicy/crd_utils_test.go
+++ b/pkg/controller/networkpolicy/crd_utils_test.go
@@ -455,6 +455,9 @@ func TestToAntreaPeerForCRD(t *testing.T) {
 },
 outPeer: controlplane.NetworkPolicyPeer{
 LabelIdentities: []uint32{1},
+ AddressGroups: []string{
+ getNormalizedUID(antreatypes.NewGroupSelector("", &selectorA, nil, nil, nil).NormalizedName),
+ },
 },
 direction: controlplane.DirectionIn,
 clusterSetScope: true,
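Review bot: The relocated `if peer.Scope == v1alpha1.ScopeClusterSet` in the crd_utils.go hunk now sits after the whole if/else-if chain, so it also runs for peers that took the `peer.NodeSelector != nil` branch (and any branch above this hunk), where it appends a selector built from a nil `PodSelector` and `NamespaceSelector`. Before this change the ClusterSet case was reachable only when none of the earlier branches matched. Unless validation that is not visible here rejects `Scope` set to `ScopeClusterSet` on those peer types, the rule may pick up label identities the policy author did not ask for; moving the block inside the final `else`, directly after `addressGroups = append(addressGroups, addressGroup)`, keeps the old reachability. A table case in TestToAntreaPeerForCRD with a node-selector peer and `clusterSetScope: true` would pin whichever behaviour is intended. The body of toAntreaPeerForCRD starts and ends outside the hunk.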