diff --git a/pkg/apis/extensions/validation/validation.go b/pkg/apis/extensions/validation/validation.go index d6762d6d346..0dd521a0c17 100644 --- a/pkg/apis/extensions/validation/validation.go +++ b/pkg/apis/extensions/validation/validation.go @@ -828,26 +828,25 @@ func ValidateNetworkPolicySpec(spec *extensions.NetworkPolicySpec, fldPath *fiel allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(&spec.PodSelector, fldPath.Child("podSelector"))...) // Validate ingress rules. - for _, i := range spec.Ingress { + for i, ingress := range spec.Ingress { + ingressPath := fldPath.Child("ingress").Index(i) // TODO: Update From to be a pointer to slice as soon as auto-generation supports it. - for _, f := range i.From { + for i, from := range ingress.From { + fromPath := ingressPath.Child("from").Index(i) numFroms := 0 - if f.PodSelector != nil { + if from.PodSelector != nil { numFroms++ - allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(f.PodSelector, fldPath.Child("podSelector"))...) + allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(from.PodSelector, fromPath.Child("podSelector"))...) } - if f.NamespaceSelector != nil { - if numFroms > 0 { - allErrs = append(allErrs, field.Forbidden(fldPath, "may not specify more than 1 from type")) - } else { - numFroms++ - allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(f.NamespaceSelector, fldPath.Child("namespaces"))...) - } + if from.NamespaceSelector != nil { + numFroms++ + allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(from.NamespaceSelector, fromPath.Child("namespaceSelector"))...) } if numFroms == 0 { - // At least one of PodSelector and NamespaceSelector must be defined. - allErrs = append(allErrs, field.Required(fldPath, "must specify a from type")) + allErrs = append(allErrs, field.Required(fromPath, "must specify a from type")) + } else if numFroms > 1 { + allErrs = append(allErrs, field.Forbidden(fromPath, "may not specify more than 1 from type")) } } }