SecurityPolicy: per-mode service instances for T1/VPC mixed-mode

Replace the single SecurityPolicyService singleton with a per-mode map
keyed by VPCMode (bool). Each SecurityPolicyReconciler now carries an
isVPCMode field that determines which CRD it watches and which service
instance it uses. In mixed-mode clusters, two independent reconcilers
are registered — one for T1 namespaces, one for VPC namespaces.

Author: heypnus

cmd/main.go

@@ -250,7 +250,12 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 	}
 
 	// Add controllers which can run in non-VPC mode
-	reconcilerList = append(reconcilerList, securitypolicycontroller.NewSecurityPolicyReconciler(mgr, commonService, vpcService))
+	if config.HasT1Namespaces() {
+		reconcilerList = append(reconcilerList, securitypolicycontroller.NewSecurityPolicyReconciler(mgr, commonService, vpcService, false))
+	}
+	if config.HasVPCNamespaces() {
+		reconcilerList = append(reconcilerList, securitypolicycontroller.NewSecurityPolicyReconciler(mgr, commonService, vpcService, true))
+	}
 
 	// Add the NSXServiceAccount controller.
 	if cf.EnableAntreaNSXInterworking {

pkg/clean/clean.go

@@ -130,7 +130,7 @@ func InitializeCleanupService(cf *config.NSXOperatorConfig, nsxClient *nsx.Clien
 	}
 	wrapInitializeSecurityPolicy := func(service common.Service) cleanupFunc {
 		return func() (interface{}, error) {
-			return securitypolicy.InitializeSecurityPolicy(service, vpcService, true)
+			return securitypolicy.InitializeSecurityPolicy(service, vpcService, true, true)
 		}
 	}
 	wrapInitializeVPC := func(service common.Service) cleanupFunc {

pkg/controllers/common/namespace_filter.go

@@ -67,3 +67,51 @@ func VPCNamespacePredicate(c client.Reader) predicate.Funcs {
 		},
 	}
 }
+
+// isT1NamespaceByName fetches the Namespace by name and returns true if the namespace
+// is NOT a VPC namespace (i.e. it is a T1/legacy namespace).
+// Returns true when the namespace cannot be fetched (transient error or already
+// gone) so the Reconcile loop can decide what to do.
+func isT1NamespaceByName(c client.Reader, ns string) bool {
+	namespace := &corev1.Namespace{}
+	if err := c.Get(context.Background(), types.NamespacedName{Name: ns}, namespace); err != nil {
+		if !apierrors.IsNotFound(err) {
+			log.Error(err, "Failed to get Namespace for T1 predicate; allowing event through", "namespace", ns)
+		}
+		return true
+	}
+	return !config.IsVPCNamespace(namespace)
+}
+
+// T1NamespacePredicate returns a predicate that filters events for T1-only
+// controllers. Events are passed when the resource's namespace is NOT a VPC namespace.
+// Behaviour by event type:
+//   - Create / Update / Generic: allowed only for T1 namespaces.
+//   - Delete: always allowed so the controller can clean up any existing NSX
+//     resources even if the namespace is already gone.
+//
+// The namespace check is skipped for cluster-scoped resources (empty namespace),
+// which are always allowed through.
+func T1NamespacePredicate(c client.Reader) predicate.Funcs {
+	isT1Ns := func(ns string) bool {
+		if ns == "" {
+			return true
+		}
+		return isT1NamespaceByName(c, ns)
+	}
+
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return isT1Ns(e.Object.GetNamespace())
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return isT1Ns(e.ObjectNew.GetNamespace())
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return true
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			return isT1Ns(e.Object.GetNamespace())
+		},
+	}
+}

pkg/controllers/networkpolicy/networkpolicy_controller.go

@@ -309,7 +309,7 @@ func NewNetworkPolicyReconciler(mgr ctrl.Manager, commonService servicecommon.Se
 		Scheme:   mgr.GetScheme(),
 		Recorder: mgr.GetEventRecorderFor("networkpolicy-controller"),
 	}
-	networkPolicyReconcile.Service = securitypolicy.GetSecurityService(commonService, vpcService)
+	networkPolicyReconcile.Service = securitypolicy.GetSecurityService(commonService, vpcService, true)
 	networkPolicyReconcile.StatusUpdater = common.NewStatusUpdater(networkPolicyReconcile.Client, networkPolicyReconcile.Service.NSXConfig, networkPolicyReconcile.Recorder, MetricResType, "NetworkPolicy", "NetworkPolicy")
 	return networkPolicyReconcile
 }

pkg/controllers/networkpolicy/networkpolicy_controller_test.go

@@ -111,6 +111,7 @@ func fakeService() *securitypolicy.SecurityPolicyService {
 				},
 			},
 		},
+		VPCMode: true,
 	}
 	return service
 }
@@ -559,7 +560,7 @@ func TestStartNetworkPolicyController(t *testing.T) {
 				patches.ApplyFunc(os.Exit, func(code int) {
 					assert.FailNow(t, "os.Exit should not be called")
 				})
-				patches.ApplyFunc(securitypolicy.GetSecurityService, func(service common.Service, vpcService common.VPCServiceProvider) *securitypolicy.SecurityPolicyService {
+				patches.ApplyFunc(securitypolicy.GetSecurityService, func(service common.Service, vpcService common.VPCServiceProvider, vpcMode bool) *securitypolicy.SecurityPolicyService {
 					return fakeService()
 				})
 				patches.ApplyMethod(reflect.TypeOf(&NetworkPolicyReconciler{}), "Start", func(_ *NetworkPolicyReconciler, r ctrl.Manager) error {
@@ -574,7 +575,7 @@ func TestStartNetworkPolicyController(t *testing.T) {
 			patches: func() *gomonkey.Patches {
 				patches := gomonkey.ApplyFunc(ctrcommon.GenericGarbageCollector, func(cancel chan bool, timeout time.Duration, f func(ctx context.Context) error) {
 				})
-				patches.ApplyFunc(securitypolicy.GetSecurityService, func(service common.Service, vpcService common.VPCServiceProvider) *securitypolicy.SecurityPolicyService {
+				patches.ApplyFunc(securitypolicy.GetSecurityService, func(service common.Service, vpcService common.VPCServiceProvider, vpcMode bool) *securitypolicy.SecurityPolicyService {
 					return fakeService()
 				})
 				patches.ApplyPrivateMethod(reflect.TypeOf(&NetworkPolicyReconciler{}), "setupWithManager", func(_ *NetworkPolicyReconciler, mgr ctrl.Manager) error {

pkg/controllers/networkpolicy/pod_handler.go

@@ -14,7 +14,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/securitypolicy"
 	"github.com/vmware-tanzu/nsx-operator/pkg/util"
 )
 
@@ -59,7 +58,7 @@ func (e *EnqueueRequestForPod) Raw(evt interface{}, q workqueue.TypedRateLimitin
 	}
 
 	pod := obj.(*v1.Pod)
-	vpcMode := securitypolicy.IsVPCEnabled(e.NetworkPolicyReconciler.Service)
+	vpcMode := e.NetworkPolicyReconciler.Service.VPCMode
 	if isInSysNs, err := util.IsSystemNamespace(e.Client, pod.Namespace, nil, vpcMode); err != nil {
 		log.Error(err, "Failed to fetch namespace", "namespace", pod.Namespace)
 		return

pkg/controllers/networkpolicy/pod_handler_test.go

@@ -20,7 +20,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/securitypolicy"
 	"github.com/vmware-tanzu/nsx-operator/pkg/util"
 )
 
@@ -148,10 +147,7 @@ func TestEnqueueRequestForPod_Raw(t *testing.T) {
 			}
 
 			// Mock util.IsSystemNamespace
-			patches := gomonkey.ApplyFunc(securitypolicy.IsVPCEnabled, func(_ interface{}) bool {
-				return false
-			})
-			patches.ApplyFunc(util.IsSystemNamespace, func(client.Client, string, *v1.Namespace) (bool, error) {
+			patches := gomonkey.ApplyFunc(util.IsSystemNamespace, func(client.Client, string, *v1.Namespace) (bool, error) {
 				return tc.isSystemNs, tc.isSystemNsErr
 			})
 			// Mock reconcileNetworkPolicy to avoid actual reconciliation

pkg/controllers/securitypolicy/namespace_handler.go

@@ -14,7 +14,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/securitypolicy"
 	"github.com/vmware-tanzu/nsx-operator/pkg/util"
 )
 
@@ -41,7 +40,7 @@ func (e *EnqueueRequestForNamespace) Generic(_ context.Context, _ event.GenericE
 
 func (e *EnqueueRequestForNamespace) Update(_ context.Context, updateEvent event.UpdateEvent, l workqueue.TypedRateLimitingInterface[reconcile.Request]) {
 	obj := updateEvent.ObjectNew.(*v1.Namespace)
-	vpcMode := securitypolicy.IsVPCEnabled(e.SecurityPolicyReconciler.Service)
+	vpcMode := e.SecurityPolicyReconciler.isVPCMode
 	if isInSysNs, err := util.IsSystemNamespace(nil, "", obj, vpcMode); err != nil {
 		log.Error(err, "Failed to fetch namespace", "namespace", obj.Name)
 		return

pkg/controllers/securitypolicy/namespace_handler_test.go

@@ -18,7 +18,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	mock_client "github.com/vmware-tanzu/nsx-operator/pkg/mock/controller-runtime/client"
-	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/securitypolicy"
 	"github.com/vmware-tanzu/nsx-operator/pkg/util"
 )
 
@@ -139,9 +138,6 @@ func TestEnqueueRequestForNamespace_Update(t *testing.T) {
 	) error {
 		return nil
 	})
-	patches.ApplyFunc(securitypolicy.IsVPCEnabled, func(_ interface{}) bool {
-		return false
-	})
 	patches.ApplyFunc(util.CheckPodHasNamedPort, func(pod v1.Pod, reason string) bool {
 		return true
 	})

pkg/controllers/securitypolicy/pod_handler.go

@@ -15,7 +15,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/securitypolicy"
 	"github.com/vmware-tanzu/nsx-operator/pkg/util"
 )
 
@@ -65,7 +64,7 @@ func (e *EnqueueRequestForPod) Raw(evt interface{}, q workqueue.TypedRateLimitin
 	}
 
 	pod := obj.(*v1.Pod)
-	vpcMode := securitypolicy.IsVPCEnabled(e.SecurityPolicyReconciler.Service)
+	vpcMode := e.SecurityPolicyReconciler.isVPCMode
 	if isInSysNs, err := util.IsSystemNamespace(e.Client, pod.Namespace, nil, vpcMode); err != nil {
 		log.Error(err, "Failed to fetch namespace", "namespace", pod.Namespace)
 		return