PASS verdict broken for non-consecutive tiers and with default-allow #43916

@TheBeeZee

Description

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.18.6 and lower than v1.19.0

What happened?

There are two issues with the newly implemented policy rule priorities and pass verdict for policies:

  1. When a PASS and ALLOW/DENY rule exist for the same identity at non-consecutive tiers (e.g. tier 0 and tier 2), the policy engine throws an error (endpoint policy direction has more than 2^24 distinct priorities)

  2. When a PASS rule exists for a specific identity at a higher tier with a wildcard ALLOW rule at a lower tier, the policy engine incorrectly retains the PASS rule as an invalid rule, which throws off the policy evaluation. The wildcard ALLOW is never added for the affected identity.

How can we reproduce the issue?

See the added test cases in the PR.

Cilium Version

1.19

Kernel Version

N/A

Kubernetes Version

N/A

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
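A small Go model of the tier and PASS semantics this report depends on. It is an added illustration, not Cilium's code or the PR's test cases, and it assumes Deny > Pass > Allow precedence within a single tier, a constructed Wildcard identity of 0, and that a PASS hands the decision to the next lower tier. It shows the outcome the report expects: a PASS at tier 0 for one identity falls through the empty tier 1 to a wildcard ALLOW at tier 2, and a lone PASS leaves the default verdict in force.

```go
package main

import "sort"

// Verdict is a rule's outcome; the numeric order encodes the precedence assumed
// within one tier: Deny > Pass > Allow (an assumption, not stated in the report).
type Verdict int

const (
	Allow Verdict = iota
	Pass // hand the decision to the next lower tier
	Deny
	Wildcard uint32 = 0 // constructed sentinel identity that matches any peer
)

// Rule is a constructed stand-in for a policy rule, not Cilium's own type.
type Rule struct {
	Tier     int
	Identity uint32
	Verdict  Verdict
}

// Evaluate walks the tiers holding a rule that matches identity, in ascending
// order (tier numbers need not be consecutive). Each tier decides with its
// highest-precedence matching verdict; a PASS defers to the next tier, and if
// no tier decides, defaultVerdict applies.
func Evaluate(rules []Rule, identity uint32, defaultVerdict Verdict) Verdict {
	var m []Rule
	for _, r := range rules {
		if r.Identity == Wildcard || r.Identity == identity {
			m = append(m, r)
		}
	}
	sort.Slice(m, func(i, j int) bool { return m[i].Tier < m[j].Tier })
	for i := 0; i < len(m); {
		best := Allow
		for t := m[i].Tier; i < len(m) && m[i].Tier == t; i++ {
			if m[i].Verdict > best {
				best = m[i].Verdict
			}
		}
		if best != Pass { // ALLOW or DENY was decided at this tier
			return best
		}
	}
	return defaultVerdict
}
```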

Metadata

Labels

  • affects/main: This issue affects main branch
  • area/agent: Cilium agent related.
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.