policy: Allow to specify L4/L7 policy which depend on L3 sources #1064
Closed
netperf was invoked with `docker run [...] netperf [...]` which will cause netperf to be started while the labels and policy are being resolved for that endpoint in parallel. This can cause random test failure if the policy is not put in place in time before netperf's control TCP connection gives up retrying. Fixes: #1059 Signed-off-by: Thomas Graf <thomas@cilium.io>
Reserve the right to support L4/L7 policies which depend on L3 matching in the future when the datapath supports this. For now, reject any such rules but document that this will be supported in the future. Signed-off-by: Thomas Graf <thomas@cilium.io>
- Reject k8s NetworkPolicy rules with combined L3/L4 policy rules.
- Don't generate api.Rule with combined L3/L4 policy rules.
Signed-off-by: Thomas Graf <thomas@cilium.io>
This does not change behaviour, it only reflects the new policy syntax to allow to specify combined policies at a later stage. Signed-off-by: Thomas Graf <thomas@cilium.io>
- Do not run testsuite against DaemonSet, policy and demo yaml of git master. Use the local checked out git tree instead.
- Be less verbose when running test
Signed-off-by: Thomas Graf <thomas@cilium.io>
If HAVE_L4_POLICY is set, the policy map will be looked up with the destination port and protocol set. Allows to establish L4 policies which are tied to a particular source identity. Signed-off-by: Thomas Graf <thomas@cilium.io>
bd7fcf4 to 5f64ae0
houndci-bot
reviewed
Jul 3, 2017
| func (key *policyKey) String() string { | ||
| if key.DestPort != 0 { | ||
| return fmt.Sprintf("%d %d/%d", key.Identity, key.DestPort, key.Nexthdr) | ||
| } else { |
if block ends with a return statement, so drop this else and outdent its block
Obsoleted by #1599
Reserve the right to support L4/L7 policies which depend on L3 matching in the future when the datapath supports this. For now, reject any such rules but document that this will be supported in the future.
Reject combined policies for now as the datapath does not support them yet.
Adjust the tests and examples to use decoupled policies.
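
The following is an added example, not code from this pull request or from Cilium: it models the interim rejection of combined L3/L4 rules and the policy map lookup that sets destination port and protocol in the key. The names `rule`, `port`, `validate`, `expand` and `lookup` are hypothetical, the `haveL4` argument stands in for the `HAVE_L4_POLICY` define, and identity 1001 is a constructed sample value.

```go
package main

import "fmt"

// policyKey has the three fields seen in the reviewed String(); widths are assumed.
type policyKey struct {
	Identity uint32
	DestPort uint16
	Nexthdr  uint8
}

// rule is a hypothetical, simplified ingress rule (not Cilium's api.Rule).
type port struct{ Port uint16; Proto uint8 }
type rule struct {
	FromIdentities []uint32
	ToPorts        []port
}

// validate models the interim behaviour: combined L3/L4 rules are rejected.
func validate(r rule) error {
	if len(r.FromIdentities) > 0 && len(r.ToPorts) > 0 {
		return fmt.Errorf("combined L3/L4 rule: %d sources, %d ports", len(r.FromIdentities), len(r.ToPorts))
	}
	return nil
}

// expand lists the keys a combined rule needs: one per (identity, port, proto).
func expand(r rule) map[policyKey]bool {
	m := map[policyKey]bool{}
	for _, id := range r.FromIdentities {
		for _, p := range r.ToPorts {
			m[policyKey{id, p.Port, p.Proto}] = true
		}
	}
	return m
}

// lookup sets port and protocol in the key only when haveL4 is true (assumed fallback: identity alone).
func lookup(m map[policyKey]bool, haveL4 bool, id uint32, dport uint16, proto uint8) bool {
	if haveL4 {
		return m[policyKey{id, dport, proto}]
	}
	return m[policyKey{Identity: id}]
}

func main() {
	r := rule{FromIdentities: []uint32{1001}, ToPorts: []port{{80, 6}}} // constructed sample
	fmt.Println(validate(r) != nil, lookup(expand(r), true, 1001, 80, 6), lookup(expand(r), true, 1001, 22, 6))
}
```

With the port and protocol in the key, identity 1001 reaches 80/tcp but not 22/tcp, which an identity-only key cannot express.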