policy: Add Port Range Support for Policies Part 2/3#32675
Merged: nathanjsweet merged 3 commits into main, May 29, 2024
Conversation
nathanjsweet (Member, Author): /test
tommyp1ckles approved these changes, May 23, 2024
tommyp1ckles (Contributor) left a comment: endpoint changes lgtm
doniacld reviewed, May 28, 2024, with a comment on pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml (outdated, resolved)
doniacld approved these changes, May 28, 2024
- Add PortMask to MapKey structure, to make "0" the default value.
- Use PortRangeToMaskedPorts when creating keys for toMapState in L4 policies.
- Update maps/policy to account for mask.
- Introduce range logic into mapstate.
- Fix minor IsSupersetOf test issues.
- Add range unit tests to distillery tests.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Deny insertion has, heretofore, handled duplicate deny entries by only checking for wildcard port protocol entries as a way to prevent duplicate deny entries or by ignoring them completely as duplicate deny entries did not cause any problems. This does not work with the more precise de-duplication logic required by port ranges, because overlapping ranges is a new dimension of de-duplication that has to be enforced. Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
nathanjsweet (Member, Author): /test
This PR prepares the policy engine for adding port ranges by enabling the underlying userspace cache to calculate insertion, deletion, and lookups with port ranges, as well as adding unit tests to ensure that the logic works. It does not add support for adding policy port ranges at the API level; that will be addressed in the final PR.

The Policy CRD is modified by this PR without supporting port ranges at the policy repository level (this will be added in the final PR). This has to be done because the "PortProtocol" struct is shared by both the CRD (aka the API level) and the L4Filter struct (aka the cache level).

See commits for details.
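The following is an added example and is not code from this PR or from Cilium. It re-implements, as an illustration, the idea behind the first two commit messages above: a port range is decomposed into (port, mask) keys so a single range becomes a small number of prefix-aligned map entries, and, once entries carry masks, deny de-duplication has to test for overlap between masked entries rather than only for exact or wildcard duplicates. The type and function names here (MaskedPort, PortRangeToMaskedPorts, Overlaps, IsSupersetOf, OverlapsRange) are assumptions for this example; PortRangeToMaskedPorts and IsSupersetOf are mentioned on the page, but the implementations below are not Cilium's. The example goes slightly beyond the page by also showing the superset check that range-aware insertion relies on.

```go
package main

import "fmt"

// MaskedPort is a (port, prefix mask) pair: it covers every port p with
// p&Mask == Port&Mask. Mask 0xFFFF is a single port, mask 0 is the wildcard.
// Hypothetical type for this example; it is not Cilium's MapKey.
type MaskedPort struct {
	Port uint16
	Mask uint16
}

func (m MaskedPort) String() string { return fmt.Sprintf("%d/0x%04x", m.Port, m.Mask) }

// PortRangeToMaskedPorts splits the inclusive range [start, end] into the
// smallest set of prefix-aligned blocks. At each step it takes the widest
// block that is aligned at the current position and still fits in the range.
// Illustrative re-implementation of the idea; not Cilium's function.
func PortRangeToMaskedPorts(start, end uint16) []MaskedPort {
	var out []MaskedPort
	if start > end {
		return out
	}
	cur := uint32(start) // uint32 so cur can step past 65535 and terminate the loop
	for cur <= uint32(end) {
		bits := uint(0)
		for bits < 16 {
			size := uint32(1) << (bits + 1)
			if cur&(size-1) != 0 || cur+size-1 > uint32(end) {
				break // next wider block is misaligned or would overshoot the range
			}
			bits++
		}
		out = append(out, MaskedPort{Port: uint16(cur), Mask: ^uint16(0) << bits})
		cur += uint32(1) << bits
	}
	return out
}

// Contains reports whether the masked port covers p.
func (m MaskedPort) Contains(p uint16) bool { return p&m.Mask == m.Port&m.Mask }

// Overlaps reports whether a and b share at least one port: two prefix
// blocks intersect exactly when they agree on all bits of the narrower mask.
func Overlaps(a, b MaskedPort) bool {
	common := a.Mask & b.Mask
	return a.Port&common == b.Port&common
}

// IsSupersetOf reports whether a covers every port that b covers: a's mask
// must be a prefix of b's mask and the two must agree on a's bits.
func IsSupersetOf(a, b MaskedPort) bool {
	return a.Mask&b.Mask == a.Mask && a.Port&a.Mask == b.Port&a.Mask
}

// OverlapsRange reports whether a new range [start, end] intersects any entry
// already present. This is the extra dimension that deny de-duplication has
// to check once entries can be ranges instead of single ports or wildcards.
func OverlapsRange(entries []MaskedPort, start, end uint16) bool {
	for _, n := range PortRangeToMaskedPorts(start, end) {
		for _, e := range entries {
			if Overlaps(e, n) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample ranges: a single port, a small aligned block, a
	// power-of-two block, a worst-case range, and the full wildcard range.
	for _, r := range [][2]uint16{{80, 80}, {8080, 8083}, {1024, 2047}, {1, 65534}, {0, 65535}} {
		mp := PortRangeToMaskedPorts(r[0], r[1])
		fmt.Printf("%5d-%-5d -> %2d entries: %v\n", r[0], r[1], len(mp), mp)
	}
	deny := PortRangeToMaskedPorts(8000, 8999)
	fmt.Println("deny 8000-8999 overlaps new deny 8080:     ", OverlapsRange(deny, 8080, 8080))
	fmt.Println("deny 8000-8999 overlaps new deny 9000-9100:", OverlapsRange(deny, 9000, 9100))
}
```

The worst case for this decomposition is a range that is misaligned at both ends, such as 1-65534, which needs 30 entries (15 growing blocks from the low end, 15 shrinking blocks from the high end); that bound is why a range costs a handful of map keys rather than one per port. The overlap test on masks is what makes "is this deny entry already covered?" answerable without expanding either side into individual ports.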