Policy Tiers: feature-flagging, add fuzzer, fix corner cases#43893
Merged
jrajahalme merged 11 commits intomainfrom Feb 6, 2026
Merged
Policy Tiers: feature-flagging, add fuzzer, fix corner cases#43893jrajahalme merged 11 commits intomainfrom
jrajahalme merged 11 commits intomainfrom
Conversation
6e592b0 to
dfb9fde
Compare
squeed
reviewed
Jan 22, 2026
squeed
reviewed
Jan 22, 2026
squeed
approved these changes
Jan 22, 2026
dfb9fde to
96ba262
Compare
96ba262 to
0f8c888
Compare
Member
Author
|
/test |
0f8c888 to
d1385c4
Compare
Member
Author
|
/test |
Member
Author
|
Re-running |
squeed
reviewed
Feb 2, 2026
squeed
reviewed
Feb 2, 2026
This generates random policy corpuses and compares MapState-based policy calculation with the iterative simulator. Signed-off-by: Casey Callendrello <cdc@isovalent.com>
Avoid using *testing.F for the logger as then any log within the fuzz test would fail. Fix the order of expected and actual for require.Equal. Add more debugging. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Hide precedence details from the policymap package. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add optional mapState indexing by identity to support incremental removal of generated keys. This is only needed for deletion pass entries, so the index is only used if the policy has pass verdicts. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Proper processing of pass verdicts requires the default deny rule to be explicitly added to the mapstate so that it can be seen by pass verdict entries. The default rule is added to the next tier if any non-default tiers or priorities are in use, of if the traffic direction has any pass rules. This way the pass rule can pass to the added default deny (or allow) rule. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Deny takes precedence over allow and pass, allow takes precedence over pass. Define new HasPrecedenceOver() to handle this instead of using just IsDeny() like before. Would be simpler if Allow was not the zero value, but changing that would require changing all unit testing code that uses it as the default. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Fix tier base priority calculation. When figuring out the priority range for each tier, the full range of the remaining tiers must be included to add enough space for pass verdicts on higher tiers. Then, when setting the base priotity of each tier, this has to be reversed. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Commit fuzzer cases found during development. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
A pass of a specific identity to a lower tier rule with wildcard identity
should pass the given identity only and keep the wildcard entry at the
original precedence to take care of traffic with other identities. Since
the original entry needs to be kept, a new generated entry with the
identity from the pass entry and the L4 from the passed to entry must be
added.
We missed this case earlier due to BroaderOrEqualKeys only iterating
wildcard identity entries when the new key is a wildcard entry. Entries
that have a broader or equal L4 but more specific L3 are not as a whole
"broader or equal". To handle the need for generated entries for the pass
verdict processing "BroaderOrEqualKeys" is changed to also iterate all
specific L3 keys if the L4 is broader or equal and the given key has the
wildcard identity. The old behavior is retained with
CoveringBroaderOrEqualKeys(). Similarly, NarrowerOrEqualKeys() is renamed
as CoveringNarrowerOrEqualKeys() while NarrowerOrEqualKeys() now also
iterates keys with the wildcard identity when the given key has a
specific identity.
The addition of generated entries requires these entries to be deleted
when that identity is incrementally deleted. Since selector cache is
transactional we can delete all keys with the deleted identity, when the
first key with that identity is deleted. To make this efficient we use
the new id index.
To add support for pass verdicts at multiple tiers, the pass metadata is
now stored as a slice. Overhead to non-pass entries is reduced by storing
the slice via a pointer ('passes'), as most mapStateEntries would not
have any pass metadata.
If 'passes' is non-nil, then the pointed-to slice must have at least
one element, and all elements must have non-zero 'passPrecedence'.
When merging pass metadata we clone the slice to be mutated so that the
same slice can safely be used in multiple entries.
Split insertWithPasses() from insertWithChanges(); insertWithPasses() is
only calling it if the policy has any pass verdicts. This reduces the
chance of regressions for non-pass policies.
Log a warning if a policy with pass verdicts is also using auth
requirements, as this combination has not been implemented. Adjust a test
to not claim all features when that is not the case.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
86a4270 to
f8c128b
Compare
Member
Author
|
/test |
1 similar comment
Member
Author
|
/test |
squeed
approved these changes
Feb 6, 2026
Contributor
squeed
left a comment
There was a problem hiding this comment.
amazing work. really love the extensive comments.
Member
Author
|
main merge is failing/flaking for quay authentication failures, retrying merge. |
1 task
3 tasks
joestringer
reviewed
Feb 9, 2026
Comment on lines
+46
to
+48
| // PreviousMapState returns an empty policy.MapState with preallocated map sizes from the current one. | ||
| func (e *Endpoint) PreviousMapState() *policy.MapState { | ||
| return e.desiredPolicy.GetMapState() |
Member
There was a problem hiding this comment.
Does it really return an empty policy.MapState? The implementation seems to do return &desiredPolicy.policyMapState which seems decidedly like it's returning a pointer to map state currently in use.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds an automated fuzzer for detecting logic errors in the Tier support logic. It also fixes any bugs found.
In doing so, it adds support for multiple tiers.
Additionally, this PR does a better job of compartmentalizing the Tier and non-Tier codepaths, When Tiering is not enabled, then the original logic remains. This protects against any possible regressions.