policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks #43917

Merged: jrajahalme merged 1 commit into cilium:main from TheBeeZee:pr-fix-priorities on Feb 11, 2026

@TheBeeZee TheBeeZee commented Jan 21, 2026

Fixes errors when PASSing over tiers (e.g., Tier 0 to Tier 2)

Fixes: #43916

@TheBeeZee TheBeeZee requested a review from a team as a code owner January 21, 2026 22:49
@TheBeeZee TheBeeZee requested a review from fristonio January 21, 2026 22:49
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 21, 2026
@github-actions github-actions bot added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Jan 21, 2026
@TheBeeZee (Contributor, Author) commented:

/test

@TheBeeZee TheBeeZee force-pushed the pr-fix-priorities branch 4 times, most recently from c2c3aa3 to ecabc60 Compare January 28, 2026 18:47
@TheBeeZee TheBeeZee changed the title fix(policy): Improve PASS handling for non-consecutive tiers and wildcard fallbacks policy: Improve PASS handling for non-consecutive tiers and wildcard fallbacks Jan 28, 2026
@TheBeeZee TheBeeZee force-pushed the pr-fix-priorities branch 3 times, most recently from b780e34 to 5847464 Compare January 28, 2026 22:29
@fristonio fristonio requested a review from jrajahalme February 5, 2026 15:05
@fristonio fristonio added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Feb 5, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2026

squeed commented Feb 10, 2026

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 10, 2026
@jrajahalme jrajahalme left a comment

Turns out the flaw was due to uninitialized (left at 0) tier base priorities for the skipped tiers, which led to an incorrect tierMinPrecedence for the pass entry on higher tier to the skipped tier.

@maintainer-s-little-helper maintainer-s-little-helper bot removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 10, 2026
Signed-off-by: Blaz Zupan <blaz@google.com>
@jrajahalme (Member) commented:

/test

@jrajahalme jrajahalme enabled auto-merge February 11, 2026 10:18
@jrajahalme jrajahalme added the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Feb 11, 2026
@jrajahalme jrajahalme added this pull request to the merge queue Feb 11, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 11, 2026
Merged via the queue into cilium:main with commit 0e989be Feb 11, 2026
78 checks passed
@glrf glrf mentioned this pull request Feb 17, 2026
12 tasks

glrf commented Feb 17, 2026

I had some trouble backporting this to v1.19. The code in v1.19 is slightly different and I don't want to do something wrong for policy-relevant code. Marking this as backport/author.

@glrf glrf added the backport/author The backport will be carried out by the author of the PR. label Feb 17, 2026
@jrajahalme jrajahalme self-assigned this Feb 17, 2026

squeed commented Feb 17, 2026

@glrf thanks for the attempt. @jrajahalme will do the backport.

@jrajahalme jrajahalme added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 18, 2026
@jrajahalme jrajahalme removed their assignment Feb 18, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Feb 18, 2026
Development

Successfully merging this pull request may close these issues.

PASS verdict broken for non-consecutive tiers and with default-allow
