Policy: Fix rule origin for ordered policies #44178

Merged
jrajahalme merged 3 commits into cilium:main from jrajahalme:policy-fix-rule-origin
Feb 5, 2026

@jrajahalme
Member

Fix RuleOrigin merging for L4Filters skipped due to priority override.

Add RuleOrigin verification to policy unit tests, rename local variables for clarity.

@jrajahalme requested a review from a team as a code owner February 4, 2026 09:49
@jrajahalme added the label kind/bug (This is a bug in the Cilium logic.) Feb 4, 2026
@jrajahalme requested a review from derailed February 4, 2026 09:49
@jrajahalme added the labels sig/policy (Impacts whether traffic is allowed or denied based on user-defined policies.), release-note/misc (This PR makes changes that have no direct user impact.) and needs-backport/1.19 (This PR / issue needs backporting to the v1.19 branch) Feb 4, 2026
@jrajahalme
Member Author

/test

@jrajahalme force-pushed the policy-fix-rule-origin branch from a08141d to 0f78bac February 4, 2026 10:08

Verify RuleOrigin values of computed policies against the expected ones
in policy unit tests.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Higher precedence rules override lower precedence ones, but we still
merged the rule origin metadata regardless. Move rule origin merging to
L4Filter.mergePortProto() so that the rule priority overrides can be
considered also for rule origin updates.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

PerSelectorPolicy is not just for L7 rules any more, it is high time to
reflect this in the local variable names used. 'newPerSelectorPolicy'
would be a bit long, so use just 'newPolicy' and 'existingPolicy' with
comments that make it obvious that these are PerSelectorPolicies.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
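
The second commit message above describes origin metadata being merged even for rules that lose to a higher-precedence rule. The Go sketch below is an added illustration of that difference and is not Cilium's code: `Rule`, `Filter`, both merge functions, the sample rules and the lower-value-wins priority convention are assumptions made for the example.

```go
package main

import "fmt"

// Rule is a constructed stand-in for one policy rule feeding a port/protocol entry.
type Rule struct {
	Name     string
	Priority int // assumption for this sketch: lower value takes precedence
	Deny     bool
}

// Filter is the merged result; Origins should name only the rules in effect.
type Filter struct {
	Priority int
	Deny     bool
	Origins  []string
}

// mergeWithOrigins updates origins in the same step that applies the override.
func mergeWithOrigins(rules []Rule) Filter {
	var f Filter
	for i, r := range rules {
		switch {
		case i == 0 || r.Priority < f.Priority: // r overrides what we had
			f = Filter{Priority: r.Priority, Deny: r.Deny, Origins: []string{r.Name}}
		case r.Priority == f.Priority: // same level: both rules are in effect
			f.Deny = f.Deny || r.Deny
			f.Origins = append(f.Origins, r.Name)
		} // otherwise r is overridden and contributes nothing
	}
	return f
}

// mergeOriginsRegardless models the defect: same verdict, every origin kept.
func mergeOriginsRegardless(rules []Rule) Filter {
	f := mergeWithOrigins(rules)
	f.Origins = nil
	for _, r := range rules {
		f.Origins = append(f.Origins, r.Name)
	}
	return f
}

// sampleRules is constructed input: a low-precedence allow and a high-precedence deny.
var sampleRules = []Rule{{"allow-db-low", 20, false}, {"deny-db-high", 10, true}}

func main() {
	fmt.Println(mergeOriginsRegardless(sampleRules).Origins, mergeWithOrigins(sampleRules).Origins)
}
```

Both functions return the same deny verdict; only the attribution differs, which is what an operator reading policy audit output would be misled by.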
@jrajahalme force-pushed the policy-fix-rule-origin branch from 0f78bac to 664f87a February 4, 2026 10:25
@jrajahalme
Member Author

Fixed Go import order

@jrajahalme
Member Author

/test

@derailed left a comment
Contributor

@jrajahalme Nice work!

@maintainer-s-little-helper bot added the label ready-to-merge (This PR has passed all tests and received consensus from code owners to merge.) Feb 4, 2026
@jrajahalme added this pull request to the merge queue Feb 5, 2026
Merged via the queue into cilium:main with commit d88b6bb Feb 5, 2026
76 checks passed
@jrajahalme deleted the policy-fix-rule-origin branch February 5, 2026 10:05
@Artyop mentioned this pull request Feb 10, 2026
@Artyop added the label backport-pending/1.19 (The backport for Cilium 1.19.x for this PR is in progress.) and removed the label needs-backport/1.19 (This PR / issue needs backporting to the v1.19 branch) Feb 10, 2026
@github-actions bot added the label backport-done/1.19 (The backport for Cilium 1.19.x for this PR is done.) and removed the label backport-pending/1.19 (The backport for Cilium 1.19.x for this PR is in progress.) Feb 11, 2026