[v1.19] pkg/policy author backports 02-09-2026 #44267

Merged
jrajahalme merged 11 commits into cilium:v1.19 from jrajahalme:author-backports-02-09-2026
Feb 17, 2026

Conversation

@jrajahalme (Member)

@jrajahalme jrajahalme commented Feb 9, 2026

Once this PR is merged, a GitHub action will update the labels of these PRs:

 #43893

@jrajahalme jrajahalme requested a review from a team as a code owner February 9, 2026 12:54
@jrajahalme jrajahalme added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/backports This PR provides functionality previously merged into master. backport/1.19 This PR represents a backport for Cilium 1.19.x of a PR that was merged to main. labels Feb 9, 2026
@jrajahalme (Member, Author)

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 16, 2026
@julianwiedmann julianwiedmann added dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. and removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Feb 16, 2026
@julianwiedmann (Member)

@jrajahalme heads-up, needs a rebase

jrajahalme and others added 11 commits February 17, 2026 13:28
[ upstream commit 880f676 ]

A subsequent commit will include an alternate policy iteration system,
so it will be nice to move the types to policy/types.

This also removes the now-useless Decision type, as it's not used
anywhere in the codebase.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
[ upstream commit fe7d650 ]

This is a simple userspace tool that executes rules step-by-step. Its
purpose will be to validate more complex policy scenarios, ideally by
fuzzing.

To ensure its output matches that of the existing policy engine, it
matches the LookupFlow method signature, and existing tests validate
that the simulation engine returns the same verdict.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
[ upstream commit 77bfddc ]

This generates random policy corpuses and compares MapState-based policy
calculation with the iterative simulator.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
[ upstream commit 679ef53 ]

Avoid using *testing.F for the logger as then any log within the fuzz
test would fail.

Fix the order of expected and actual for require.Equal.

Add more debugging.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 491782a ]

Hide precedence details from the policymap package.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 1c4121c ]

Add optional mapState indexing by identity to support incremental removal
of generated keys. This is only needed for deletion pass entries, so the
index is only used if the policy has pass verdicts.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit e5e2885 ]

Proper processing of pass verdicts requires the default deny rule to be
explicitly added to the mapstate so that it can be seen by pass verdict
entries.

The default rule is added to the next tier if any non-default tiers or
priorities are in use, or if the traffic direction has any pass
rules. This way the pass rule can pass to the added default deny (or
allow) rule.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit b5ba771 ]

Deny takes precedence over allow and pass, allow takes precedence over
pass. Define new HasPrecedenceOver() to handle this instead of using just
IsDeny() like before. Would be simpler if Allow was not the zero value,
but changing that would require changing all unit testing code that uses
it as the default.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 292b050 ]

Fix tier base priority calculation. When figuring out the priority range
for each tier, the full range of the remaining tiers must be included to
add enough space for pass verdicts on higher tiers. Then, when setting
the base priority of each tier, this has to be reversed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit b6b6f69 ]

Commit fuzzer cases found during development.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
[ upstream commit 6bc370b ]

A pass of a specific identity to a lower tier rule with wildcard identity
should pass the given identity only and keep the wildcard entry at the
original precedence to take care of traffic with other identities. Since
the original entry needs to be kept, a new generated entry with the
identity from the pass entry and the L4 from the passed to entry must be
added.

We missed this case earlier due to BroaderOrEqualKeys only iterating
wildcard identity entries when the new key is a wildcard entry. Entries
that have a broader or equal L4 but more specific L3 are not as a whole
"broader or equal". To handle the need for generated entries for the pass
verdict processing "BroaderOrEqualKeys" is changed to also iterate all
specific L3 keys if the L4 is broader or equal and the given key has the
wildcard identity. The old behavior is retained with
CoveringBroaderOrEqualKeys(). Similarly, NarrowerOrEqualKeys() is renamed
as CoveringNarrowerOrEqualKeys() while NarrowerOrEqualKeys() now also
iterates keys with the wildcard identity when the given key has a
specific identity.

The addition of generated entries requires these entries to be deleted
when that identity is incrementally deleted. Since selector cache is
transactional we can delete all keys with the deleted identity, when the
first key with that identity is deleted. To make this efficient we use
the new id index.

To add support for pass verdicts at multiple tiers, the pass metadata is
now stored as a slice. Overhead to non-pass entries is reduced by storing
the slice via a pointer ('passes'), as most mapStateEntries would not
have any pass metadata.

If 'passes' is non-nil, then the pointed-to slice must have at least
one element, and all elements must have non-zero 'passPrecedence'.

When merging pass metadata we clone the slice to be mutated so that the
same slice can safely be used in multiple entries.

Split insertWithPasses() from insertWithChanges(); insertWithPasses() is
only calling it if the policy has any pass verdicts. This reduces the
chance of regressions for non-pass policies.

Log a warning if a policy with pass verdicts is also using auth
requirements, as this combination has not been implemented. Adjust a test
to not claim all features when that is not the case.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the author-backports-02-09-2026 branch from bf53acb to 51e97fe Compare February 17, 2026 12:30
@jrajahalme jrajahalme removed the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Feb 17, 2026
@jrajahalme (Member, Author)

/test

@jrajahalme jrajahalme enabled auto-merge February 17, 2026 13:46
@jrajahalme jrajahalme added this pull request to the merge queue Feb 17, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 17, 2026
Merged via the queue into cilium:v1.19 with commit 809f2c3 Feb 17, 2026
71 of 74 checks passed
@jrajahalme jrajahalme deleted the author-backports-02-09-2026 branch February 17, 2026 14:26