Make sure that policies with no valid peers are enforced #65
Conversation
If a policy rule has a `from` (or `to`) selector that matches no pods, the subject pod must not be reached by (or must not reach) any pods. The following example helps clarify the reasons behind this. Given a scenario with 3 pods (A, B, C) and a rule like:

```yaml
podSelector:
  matchLabels:
    name: A
ingress:
- from:
  - podSelector:
      matchLabels:
        name: B
policyTypes:
- Ingress
```

Pod A can be reached only by pod B. Pod C can't reach A, and this has to be ensured even if pod B is deleted.

Add an end-to-end test case to validate this scenario and adjust unit tests accordingly.

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
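To make the "no valid peers" edge case concrete, the following is an added example that is not the project's own code. It models the two renderers the PR description contrasts in a deliberately simplified way: one that emits nothing when the `from` selector matches no pods (so the subject's chain is empty and a jump into it returns to the caller), and one that always terminates the subject's chain with a DROP. The pod names, IPs, chain name `MULTI-INGRESS-<pod>` and the `reachable` evaluator are all constructed for illustration and are not the real iptables layout used by multi-networkpolicy-iptables.

```go
package main

import (
	"fmt"
	"strings"
)

// Pod is a constructed stand-in for a pod record (names and IPs are made up).
type Pod struct {
	Name string
	IP   string
}

// IngressRule is the `from` half of one ingress rule, reduced to the pod names
// that `podSelector.matchLabels.name` would select.
type IngressRule struct {
	FromNames []string
}

// Constructed sample pods matching the A/B/C scenario in the PR description.
var (
	podA = Pod{Name: "A", IP: "10.1.0.1"}
	podB = Pod{Name: "B", IP: "10.1.0.2"}
	podC = Pod{Name: "C", IP: "10.1.0.3"}
)

// selectPeers returns every pod currently present that the rule selects.
func selectPeers(rule IngressRule, pods []Pod) []Pod {
	var peers []Pod
	for _, want := range rule.FromNames {
		for _, p := range pods {
			if p.Name == want {
				peers = append(peers, p)
			}
		}
	}
	return peers
}

// renderIngressSkipEmpty models the behaviour being fixed: a rule whose peer
// selector matches nothing contributes no iptables rules, so the subject pod's
// chain can end up empty (hypothetical chain name, not the project's layout).
func renderIngressSkipEmpty(subject Pod, rules []IngressRule, pods []Pod) []string {
	chain := "MULTI-INGRESS-" + subject.Name
	var out []string
	for _, r := range rules {
		peers := selectPeers(r, pods)
		if len(peers) == 0 {
			continue // the bug: no peers, no rules, no DROP
		}
		for _, p := range peers {
			out = append(out, fmt.Sprintf("-A %s -s %s/32 -j ACCEPT", chain, p.IP))
		}
		out = append(out, fmt.Sprintf("-A %s -j DROP", chain))
	}
	return out
}

// renderIngressEnforced always terminates the chain with a DROP whenever the
// policy has ingress rules, so zero valid peers still means "nobody gets in".
func renderIngressEnforced(subject Pod, rules []IngressRule, pods []Pod) []string {
	chain := "MULTI-INGRESS-" + subject.Name
	var out []string
	for _, r := range rules {
		for _, p := range selectPeers(r, pods) {
			out = append(out, fmt.Sprintf("-A %s -s %s/32 -j ACCEPT", chain, p.IP))
		}
	}
	if len(rules) > 0 {
		out = append(out, fmt.Sprintf("-A %s -j DROP", chain))
	}
	return out
}

// reachable walks a chain the way netfilter does: the first terminating target
// that matches wins, and running off the end returns to the caller, which this
// model treats as accept (the behaviour when no policy applies).
func reachable(chain []string, src string) bool {
	for _, rule := range chain {
		if strings.Contains(rule, " -s "+src+"/32 ") && strings.HasSuffix(rule, "-j ACCEPT") {
			return true
		}
		if strings.HasSuffix(rule, "-j DROP") {
			return false
		}
	}
	return true
}

// scenario reports whether src can reach pod A under both renderers, given the
// pods currently present, for the single rule "from: name: B".
func scenario(pods []Pod, src string) (skipEmpty, enforced bool) {
	rules := []IngressRule{{FromNames: []string{"B"}}}
	return reachable(renderIngressSkipEmpty(podA, rules, pods), src),
		reachable(renderIngressEnforced(podA, rules, pods), src)
}

func main() {
	s, e := scenario([]Pod{podA, podB, podC}, podC.IP)
	fmt.Printf("B present, C->A: skip-empty=%v enforced=%v\n", s, e)
	s, e = scenario([]Pod{podA, podC}, podC.IP)
	fmt.Printf("B deleted, C->A: skip-empty=%v enforced=%v\n", s, e)
}
```

With B present both renderers deny C; once B is deleted the skip-empty renderer produces an empty chain and C falls through to accept, which is exactly the regression the PR's end-to-end test is meant to catch.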
@@ -280,7 +280,6 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI | |||
writeLine(ipt.policyIndex, "-A", fmt.Sprintf("MULTI-%d-INGRESS", pIndex), "-j", chainName) | |||
|
|||
s.podMap.Update(s.podChanges) | |||
validPeers := 0 |
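Review bot: with the `validPeers := 0` counter this thread agrees to drop (the `@@ -280,7 +280,6 @@` header shows a net loss of one line), nothing visible in the hunk guarantees that the chain reached via `-j chainName` from `MULTI-%d-INGRESS` still ends in a terminating drop when the `from` selector matched no pods; an empty user chain returns to the caller, so the subject pod is isolated only if the caller's own trailing rule drops. Please make sure the new e2e case exercises exactly that path (B deleted, C attempting to reach A) and, if the drop lives in the parent chain, say so in a comment next to the `writeLine(... "-j", chainName)` call so the next reader does not reintroduce a peer-count guard.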
It seems to me that you don't need to count. This could be a boolean that switches to true when there is at least one valid peer.
I completely removed that variable, as in my idea there is no need to check if there is at least one valid peer. Does it sound good?
right, I did not see it correctly
/assign bpickard22
LGTM
@pliurh @bpickard22 can I somehow help to move this forward?
cc @pliurh @s1061123