policy: Create derivative policy for EgressDeny rules #23927
This PR is to generate derivative policy when `egressDeny` includes `toGroups` rules.

Fixes: cilium#23829

Signed-off-by: Rocky Chen <rocky.chen@outlook.com>
Commit 72c34e85f2c66a6e269662eade4851c00b67acad does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Signed-off-by: Rocky Chen <rocky.chen@outlook.com>
72c34e8 to a834ad1
Thanks for the PR @rockc2020, I'm off tomorrow, but I'll take a thorough look at this on Monday.

/test

Hi @nathanjsweet, as 1 check failed with my PR https://github.com/cilium/cilium/actions/runs/4238946330/jobs/7379640730. after I had a run on my local, it seems some errors of
This PR is to create derivative policy when `egressDeny` includes `toGroups` rules.

With issue #23829, there is no derivative policy created when `egressDeny` includes `toGroups` rules.

This fix includes the following changes:

- `EgressDeny` in method `RequiresDerivative()`
- `EgressDenyRule` in method `CreateDerivative()`

I also built an image with this change from my local and deployed in my EKS cluster. Then, I created a ccnp:
Then, a derivative policy was created successfully:
Fixes: #23829
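
The behaviour described in this PR, as an added example that is not code from the PR or from Cilium: a simplified Go model in which a rule whose only `toGroups` entry sits under `egressDeny` is missed by a check that inspects allow rules only, and is picked up once deny rules are inspected too. The types, `RequiresDerivativeOld`, the `lookup` callback and the sample values are hypothetical stand-ins.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the policy API types; not Cilium's definitions.
type ToGroups struct{ SecurityGroupIDs []string }

type EgressCommon struct {
	ToGroups  []ToGroups
	ToCIDRSet []string
}

type Rule struct{ Egress, EgressDeny []EgressCommon }

func hasGroups(rules []EgressCommon) bool {
	for _, r := range rules {
		if len(r.ToGroups) > 0 {
			return true
		}
	}
	return false
}

// Pre-fix behaviour as the PR describes it: deny rules are never inspected.
func RequiresDerivativeOld(r Rule) bool { return hasGroups(r.Egress) }

// Post-fix behaviour: a toGroups entry in either list triggers derivation.
func RequiresDerivative(r Rule) bool { return hasGroups(r.Egress) || hasGroups(r.EgressDeny) }

// derive copies each rule with its toGroups resolved to CIDRs by lookup.
func derive(rules []EgressCommon, lookup func(ToGroups) []string) []EgressCommon {
	var out []EgressCommon
	for _, r := range rules {
		d := EgressCommon{ToCIDRSet: append([]string{}, r.ToCIDRSet...)}
		for _, g := range r.ToGroups {
			d.ToCIDRSet = append(d.ToCIDRSet, lookup(g)...)
		}
		out = append(out, d)
	}
	return out
}

func CreateDerivative(r Rule, lookup func(ToGroups) []string) Rule {
	return Rule{Egress: derive(r.Egress, lookup), EgressDeny: derive(r.EgressDeny, lookup)}
}

func main() {
	// Constructed sample: one deny rule naming a placeholder security group.
	r := Rule{EgressDeny: []EgressCommon{{ToGroups: []ToGroups{{SecurityGroupIDs: []string{"sg-EXAMPLE"}}}}}}
	lookup := func(ToGroups) []string { return []string{"192.0.2.10/32"} } // stubbed cloud lookup
	fmt.Println(RequiresDerivativeOld(r), RequiresDerivative(r), CreateDerivative(r, lookup).EgressDeny)
}
```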