New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CIDRGroup reference metric will not count nonexistent CIDRGroups #26133
Conversation
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your PR. 🙏
Could you please explain in more detail in which case you ended up with rule.CIDR
and rule.CIDRGroupRef
both empty?
Given the kubebuilder validation that should not be possible:
Lines 39 to 49 in fb48741
// CIDR is a CIDR prefix / IP Block. | |
// | |
// +kubebuilder:validation:OneOf | |
Cidr CIDR `json:"cidr,omitempty"` | |
// CIDRGroupRef is a reference to a CiliumCIDRGroup object. | |
// A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to | |
// the rule, can (Ingress) or cannot (IngressDeny) receive connections from. | |
// | |
// +kubebuilder:validation:OneOf | |
CIDRGroupRef CIDRGroupRef `json:"cidrGroupRef,omitempty"` |
In fact, trying to apply this:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "cidr-group-ref-cnp"
spec:
endpointSelector:
matchLabels:
run: app
ingress:
- fromCIDRSet:
- cidrGroupRef: ""
is failing as expected:
The CiliumNetworkPolicy "cidr-group-ref-cnp" is invalid: spec.ingress[0].fromCIDRSet[0].cidrGroupRef: Invalid value: "": spec.ingress[0].fromCIDRSet[0].cidrGroupRef in body should match '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
And a null
value:
spec:
endpointSelector:
matchLabels:
run: app
ingress:
- fromCIDRSet:
- cidrGroupRef: null
is leading to a validation error, too.
@pippolo84 I think the case is when the user applies a policy with a ref that doesn't exist, like
the metric is still incremented. |
If I'm not mistaken the proposed change is just checking the length of |
Hi @pippolo84, probably I misunderstood the issue. What I understand from the conversation above is that we can add a particular groupRef, even though the object itself does not exist and we need to check this existence to resolve the issue. What I suggest is we can use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the current approach is the correct one, thanks! I've left a suggestion to improve the comment.
Could you please squash this last commit into the previous one?
Also, you need to use your real name for the Signed-off-by
line. I suggest to read the Cilium Contribution Guidelines and the Developer's Certificate of Origin section.
@akstron Looks like your second commit overwrites the first, please squash. |
3ace902
to
6857b4c
Compare
It's likely that the test failures could be resolved by rebasing against the tip of the main branch. |
6857b4c
to
9753fc3
Compare
…pRefs Signed-off-by: Alok Kumar Singh <alokaks601@gmail.com>
9753fc3
to
f9bbe5f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! 🚀
/test |
Please ensure your pull request adheres to the following guidelines:
description and a
Fixes: #XXX
line if the commit addresses a particularGitHub issue.
Fixes: <commit-id>
tag, thenplease add the commit author[s] as reviewer[s] to this issue.
Fixes: #25022
Added a check on CIDRGroupRef to make sure that the reference is valid.
Signed-off-by: Alok Kumar Singh alokaks601@gmail.com