New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
k8s: Invalidate Policies that Support "EndPort" #28704
k8s: Invalidate Policies that Support "EndPort" #28704
Conversation
I think the subtle question here is exactly what behaviour we want on upgrade. Currently the policy with endport will put endpoints into default deny and therefore lock down the endpoints. If we reject the policy completely, that could mean the policy is ineffective and opens up the endpoints completely if that's the only policy. It may be safer to accept but log, given this is long-standing behaviour (?) |
Cilium does not currently support port ranges in network policies. Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
7c5f4d6
to
a69aee3
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this makes sense, it's hard for me to argue for something better for the short term and the existing stable releases. I know the support for this feature is making some progress soon so hopefully we won't need a better solution to communicating this problem in the end. 👍
Cilium does not currently support port ranges in
network policies.