Fix small CRD issue with toGroups #12440
LGTM, can you add a Fixes: f0049da61f4f ("pkg/k8s: fix all structural issues with CNP validation")
to your commit?
Fixes: f0049da ("pkg/k8s: fix all structural issues with CNP validation")
Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>
f9b33fd to d23446c
test-me-please
test flake was fixed in upstream merging
Possible upgrade implication with schema version, please take a look at the v1.6 backports. We will need to come to a shared understanding of that version and consistently backport to other branches based on it.
@joestringer it worked fine from 1.8.1 to master but I haven't tested with earlier versions. Is validation enabled before 1.8? Because if it is, it means toGroups has been broken for a while.
The related code for the schema has been around since v1.6. Not sure which versions the schema validation is enabled for, but I seem to recall some upgrade notes early in the v1.7 cycle around this. Thinking this through, my take is that this PR tightens the CRD validation and should only affect users who currently run policies that would not pass the new validation. If they follow the upgrade instructions (specifically the preflight check) to validate their policies prior to upgrade, then they will not hit any issues.
Fixes: f0049da ("pkg/k8s: fix all structural issues with CNP validation")
In 1.8.1, the CNP CRD uses the following for egress toGroups rules:
However the rule expects toGroups to be an array. From the doc example:
This commit modifies the CRD to be consistent with the rule spec to avoid validation errors from Kubernetes.
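An added example (not code from this PR or from Cilium): a minimal structural type check against constructed schema fragments, showing how a `toGroups` list is rejected while the schema declares an object and accepted once it declares an array, and how an object-shaped `toGroups` fails the tightened schema. The "before" schema shape is an assumption, since the PR's CRD snippet is not reproduced on this page; the policy values are constructed.

```python
# Minimal type check of a document against an OpenAPI v3 schema fragment,
# in the spirit of the structural validation Kubernetes applies to CRDs.
PY_TYPES = {"object": dict, "array": list, "string": str}

def type_errors(schema, value, path="spec"):
    """Return 'path: expected X, got Y' strings for every type mismatch."""
    expected = schema.get("type")
    if expected in PY_TYPES and not isinstance(value, PY_TYPES[expected]):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if expected == "object":
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors += type_errors(sub, value[key], f"{path}.{key}")
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += type_errors(schema["items"], item, f"{path}[{i}]")
    return errors

# Constructed fragment for one toGroups entry (aws.securityGroupsIds only).
GROUP = {"type": "object", "properties": {"aws": {"type": "object", "properties": {
    "securityGroupsIds": {"type": "array", "items": {"type": "string"}}}}}}

def egress_schema(to_groups):
    """Wrap a toGroups schema in a constructed spec.egress[] fragment."""
    return {"type": "object", "properties": {"egress": {"type": "array", "items": {
        "type": "object", "properties": {"toGroups": to_groups}}}}}

# Assumption: before the fix, toGroups was declared as a single object.
SCHEMA_BEFORE = egress_schema(GROUP)
# After the fix: an array of group objects, matching the rule spec.
SCHEMA_AFTER = egress_schema({"type": "array", "items": GROUP})

# Constructed policies: list form (as the rule expects) and object form.
AWS = {"aws": {"securityGroupsIds": ["sg-0000000000000"]}}
POLICY_LIST = {"egress": [{"toGroups": [AWS]}]}
POLICY_OBJECT = {"egress": [{"toGroups": AWS}]}

if __name__ == "__main__":
    for name, schema in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        for label, policy in (("list", POLICY_LIST), ("object", POLICY_OBJECT)):
            print(name, label, type_errors(schema, policy) or "valid")
```

Running the same check over stored policies before an upgrade is the kind of result the preflight check mentioned in the review is meant to surface.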