k8s: Decouple CNP embedding inside CCNP #14557
test-me-please
93ffc20 to ba83b6c
test-me-please
The changes look good to me. Thanks for the Pull Request 🙏 🚀
There is some documentation around ClusterwideNetworkPolicies that needs an update. For example here - https://github.com/cilium/cilium/blob/master/Documentation/concepts/kubernetes/policy.rst#ciliumclusterwidenetworkpolicy
Due to cilium#14526, we should test against full YAMLs representing CNPs and CCNPs for more realistic results.

Signed-off-by: Chris Tarazi <chris@isovalent.com>

Previously, embedding CNP inside the CCNP object was meant to simplify the code as a CCNP is an identical structure to CNP. However, due to a bug reported by a user (cilium#14526), we've uncovered that CCNP validation in the preflight command was completely broken. Upon further investigation, it was due to an unmarshalling issue with the CCNP object (that embeds a CNP).

Throughout the code, we have instances where we must treat the CCNP object with special care to avoid this unmarshalling issue (see b5c04ee and c813a15). In the above reported issue, yet again we can apply the same workarounds as the aforementioned commits do. However, we should avoid papering over this again with the same workaround, because in the future someone may not be aware of this gotcha when they make a new change. It is better to simply move away from embedding CNP inside CCNP and deal with the code duplication that results from it, than to rely on the mental energy and worst of all, waste time trying to debug very unintuitive errors within K8s infrastructure code.

This commit moves away from embedding CNP inside CCNP.

Signed-off-by: Chris Tarazi <chris@isovalent.com>

Following the previous commit, update the references in the docs for CCNP.

Signed-off-by: Chris Tarazi <chris@isovalent.com>

Bring this up-to-date with what's currently in the codebase.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
b680840 to 89eab48
LGTM 🚀 💯
test-me-please
Looks good as far as I can tell.
// Status is the status of the Cilium policy rule.
//
// The reason this field exists in this structure is due a bug in the k8s
// The reason this field exists in this structure is due a bug in the k8s
// The reason this field exists in this structure is due to a bug in the k8s
test-gke
See commit msgs.
Fixes: #14526