Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policy: expand "world" entity selector to select all address families #29958

Merged
merged 1 commit into from
Dec 18, 2023
Merged

policy: expand "world" entity selector to select all address families #29958

merged 1 commit into from
Dec 18, 2023

Conversation

squeed
Copy link
Contributor

@squeed squeed commented Dec 18, 2023
edited

Previously, we had a single label, reserved:world, applied to all CIDR (non-cluster) identities. With #22625, this is no longer the case; CIDR identities get either reserved:world-ipv4 or reserved:world-ipv6 labels in dual stack clusters.

This PR updates the toEntities: world selector to select all world labels, as it worked previously. It does so by expanding the set of selectors underlying the world entity. No other magic in the SelectorCache or policy engine is required.

Fixes: #29666
Fixes: a94fa56

@squeed
policy: expand "world" entity selector to select all address families
516612b 
Previously, we had a single label, `reserved:world`, applied to all CIDR
(non-cluster) identities. With cilium#22625, this is no longer the case; CIDR
identities get either `reserved:world-ipv4` or `reserved:world-ipv6`
labels **in dual stack clusters**.

This PR updates the `toEntities: world` selector to select *all* world
entities, as it worked previously. It does so by expanding the set of
selectors underlying the `world` entity. No other magic in the
SelectorCache or policy engine is required.

Fixes: cilium#29666
Fixes: a94fa56

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed squeed added kind/bug This is a bug in the Cilium logic. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. release-blocker/1.15 This issue will prevent the release of the next version of Cilium. affects/v1.15 This issue affects v1.15 branch needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Dec 18, 2023
@squeed squeed requested review from a team as code owners December 18, 2023 12:56
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Dec 18, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in v1.15.0-rc.1 Dec 18, 2023
@squeed squeed mentioned this pull request Dec 18, 2023
Closed
@squeed squeed added the release-note/misc This PR makes changes that have no direct user impact. label Dec 18, 2023
@squeed squeed mentioned this pull request Dec 18, 2023
Merged
@squeed squeed removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Dec 18, 2023
@squeed
Copy link
Contributor Author

squeed commented Dec 18, 2023

/test

@squeed
Copy link
Contributor Author

squeed commented Dec 18, 2023

the ipsec upgrade test is still failing, because it downgrades to v1.15 which still has this bug.

@squeed
Copy link
Contributor Author

squeed commented Dec 18, 2023

This PR is green, except ci-ipsec-upgrade, which is not going to pass until this PR is backported. Marking as ready-to-merge.

@squeed squeed added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 18, 2023
@gandro gandro disabled auto-merge December 18, 2023 14:29
@gandro gandro merged commit 1288473 into cilium:main Dec 18, 2023
62 of 63 checks passed
@squeed squeed mentioned this pull request Dec 18, 2023
Merged
1 task
@squeed squeed added the backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. label Dec 18, 2023
@joestringer joestringer removed backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch labels Dec 18, 2023
@joestringer joestringer added the backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. label Dec 18, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport done to v1.15 in v1.15.0-rc.1 Dec 18, 2023
@pchaigno pchaigno mentioned this pull request Dec 18, 2023
Closed
2 tasks
@giorio94 giorio94 mentioned this pull request Dec 19, 2023
Closed
@aanm aanm mentioned this pull request Jan 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@nbusseneau nbusseneau nbusseneau approved these changes

Assignees
No one assigned
Labels
affects/v1.15 This issue affects v1.15 branch backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. kind/bug This is a bug in the Cilium logic. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-blocker/1.15 This issue will prevent the release of the next version of Cilium. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
No open projects
v1.15.0-rc.1
Backport done to v1.15
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

To world traffic incorrectly denied by network policy when enabling DNS observability
5 participants
@squeed @nathanjsweet @nbusseneau @gandro @joestringer