Normal policy support for host-* endpoints #2228
Conversation
@lmm I think the shape of this is looking pretty good. I've made one specific comment. Apart from that, my concern is just to be sure about what we decided in the spec about:
- defaults
- ordering (applying workload policy before WHEP policy, for traffic from a workload to its own host, and meshing with the existing hardcoded rules)
- optionally deduplication (in the case where the same policy applies to the workload and the WHEP)
and then obviously making sure that the code reflects that, ideally with copious tests.
Not to cali-th-any-interface-at-all. (And similarly for the From direction.)
A few questions from me. Also, this will need thorough tests in the FV framework.
- toEndForwardRules was updated with wrong rules - in the `fromOnly` case (for pre-DNAT) we use HostFromEndpointPfx not HostFromEndpointForwardPfx, so the end rules passed to the dispatch chain builder were incorrect.
1c342e7 to 068aad0
We discussed the AoF case on slack so I think we got to the bottom of that (test is failing due to AoF policy applying at workload egress for WHEPs, but not HEPs).
Good emphasis on testing in this PR, with lots of tests being upgraded to cover the new case. Well worth that effort, I think!
Found a few nits in the tests.
LGTM
Description
hostendpoints currently only support pre-DNAT global network policy. This PR will (eventually) add normal policy support for hostendpoints.

Some notes on semantics:

- hostendpoint and a "named" (e.g. `eth0`) hostendpoint exist, the named hostendpoint will be used. (This is existing behaviour and isn't changing here.)

Todos
Release Note
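To make the semantics discussed in this thread concrete (the reviewer's points about ordering workload policy before wildcard host endpoint policy and optionally deduplicating a policy attached to both, the `fromOnly` chain-prefix correction, and the description's note that a named hostendpoint wins over the wildcard one), here is an added toy model in Go. It is not Felix's code or API: the chain-prefix constants, the `any-interface-at-all` wildcard name, the endpoint/policy types and all sample policies are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Toy model (not Felix code) of the policy-ordering semantics discussed in
// the PR thread. The prefix values and wildcard interface name below are
// assumed for illustration and mirror Felix's naming style only.
const (
	HostFromEndpointPfx        = "cali-fh-"   // assumed: host endpoint "from" chain
	HostFromEndpointForwardPfx = "cali-fhfw-" // assumed: host endpoint forwarded-traffic chain
	WildcardInterfaceName      = "any-interface-at-all"
)

// HostEndpoint is a named (e.g. eth0) or wildcard host endpoint with its
// policies in evaluation order.
type HostEndpoint struct {
	Interface string
	Policies  []string
}

// selectHostEndpoint returns the named HEP for iface if one exists, otherwise
// the wildcard HEP if configured. This encodes "named beats wildcard".
func selectHostEndpoint(heps []HostEndpoint, iface string) (HostEndpoint, bool) {
	var wildcard HostEndpoint
	haveWildcard := false
	for _, h := range heps {
		if h.Interface == iface {
			return h, true
		}
		if h.Interface == WildcardInterfaceName {
			wildcard, haveWildcard = h, true
		}
	}
	return wildcard, haveWildcard
}

// hostEndpointChainPrefix picks the prefix for a HEP's "from" dispatch rules.
// As raised in review, the fromOnly (pre-DNAT) case must use the plain
// from-endpoint prefix, not the forward one.
func hostEndpointChainPrefix(fromOnly bool) string {
	if fromOnly {
		return HostFromEndpointPfx
	}
	return HostFromEndpointForwardPfx
}

// buildPolicyOrder returns the policies to evaluate, in order, for traffic
// from a workload to its own host leaving via iface: workload policies first,
// then the selected host endpoint's policies, with a policy that appears on
// both evaluated only once (first occurrence wins).
func buildPolicyOrder(workloadPolicies []string, heps []HostEndpoint, iface string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(p string) {
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	for _, p := range workloadPolicies {
		add(p)
	}
	if hep, ok := selectHostEndpoint(heps, iface); ok {
		for _, p := range hep.Policies {
			add(p)
		}
	}
	return out
}

func main() {
	// Constructed sample: a wildcard HEP and a named eth0 HEP, both carrying
	// "default-deny", which the workload also carries.
	heps := []HostEndpoint{
		{Interface: WildcardInterfaceName, Policies: []string{"allow-ssh", "default-deny"}},
		{Interface: "eth0", Policies: []string{"eth0-only", "default-deny"}},
	}
	order := buildPolicyOrder([]string{"wl-allow-dns", "default-deny"}, heps, "eth0")
	fmt.Println(strings.Join(order, " -> "))
	fmt.Println(hostEndpointChainPrefix(true) + "eth0")
}
```

Swapping the interface to one with no named HEP (for example `lo`) falls through to the wildcard endpoint, so the same call yields the wildcard's policies after the workload's; that is the case the reviewer's ordering and deduplication questions are about.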