Skip to content

labelsfilter: Ensure entity relevant labels are always applied #31178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 15, 2024
Merged

labelsfilter: Ensure entity relevant labels are always applied #31178

merged 1 commit into from
Mar 15, 2024

Conversation

soggiest
Copy link
Contributor

@soggiest soggiest commented Mar 5, 2024
edited
Loading

Entities are special selectors used by network policies. The Cluster entity relies on the io.cilium.k8s.policy.cluster label to select endpoints which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test.

Fixes: #18878

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!
labelsfilter: Always apply Cluster entity specific identity-relevant label

@soggiest soggiest requested a review from a team as a code owner March 5, 2024 23:27
@soggiest soggiest requested a review from squeed March 5, 2024 23:27
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 5, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Mar 5, 2024
@joestringer joestringer added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Mar 7, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 7, 2024
@joestringer
Copy link
Member

/test

@soggiest
labelsfilter: Ensure entity relevant labels are always applied
be5a244 
Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied.
This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file.

Fixes: cilium#18878

Signed-off-by: soggiest <nicholas@isovalent.com>
@soggiest soggiest force-pushed the pr/soggy/endpoint_labels branch from 9361d6e to be5a244 Compare March 7, 2024 23:47
@soggiest
Copy link
Contributor Author

soggiest commented Mar 7, 2024

I realized my previous commit contained an extra label that wasn't actually used by as a selector for entities, so I removed it from this PR.

squeed
squeed approved these changes Mar 11, 2024
View reviewed changes
Copy link
Contributor

@squeed squeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! My only request would be a slightly more descriptive release note. But, I like it.

@squeed
Copy link
Contributor

squeed commented Mar 11, 2024

/test

@soggiest
Copy link
Contributor Author

Would someone mind kicking off another test, the errors I'm seeing from the EKS and Ginkgo tests don't seem related to my change. I'm wondering if these are flakes.

Tangent question: Why is this network policy file named client-egress-to-echo-named-port-deny.yaml but the name used inside the network policy spec is name: client-ingress-to-echo-named-port-deny and is used by an ingress test?

@joestringer
Copy link
Member

Tangent looks like a bug. May be worth filing an issue and/or PR and/or use git blame to track down the author of the test or those lines to follow up.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 15, 2024
@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 15, 2024
Merged via the queue into cilium:main with commit e929947 Mar 15, 2024
@liyihuang liyihuang mentioned this pull request Jun 7, 2024
Closed
marseel added a commit to marseel/cilium that referenced this pull request Oct 17, 2024
@marseel
docs: update default identity label filters
6f3ef97 
PR cilium#31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: cilium#31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
@marseel marseel mentioned this pull request Oct 17, 2024
Merged
github-merge-queue bot pushed a commit that referenced this pull request Oct 21, 2024
@marseel @aanm
docs: update default identity label filters
d3dc7e8 
PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: #31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
tklauser pushed a commit that referenced this pull request Oct 22, 2024
@marseel @tklauser
docs: update default identity label filters
d5935cf 
[ upstream commit d3dc7e8 ]

[ backporter's note: added `any:` prefix as with other labels because
  commit fee6107 ("metrics: add lower-cardinality metrics for node
  connectivity") which removes these prefixes across all docs wasn't
  backported. ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: #31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
tklauser pushed a commit that referenced this pull request Oct 22, 2024
@marseel @tklauser
docs: update default identity label filters
82864ee 
[ upstream commit d3dc7e8 ]

[ backporter's note: added `any:` prefix as with other labels because
  commit fee6107 ("metrics: add lower-cardinality metrics for node
  connectivity") which removed these prefixes across all docs wasn't
  backported to v1.16. ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: #31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
tklauser pushed a commit that referenced this pull request Oct 22, 2024
@marseel @tklauser
docs: update default identity label filters
297ce19 
[ upstream commit d3dc7e8 ]

[ backporter's note: added `any:` prefix as with other labels because
  commit 1918908 ("Improve identity-relevant-labels.rst page")
  which removed these prefixes across all docs wasn't backported to
  v1.16. ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: #31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Oct 22, 2024
@marseel @tklauser
docs: update default identity label filters
158b632 
[ upstream commit d3dc7e8 ]

[ backporter's note: added `any:` prefix as with other labels because
  commit 1918908 ("Improve identity-relevant-labels.rst page")
  which removed these prefixes across all docs wasn't backported to
  v1.16. ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones
that are propagated even when strict filters are applied.

Fixes: #31178

Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
liyihuang added a commit to liyihuang/cilium that referenced this pull request Dec 12, 2024
@liyihuang
Update the default identity label in the example
dc489c5 
PR cilium#31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR cilium#35422 added the label in the doc but didn't update the example

Fixes: cilium#31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
@liyihuang liyihuang mentioned this pull request Dec 12, 2024
Merged
github-merge-queue bot pushed a commit that referenced this pull request Dec 13, 2024
@liyihuang @qmonnet
Update the default identity label in the example
4b4f45e 
PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR #35422 added the label in the doc but didn't update the example

Fixes: #31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
pippolo84 pushed a commit that referenced this pull request Dec 16, 2024
@liyihuang @pippolo84
Update the default identity label in the example
78b5718 
[ upstream commit 4b4f45e ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR #35422 added the label in the doc but didn't update the example

Fixes: #31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84 pushed a commit that referenced this pull request Dec 19, 2024
@liyihuang @pippolo84
Update the default identity label in the example
60fe6e7 
[ upstream commit 4b4f45e ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR #35422 added the label in the doc but didn't update the example

Fixes: #31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
pippolo84 pushed a commit that referenced this pull request Dec 19, 2024
@liyihuang @pippolo84
Update the default identity label in the example
26b000c 
[ upstream commit 4b4f45e ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR #35422 added the label in the doc but didn't update the example

Fixes: #31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Dec 23, 2024
@liyihuang @julianwiedmann
Update the default identity label in the example
729c1cd 
[ upstream commit 4b4f45e ]

PR #31178 added "io.cilium.k8s.policy.cluster" label to default ones but
didn't update the doc

PR #35422 added the label in the doc but didn't update the example

Fixes: #31178

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@liyihuang liyihuang mentioned this pull request Jan 9, 2025
Closed
@liyihuang liyihuang mentioned this pull request Mar 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

Assignees
No one assigned
Labels
kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Limiting Identity-Relevant Labels breaks CiliumNetworkPolicies
4 participants
@soggiest @joestringer @squeed @julianwiedmann