Skip to content

Policy track derived from rules better #34437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 28, 2024
Merged

Policy track derived from rules better #34437

merged 4 commits into from
Aug 28, 2024

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Aug 18, 2024
edited
Loading

MapStateEntry metadata was improperly merged when an allow entry and deny entry were merged. Fix this by only merging entries when they both are either allow or deny entries.

Add identical keys also when the entries are different regarding all other fields than just the owners. This way DerivedFromRules labels get merged also if the owning CachedSelectors happen to be the same but are used in rules with different labels.

When inserting an allow entry as a deny due to covering deny rule, DerivedFromRules was based on the allow rule, when it should be a combination of all the covering deny rules instead.

Add MapStateEntry.DatapathAndDerivedFromEqual to be used in testing via mapState.Equal and mapState.Diff. This will help find bugs in properly tracking the DerivedFromRules field, which has so far been ignored in testing when using mapsState.Equal and mapState.Diff.

Without these changes the resulting DerivedFromRules labels depended on the insertion order of MapState entries, causing intermittent test flakes due to essentially random iteration order of Go maps when test code was changed to care about the resulting DerivedFromRules labels by the 1st commit.

Policy rule labels are tracked more accurately in endpoint policy maps.

@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Aug 18, 2024
@jrajahalme jrajahalme requested a review from a team as a code owner August 18, 2024 11:55
@jrajahalme jrajahalme requested a review from derailed August 18, 2024 11:55
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 18, 2024
@jrajahalme jrajahalme added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Aug 18, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 18, 2024
@jrajahalme jrajahalme added needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Aug 18, 2024
@jrajahalme
Copy link
Member Author

/test

@jrajahalme
policy: Add DatapathAndDerivedFromEqual
a82814f 
Add MapStateEntry.DatapathAndDerivedFromEqual to be used in testing via
mapState.Equal and mapState.Diff. This will help find bugs in properly
tracking the DerivedFromRules field, which has so far been ignored in
testing when using mapsState.Equal and mapState.Diff.

Fix endpoint/redirect_test.go to expect only the contributing rule
labels, as they are now tested for.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Propertly generate CIDR labels for world IP, expect all labels
c9ce991 
lblWorldIP was not generated properly, it was missing the world label and
hence it was not selected by the world selector. Use labels.GetCIDRLabels
to get the full CIDR labels.

Now that mapState.Equal cares about DerivedFromRules labels we need to
expect them.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-track-derived-from-rules-better branch from 0e626b3 to d27026f Compare August 19, 2024 08:10
@jrajahalme jrajahalme requested a review from a team as a code owner August 19, 2024 08:10
@jrajahalme jrajahalme requested a review from squeed August 19, 2024 08:10
@jrajahalme
Copy link
Member Author

/test

squeed
squeed reviewed Aug 21, 2024
View reviewed changes
squeed
squeed reviewed Aug 21, 2024
View reviewed changes
squeed
squeed reviewed Aug 21, 2024
View reviewed changes
@squeed
Copy link
Contributor

squeed commented Aug 21, 2024

Looks basically good. This makes the logic just a hair simpler, which I always appreciate.

AFAICT we have all the cases covered, but a few more comments would be useful.

@jrajahalme
policy: Use logfields for stacktrace logging
cb83ddd 
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme
policy: Fix tests by tracking DerivedFromRules properly
bb3e933 
MapStateEntry metadata was improperly merged when an allow entry and deny
entry were merged. Fix this by only merging entries when they both are
either allow or deny entries.

Add identical keys also when the entries are different regarding all
other fields than just the owners. This way DerivedFromRules labels get
merged also if the owning CachedSelectors happen to be the same but are
used in rules with different labels.

When inserting an allow entry as a deny due to covering deny rule,
DerivedFromRules was based on the allow rule, when it should be a
combination of all the covering deny rules instead.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-track-derived-from-rules-better branch from d27026f to bb3e933 Compare August 21, 2024 15:43
@jrajahalme jrajahalme requested a review from a team as a code owner August 21, 2024 15:43
@jrajahalme jrajahalme requested a review from squeed August 21, 2024 15:44
@jrajahalme
Copy link
Member Author

/test

derailed
derailed approved these changes Aug 22, 2024
View reviewed changes
Copy link
Contributor

@derailed derailed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jrajahalme Nice work!

@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Aug 22, 2024
@ldelossa ldelossa enabled auto-merge August 23, 2024 13:50
@ldelossa ldelossa added this pull request to the merge queue Aug 28, 2024
Merged via the queue into cilium:main with commit 1f1d654 Aug 28, 2024
71 of 72 checks passed
@jrajahalme jrajahalme mentioned this pull request Sep 30, 2024
Merged
@jrajahalme jrajahalme mentioned this pull request Oct 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derailed derailed derailed approved these changes

@squeed squeed squeed approved these changes

Assignees
No one assigned
Labels
kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jrajahalme @squeed @derailed @ldelossa