Skip to content

policy: Use 'insertOldIfNotExists() in addDependentOnEntry() #35109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 2, 2024
Merged

policy: Use 'insertOldIfNotExists() in addDependentOnEntry() #35109

merged 1 commit into from
Oct 2, 2024

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Sep 30, 2024
edited
Loading

Keep the oldest changed value in 'addDependentOnEntry()' by using 'insertOldIfNotExists()' rather than modifying 'changes.Old' directly. Changes in tests are due to the way 'insertOldIfNotExists()' filters out new entries (not adding an 'old' entry if the key exists in 'changes.Adds'). Test changes are in the 'deletes' field due to the test internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to this fix that revert may have produced incorrect results.

Backporter note: Release branches need unit test changes due to visibility policy tests in pkg/policy/mapstate_test.go. Main branch is not affected due to the deprecated visibility annotation code and tests having been removed.

Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected.

@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Sep 30, 2024
@jrajahalme jrajahalme requested a review from a team as a code owner September 30, 2024 10:37
@jrajahalme jrajahalme requested a review from doniacld September 30, 2024 10:37
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 30, 2024
@jrajahalme jrajahalme added needs-backport/1.14 needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch release-note/bug This PR fixes an issue in a previous release of Cilium. labels Sep 30, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 30, 2024
@jrajahalme jrajahalme force-pushed the policy-track-oldest-change branch from 7aec9e3 to 137abf7 Compare October 2, 2024 14:36
@jrajahalme
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
71a810b 
Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-track-oldest-change branch from 137abf7 to 71a810b Compare October 2, 2024 14:40
@jrajahalme
Copy link
Member Author

jrajahalme commented Oct 2, 2024
edited
Loading

Resolved merge conflict due to visibility annotation removal.

@jrajahalme
Copy link
Member Author

/test

@jrajahalme
Copy link
Member Author

/ci-ginkgo

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 2, 2024
@jrajahalme jrajahalme added this pull request to the merge queue Oct 2, 2024
Merged via the queue into cilium:main with commit 3aad3f8 Oct 2, 2024
62 of 63 checks passed
@jrajahalme jrajahalme deleted the policy-track-oldest-change branch October 2, 2024 17:37
@giorio94 giorio94 mentioned this pull request Oct 7, 2024
Merged
15 tasks
@giorio94 giorio94 added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 7, 2024
@giorio94 giorio94 mentioned this pull request Oct 7, 2024
Merged
9 tasks
@giorio94 giorio94 added backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. and removed needs-backport/1.15 labels Oct 7, 2024
@giorio94 giorio94 mentioned this pull request Oct 7, 2024
Merged
5 tasks
@giorio94 giorio94 added the backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. label Oct 7, 2024
giorio94 pushed a commit that referenced this pull request Oct 7, 2024
@jrajahalme @giorio94
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
4f9b8bf 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94 pushed a commit that referenced this pull request Oct 7, 2024
@jrajahalme @giorio94
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
61aaa30 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
giorio94 pushed a commit that referenced this pull request Oct 7, 2024
@jrajahalme @giorio94
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
85c483f 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
aanm pushed a commit that referenced this pull request Oct 8, 2024
@jrajahalme @aanm
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
3ee7ab7 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
aanm pushed a commit that referenced this pull request Oct 8, 2024
@jrajahalme @aanm
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
5519765 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. backport-pending/1.15 The backport for Cilium 1.15.x for this PR is in progress. labels Oct 8, 2024
github-merge-queue bot pushed a commit that referenced this pull request Oct 8, 2024
@jrajahalme @aanm
policy: Use 'insertOldIfNotExists() in addDependentOnEntry()
cc75797 
[ upstream commit 3aad3f8 ]

[ backporter's notes: hit minor conflict due to different surrounding
  context; accepted combination. Additionally updated the
  TestMapState_AccumulateMapChangesOnVisibilityKeys test, which has
  been removed in the meanwhile on main, applying the changes
  originally part of 137abf7b4b6a (from #35109). ]

Keep the oldest changed value in 'addDependentOnEntry()' by using
'insertOldIfNotExists()' rather than modifying 'changes.Old'
directly. Changes in tests are due to the way 'insertOldIfNotExists()'
filters out new entries (not adding an 'old' entry if the key exists in
'changes.Adds'). Test changes are in the 'deletes' field due to the test
internally setting a 'deletes' key for each key in 'changes.Old'.

Old key values are used when reverting a failed endpoint update, prior to
this fix that revert may have produced incorrect results.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Oct 8, 2024
@thorn3r thorn3r mentioned this pull request Oct 8, 2024
Merged
This was referenced Oct 8, 2024
Closed
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@doniacld doniacld doniacld approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jrajahalme @doniacld @giorio94