Skip to content

fix net pod policy #1232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 24, 2025
Merged

fix net pod policy #1232

merged 1 commit into from
Jul 24, 2025

Conversation

klinch0
Copy link
Contributor

@klinch0 klinch0 commented Jul 22, 2025
edited by coderabbitai bot
Loading

What this PR does

Release note

- fix net pod policy

Summary by CodeRabbit

  • Chores

    • Updated tenant application version to 1.11.2.
    • Updated version mapping to reflect the new release.

  • New Features

    • Extended network policy to allow traffic to additional tenant-related services across namespace hierarchies.

@klinch0 klinch0 requested review from kvaps and lllamnyp as code owners July 22, 2025 19:06
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jul 22, 2025
edited
Loading

Walkthrough

The changes increment the tenant application's version from 1.11.1 to 1.11.2, update the corresponding version mapping by fixing 1.11.1 to a commit hash and pointing 1.11.2 to HEAD, and extend the egress rules in the CiliumClusterwideNetworkPolicy by adding conditional blocks that allow traffic to pods labeled "vminsert" and "etcd" in namespaces derived from the release namespace hierarchy.

Changes

Files/Paths Change Summary
packages/apps/tenant/Chart.yaml Bumped version from 1.11.1 to 1.11.2
packages/apps/tenant/templates/networkpolicy.yaml Added conditional egress rules to allow traffic to "vminsert" and "etcd" pods in namespaces derived from release namespace hierarchy
packages/apps/versions_map Updated tenant version mapping: fixed 1.11.1 to commit hash; added 1.11.2 pointing to HEAD

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Helm Chart
    participant NetworkPolicy

    User->>Helm Chart: Deploy tenant app (v1.11.2)
    Helm Chart->>NetworkPolicy: Apply updated egress rules
    NetworkPolicy->>NetworkPolicy: Allow egress to "vminsert" and "etcd" pods in derived namespaces
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Suggested labels

bug, size:XS

Suggested reviewers

  • lllamnyp

Poem

A bunny hopped through YAML fields,
Updating numbers, sealing deals.
New paths to pods, egress flows,
The tenant’s reach now wider grows.
With every hop, the code refines—
Version bumped, and all aligns!
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch bugfix-fix-net-pod-policy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai generate unit tests to generate unit tests for this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 22, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @klinch0, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on fixing the network pod policy for the tenant application. It achieves this by simplifying the existing Cilium Network Policy definition, removing a set of rules that were likely causing issues or were no longer required. This change is accompanied by a standard version update for the tenant application.

Highlights

  • Network Policy Simplification: The core change involves removing a significant block of toEndpoints rules from the tenant application's networkpolicy.yaml. This simplification likely addresses an issue with the previous policy's behavior or necessity, streamlining network access for tenant pods.
  • Version Increment: The tenant application's Helm chart version has been bumped from 1.11.1 to 1.11.2, indicating a new release incorporating this network policy fix.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 22, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to fix a network policy for tenant pods. The main change involves removing a broad egress rule from the CiliumClusterwideNetworkPolicy that allowed pods in a child tenant to communicate with its parent tenant's namespace. While this appears to be a security hardening measure, it potentially contradicts the documented behavior where child tenants can use services from their parent. I've raised a critical issue requesting clarification on this point to ensure no functionality is unintentionally broken. The PR also includes corresponding version bumps for the tenant chart.

@kvaps kvaps added the backport Should change be backported on previus release label Jul 22, 2025
@klinch0
fix net pod policy
6598213 
Signed-off-by: kklinch0 <kklinch0@gmail.com>
@klinch0 klinch0 force-pushed the bugfix-fix-net-pod-policy branch from 2c73e17 to 6598213 Compare July 24, 2025 14:28
coderabbitai[bot]
coderabbitai bot reviewed Jul 24, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🔭 Outside diff range comments (1)
packages/apps/tenant/templates/networkpolicy.yaml (1)

57-69: Consolidate duplicated hierarchy loop into a helper template

The second block for etcd is an almost-verbatim copy of the vminsert rule, differing only in one label key/value. This duplication:

  • inflates the template,
  • makes future edits error-prone,
  • and hides the intent of “allow egress to hierarchical tenant services”.

Extract a small helper (e.g. _hierarchicalToEndpoints) that accepts the service label key/value and emits the looped matchLabels list. Both blocks then become one-liners that call the helper with "app.kubernetes.io/name", "vminsert" and "app.kubernetes.io/instance", "etcd" respectively.

Refactoring keeps the policy DRY and easier to reason about.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c73e17 and 6598213.

📒 Files selected for processing (3)
  • packages/apps/tenant/Chart.yaml (1 hunks)
  • packages/apps/tenant/templates/networkpolicy.yaml (1 hunks)
  • packages/apps/versions_map (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • packages/apps/versions_map
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/apps/tenant/Chart.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
packages/apps/tenant/templates/networkpolicy.yaml

[error] 56-56: trailing spaces

(trailing-spaces)

kvaps
kvaps approved these changes Jul 24, 2025
View reviewed changes
Copy link
Member

@kvaps kvaps left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kvaps kvaps merged commit 084be87 into main Jul 24, 2025
19 checks passed
@kvaps kvaps deleted the bugfix-fix-net-pod-policy branch July 24, 2025 15:25
@github-actions GitHub Actions
Copy link

Successfully created backport PR for release-0.34:

@github-actions github-actions bot mentioned this pull request Jul 24, 2025
Merged
kvaps added a commit that referenced this pull request Jul 24, 2025
@kvaps
[Backport release-0.34] fix net pod policy (#1272)
9584e5f 
# Description
Backport of #1232 to `release-0.34`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@kvaps kvaps kvaps approved these changes

@lllamnyp lllamnyp Awaiting requested review from lllamnyp lllamnyp is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
backport Should change be backported on previus release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@klinch0 @kvaps