cilium-cli icon indicating copy to clipboard operation
cilium-cli copied to clipboard
verified publisher icon cilium

connectivity: Add connectivity with deny policies

Open sayboras opened this issue 3 years ago • 3 comments

Description

Please refer to individual commits for more details.

sayboras avatar Aug 09 '22 14:08 sayboras

Commit e62b469880746cee4a0134658178bd33b7080ee3 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

maintainer-s-little-helper[bot] avatar Aug 10 '22 08:08 maintainer-s-little-helper[bot]

Commit e62b469880746cee4a0134658178bd33b7080ee3 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

maintainer-s-little-helper[bot] avatar Aug 10 '22 08:08 maintainer-s-little-helper[bot]

@joestringer @jrajahalme can you also take a 2nd pair of :eyes: into this PR just to make sure the results of the tests are the ones that we should expect?

aanm avatar Aug 15 '22 22:08 aanm

Thanks all for your detailed review, I have added additional policy for deny tests, so that default deny can be avoided. Extra policies could be a little permissive, but should be good enough to verify behavior under test.

sayboras avatar Aug 22 '22 06:08 sayboras

Seems like my review message got lost somehow, so repeating it here:

To me it looks like this PR is now introducing quite a bit more than just deny policy tests, e.g. also tests for named ports and matched expressions. I think this should at least be mentioned in the PR title (so it shows up in the release notes) and maybe also briefly summarized in the PR description rather than just the commit messages.

tklauser avatar Aug 25 '22 11:08 tklauser

To me it looks like this PR is now introducing quite a bit more than just deny policy tests, e.g. also tests for named ports and matched expressions. I think this should at least be mentioned in the PR title (so it shows up in the release notes) and maybe also briefly summarized in the PR description rather than just the commit messages.

Good point 💯, let me update the PR description

sayboras avatar Aug 25 '22 11:08 sayboras

:wave: @sayboras I noticed that this only specifies the endpoint selector for which pod to apply the policy with the serviceaccount, but it doesn't use the serviceaccount in the ingress / egress policy statements. Was that intentional?

joestringer avatar Apr 04 '23 17:04 joestringer

👋 @sayboras I noticed that this only specifies the endpoint selector for which pod to apply the policy with the serviceaccount, but it doesn't use the serviceaccount in the ingress / egress policy statements. Was that intentional?

It's not :(, let me double-check and do a follow-up on this.

sayboras avatar Apr 04 '23 21:04 sayboras

This PR should cover the gap from the above comment

https://github.com/cilium/cilium-cli/pull/1532

sayboras avatar Apr 29 '23 10:04 sayboras