Policy matching subset dimensions #8155

Closed
jakubdyszkiewicz opened this issue Oct 26, 2023 · 6 comments
Labels
kind/bug A bug triage/duplicated already exists


@jakubdyszkiewicz
Contributor

What happened?

			PEntry("n dimensions rules and n-1 dimensions subsets", testCase{
				rules: core_rules.Rules{
					{
						Subset: []core_rules.Tag{
							{Key: "key1", Value: "val1"},
							{Key: "key2", Value: "val1", Not: true},
						},
						Conf: meshtrafficpermission_api.Conf{
							Action: "Allow",
						},
					},
				},
				subset: []core_rules.Tag{
					{Key: "key1", Value: "val1"},
				},
				confYAML: []byte(`action: Allow`),
			}),

This test fails for Compute. I expected this to pass.

@lobkovilya for details on how to fix this. We talked offline and the current idea is to:

  • Introduce a function like IsSubset, such that it ignores Not tags
  • Change Compute to use this new function
@jakubdyszkiewicz jakubdyszkiewicz added triage/pending This issue will be looked at on the next triage meeting kind/bug A bug triage/accepted The issue was reviewed and is complete enough to start working on it and removed triage/pending This issue will be looked at on the next triage meeting labels Oct 26, 2023
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Jan 29, 2024
Contributor

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

@jakubdyszkiewicz jakubdyszkiewicz removed the triage/stale Inactive for some time. It will be triaged again label Jan 29, 2024
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Apr 29, 2024
@jakubdyszkiewicz jakubdyszkiewicz removed the triage/stale Inactive for some time. It will be triaged again label Apr 29, 2024
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Jul 29, 2024
@lobkovilya lobkovilya removed the triage/stale Inactive for some time. It will be triaged again label Aug 5, 2024
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Nov 4, 2024
@lahabana
Contributor

Duplicate of #12273

@lahabana lahabana marked this as a duplicate of #12273 Dec 17, 2024
@lahabana lahabana closed this as not planned Won't fix, can't repro, duplicate, stale Dec 17, 2024
@lahabana lahabana added triage/duplicated already exists and removed triage/accepted The issue was reviewed and is complete enough to start working on it labels Dec 17, 2024
@Icarus9913
Contributor

A more detailed case:

I have one MTP:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: mtp-allow-kuma-one
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        k8s.kuma.io/namespace: kuma-one
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        app: demo
        k8s.kuma.io/namespace: kuma-one
    default:
      action: Deny

And the detailed rules:

rule: rules.Rule{Subset:rules.Subset{rules.Tag{Key:"app", Not:false, Value:"demo"}, 
                                      rules.Tag{Key:"k8s.kuma.io/namespace", Not:false, Value:"kuma-one"}}, 
                                      Conf:v1alpha1.Conf{Action:"Deny"}} 

rule: rules.Rule{Subset:rules.Subset{rules.Tag{Key:"app", Not:true, Value:"demo"}, 
                                      rules.Tag{Key:"k8s.kuma.io/namespace", Not:false, Value:"kuma-one"}}, 
                                      Conf:v1alpha1.Conf{Action:"Allow"}}

Then, my DataplaneTags:

 k8s.kuma.io/namespace: kuma-one

So, this should get the Allow action.
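
The matching outcome both reports in this thread expect, as an added example that is not part of the thread and is not Kuma's code: a workload whose tags cover only some of a rule's keys still matches when the uncovered keys are negated. The `Tag`, `Rule`, `matches`, `decide` and `threadRules` names are hypothetical, and the `strict` flag is a constructed contrast showing how requiring every key to be present leaves the workload with no matching rule, not a claim about how `Compute` is implemented.

```go
package main

import "fmt"

// Tag and Rule are simplified, hypothetical stand-ins for the shapes printed above.
type Tag struct {
	Key, Value string
	Not        bool
}
type Rule struct {
	Subset []Tag
	Action string
}

// matches: a negated tag is satisfied when the key is absent or has another value.
// strict=true treats any missing key as a mismatch (constructed contrast only).
func matches(r Rule, workload map[string]string, strict bool) bool {
	for _, t := range r.Subset {
		v, present := workload[t.Key]
		if (!present && strict) || (present && v == t.Value) == t.Not {
			return false
		}
	}
	return true
}

// decide returns the first matching rule's action; ok=false means no rule matched.
func decide(rules []Rule, workload map[string]string, strict bool) (string, bool) {
	for _, r := range rules {
		if matches(r, workload, strict) {
			return r.Action, true
		}
	}
	return "", false
}

// threadRules reproduces the two rules printed in the last comment.
func threadRules() []Rule {
	ns := Tag{Key: "k8s.kuma.io/namespace", Value: "kuma-one"}
	return []Rule{
		{Subset: []Tag{{Key: "app", Value: "demo"}, ns}, Action: "Deny"},
		{Subset: []Tag{{Key: "app", Value: "demo", Not: true}, ns}, Action: "Allow"},
	}
}

func main() {
	tags := map[string]string{"k8s.kuma.io/namespace": "kuma-one"}
	fmt.Println(decide(threadRules(), tags, false))
}
```

For a traffic permission, the `ok=false` result matters as much as the action: a workload that should hit the Allow rule but matches nothing ends up without the permission the policy author wrote.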
