Rule merging algorithm is not sorting lexicographically on MeshTrafficPermission #8484
I indeed see the same problem by writing a simple test. If you want, I made it work this way with a single policy:

```yaml
# The first entry in from is then overridden by the following ones
type: MeshTrafficPermission
mesh: default
name: default-demo-app
spec:
  targetRef:
    kind: MeshSubset
    tags:
      k8s.kuma.io/service-name: demo-app
  from:
    - default:
        action: Deny
      targetRef:
        kind: Mesh
    - default:
        action: Allow
      targetRef:
        kind: MeshSubset
        tags:
          app.kubernetes.io/name: ui
    - default:
        action: Allow
      targetRef:
        kind: MeshSubset
        tags:
          app.kubernetes.io/name: service-order
    - default:
        action: Allow
      targetRef:
        kind: MeshSubset
        tags:
          app.kubernetes.io/name: service-payment
```

Give me the rules:

```yaml
Rules:
  127.0.0.1:80:
    - Conf:
        action: Allow
      Origin:
        - mesh: default
          name: default-demo-app
          type: MeshTrafficPermission
      Subset:
        - Key: app.kubernetes.io/name
          Not: false
          Value: ui
    - Conf:
        action: Allow
      Origin:
        - mesh: default
          name: default-demo-app
          type: MeshTrafficPermission
      Subset:
        - Key: app.kubernetes.io/name
          Not: false
          Value: service-payment
    - Conf:
        action: Allow
      Origin:
        - mesh: default
          name: default-demo-app
          type: MeshTrafficPermission
      Subset:
        - Key: app.kubernetes.io/name
          Not: false
          Value: service-order
    - Conf:
        action: Deny
      Origin:
        - mesh: default
          name: default-demo-app
          type: MeshTrafficPermission
      Subset:
        - Key: app.kubernetes.io/name
          Not: true
          Value: service-order
        - Key: app.kubernetes.io/name
          Not: true
          Value: service-payment
        - Key: app.kubernetes.io/name
          Not: true
          Value: ui
```

I think this is what you are trying to do: "Deny everyone except these 3 apps"
Add some tests including one as pending which is the repro

Fix kumahq#8484

Signed-off-by: Charly Molter <[email protected]>
I see what's the problem here https://go.dev/play/p/RvxA2xLrXo6, we have to check the order without
@lahabana thank you for the tip and solution, it works well. I feel that there is some inconsistency in the doc (or I just misunderstood something). I was thinking that rules inside one Probably the documentation is not entirely correct or I am looking in the wrong place. Could you please tell me where exactly the logic is described?
It's possible that the docs are not super clear. The main docs for targetRef policies are: https://kuma.io/docs/2.5.x/policies/targetref/#merging-configuration Do you think an example to explain what happens when there are multiple rules in a policy would help?
@lahabana yes, I think multiple rules in a policy would make it clearer. Also now I understand that rules inside the object are merged from first to last, and the resulting set is applied to traffic, but it was not that obvious from the beginning.
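The merge semantic described in the thread (the entries of `from` are applied first to last, and a later entry overrides the earlier ones wherever its subset matches) can be modelled in a few lines. The Python below is an added example, not Kuma's own code: it assumes each `from` entry reduces to a flat tag map (empty for `kind: Mesh`) plus an `action`, that a client carries at most one value per tag key, and that a client matching no rule is allowed (an assumption, since the thread does not state the fallback). Fed the single-policy version lahabana posted, it reproduces the printed rule set: three positive `Allow` rules and one `Deny` rule carrying a `Not` on each of the three app names (rule order and the order of the negations aside). It also goes one step further and expands the case where a later entry pins several tags, and it shows what happens when the ordering flips, which is why the name-sort problem this issue reports matters for an allow-list policy.

```python
"""Simplified model of ordered ``from`` entries being merged into per-client rules.

Added example, not Kuma's code. A rule is a conjunction of tags, each either
positive (client must carry key=value) or negated (client must not), mirroring
the ``Not: true/false`` entries in the rules dump above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    key: str
    value: str
    negated: bool = False


@dataclass
class Rule:
    subset: list   # list[Tag], all must hold for the rule to apply
    action: str


def _exclude(subset, later_tags):
    """Split ``subset`` into the subsets on which a *later* entry with
    ``later_tags`` does NOT match, so the current entry's action survives there.
    Returns [] when the later entry matches everywhere ``subset`` does."""
    positives = {t.key: t.value for t in subset if not t.negated}
    for k, v in later_tags.items():
        # The later entry can never match on this subset: it needs a value the
        # subset already pins differently, or one an earlier exclusion negated.
        if (k in positives and positives[k] != v) or Tag(k, v, True) in subset:
            return [subset]
    # not(t1 and t2 and ...) expanded into disjoint cases:
    #   not t1  |  t1 and not t2  |  t1 and t2 and not t3  ...
    out, prefix = [], list(subset)
    for k, v in later_tags.items():
        if k in positives:          # already true here, cannot be negated
            continue
        out.append(prefix + [Tag(k, v, True)])
        prefix = prefix + [Tag(k, v)]
    return out


def build_rules(from_entries):
    """``from_entries`` is an ordered list of (tags: dict, action: str).
    Entry i keeps its positive tags and excludes every later entry, because
    later entries override earlier ones (merged first to last)."""
    rules = []
    for i, (tags, action) in enumerate(from_entries):
        subsets = [[Tag(k, v) for k, v in tags.items()]]
        for later_tags, _ in from_entries[i + 1:]:
            subsets = [s2 for s in subsets for s2 in _exclude(s, later_tags)]
        rules.extend(Rule(s, action) for s in subsets)
    return rules


def matches(subset, client_tags):
    """All positive tags present, no negated tag present."""
    for t in subset:
        present = client_tags.get(t.key) == t.value
        if present == t.negated:
            return False
    return True


def decide(rules, client_tags, default="Allow"):
    """Rules built above are pairwise disjoint, so the first match is the only
    match. ``default`` is the assumed fallback when no rule applies."""
    for r in rules:
        if matches(r.subset, client_tags):
            return r.action
    return default


# The ``from`` list of lahabana's single policy, in the order it was written.
POLICY_FROM = [
    ({}, "Deny"),                                          # kind: Mesh
    ({"app.kubernetes.io/name": "ui"}, "Allow"),
    ({"app.kubernetes.io/name": "service-order"}, "Allow"),
    ({"app.kubernetes.io/name": "service-payment"}, "Allow"),
]
RULES = build_rules(POLICY_FROM)

if __name__ == "__main__":
    for r in RULES:
        print(r.action, [(t.key, t.value, "Not" if t.negated else "") for t in r.subset])
    print(decide(RULES, {"app.kubernetes.io/name": "ui"}))        # Allow
    print(decide(RULES, {"app.kubernetes.io/name": "billing"}))   # Deny
    # Move the Mesh-wide Deny to the end and it shadows every Allow.
    flipped = build_rules(POLICY_FROM[1:] + POLICY_FROM[:1])
    print(len(flipped), decide(flipped, {"app.kubernetes.io/name": "ui"}))  # 1 Deny
```

Running it prints four rules for the original order and a single `Deny` rule for the flipped order, which is the same effect the issue author saw when two separately named policies were sorted the other way round: the broad deny lands after the allows and wins everywhere.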
Do you have any idea how we can work around this? Seems like the labels we've been talking about could be helpful here, no?
- Add some tests to the policy matching algo
- Add possibility to add a test as pending in test.EntriesForFolder

Ref #8484
What happened?
My intention is to create a `MeshTrafficPermission` set of rules that will allow connectivity from some services and ShadowDeny (or Deny) everything else. To achieve that I created two `MeshTrafficPermission` objects, both on the `MeshSubset` targetRef level. This setup works fine if the naming is like `myrule` for the allow set and `myrule-a` for the deny set. I see in the UI that the rules are applied in the correct order:

My tests also show that traffic works as expected.

However, when I try to use names like `rule-a` and `rule-b`, the order is the opposite of what I expected and the tests also fail. I am not sure how the sorting is working, but it looks like it is not according to the doc, which states that "2. At the same level we use lexicographic order on name".