Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add overriding condition to BackendTrafficPolicy and SecurityPolicy #2684

Conversation

zhaohuabing
Copy link
Member

fix #2055

@zhaohuabing zhaohuabing requested a review from a team as a code owner February 23, 2024 12:14
@zhaohuabing zhaohuabing requested a review from arkodg February 23, 2024 12:14
@zhaohuabing zhaohuabing changed the title add overriding condition to backendtrafficpolicy add overriding condition to BackendTrafficPolicy Feb 23, 2024
Copy link

codecov bot commented Feb 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.50%. Comparing base (6d8337e) to head (1bf5654).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2684      +/-   ##
==========================================
+ Coverage   63.34%   63.50%   +0.16%     
==========================================
  Files         123      123              
  Lines       19979    20056      +77     
==========================================
+ Hits        12655    12736      +81     
+ Misses       6513     6510       -3     
+ Partials      811      810       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing force-pushed the backendtrafficpolicy-overriding-condition branch from f7cff0c to 17c4d9f Compare February 23, 2024 12:25
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the backendtrafficpolicy-overriding-condition branch from 17c4d9f to bdae89f Compare February 24, 2024 00:41
@zhaohuabing zhaohuabing enabled auto-merge (squash) February 24, 2024 02:32
@zhaohuabing zhaohuabing disabled auto-merge February 24, 2024 02:32
@arkodg
Copy link
Contributor

arkodg commented Feb 27, 2024

thanks for picking this one up @zhaohuabing

  • can the PR also apply the same logic for SecurityPolicy ?
  • as part of this PR can we also fix the logic here
    for _, r := range http.Routes {

    as pointed out by you earlier, its adoping Merge semantics, when this should be a Replace i.e. if that route has an existing policy attached (maybe computed using the routeMap, we should skip applying any setting, rather than checking which is nil)

Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
Copy link
Member Author

zhaohuabing commented Feb 27, 2024

can the PR also apply the same logic for SecurityPolicy ?

Yes, I originally planned to apply this to SecurityPolicy when this one is approved. But since you already mentioned this, I'm going to do it in this PR.

as pointed out by you earlier, its adoping Merge semantics, when this should be a Replace i.e. if that route has an existing policy attached (maybe computed using the routeMap, we should skip applying any setting, rather than checking which is nil)

I thought it was intentional. For example, a default global config can be defined at the Gateway level, and app developers can fine-tune the configurations at the route level.

The benefit of having a global config on the top is that the app developers don't have to redefine every setting at the roue level, but only these they really want to modify. The downside is that it's difficult to figure out wich setting comes form which policy.

@arkodg
Copy link
Contributor

arkodg commented Feb 27, 2024

I thought it was intentional. For example, a default global config can be defined at the Gateway level, and app developers can fine-tune the configurations at the route level.
The benefit of having a global config on the top is that the app developers don't have to redefine every setting at the roue level, but only these they really want to modify. The downside is that it's difficult to figure out wich setting comes from which policy.

@zhaohuabing Replace by the most specific resource is the default https://gateway.envoyproxy.io/v0.6.0/design/security-policy/#design-decisions , and support for Merge will hopefully be tackled in the near future with #1934

@zhaohuabing zhaohuabing changed the title add overriding condition to BackendTrafficPolicy add overriding condition to BackendTrafficPolicy and SecurityPolicy Feb 28, 2024
@zhaohuabing zhaohuabing requested a review from arkodg February 28, 2024 03:36
@zhaohuabing
Copy link
Member Author

@zhaohuabing Replace by the most specific resource is the default https://gateway.envoyproxy.io/v0.6.0/design/security-policy/#design-decisions , and support for Merge will hopefully be tackled in the near future with #1934

@arkodg Got it! Do you mind if I fix this in a separate PR?

@arkodg
Copy link
Contributor

arkodg commented Feb 28, 2024

@zhaohuabing Replace by the most specific resource is the default https://gateway.envoyproxy.io/v0.6.0/design/security-policy/#design-decisions , and support for Merge will hopefully be tackled in the near future with #1934

@arkodg Got it! Do you mind if I fix this in a separate PR?

Sure sgtm !

Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !

@arkodg arkodg requested review from a team February 29, 2024 01:43
@zhaohuabing zhaohuabing merged commit 5015061 into envoyproxy:main Mar 1, 2024
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add Overridden condition in the BackendTrafficPolicy status
2 participants