-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
policy: Do not share same policy for multiple cached selectors #24788
Conversation
Do not share the same PerSelectorPolicy object between multiple cached selectors. This makes sure that when rules are merged only the rules for the intended selectors are effected. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
/test |
/test-1.16-4.19 |
Is there any user impact or is it more about simplifying the code? Label says it's the former, while the release note seems to say it's the latter. |
ci-eks is known to be broken (#24774), so please disregard that :-) |
Yes, there is user impact when using policies of specific form as demonstrated by the added unit test. |
@pchaigno Made the release note more explicit. |
@liyihuang Marked this as a release blocker. |
Thanks! It's now clear it's a bugfix but it's still hard to understand what is the impact for users. Does this lead to a policy bypass, to packet drops, to unnecessary proxy redirections, to a failure to apply the policy, etc.? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Release note needs to be fixed.
@jrajahalme This does not apply cleanly to any stable branches. I was able to fix it on v1.13, but the difference to 1.12 and 1.11 are larger. You will have to do the backport for 1.12 and 1.11 manually. |
Do not share the same PerSelectorPolicy object between multiple cached selectors. This makes sure that when rules are merged only the rules for the intended selectors are affected by the merging process.
Fixes: #9486