Another fix in handling system default connections
tanyaveksler committed Nov 11, 2024
1 parent feca3a3 commit 010a007
Showing 1 changed file with 5 additions and 4 deletions.
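--- a/pkg/netpol/eval/check.go
+++ b/pkg/netpol/eval/check.go
@@ -618,9 +618,10 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool)
 }
 }
 }
-if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all
-res.AllowedConns = common.MakeConnectionSet(true)
-res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
-}
+// if banp rules didn't capture xgress conn between src and dst, return system-default: allow-all;
+// if banp rule captured xgress conn, only DeniedConns should be impacted by banp rule,
+// whenever AllowedConns should anyway be system-default: allow-all
+res.AllowedConns = common.MakeConnectionSet(true)
+res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
 return res, nil
 }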
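Review bot: The now-unconditional `res.AllowedConns = common.MakeConnectionSet(true)` overwrites whatever the BANP loop above left in AllowedConns, so if that loop ever records a BANP Allow rule (and its implying rule) there, that attribution is discarded and every allowed connection is reported as coming from systemDefaultRule; the loop is outside the hunk, so this needs confirming against it, but the new comment only holds if the loop writes DeniedConns exclusively. Since the removed `if res.IsEmpty()` guard was the one place that distinguished the captured and non-captured cases, the comment is now the sole record of that invariant and should state it precisely; I would rewrite the third comment line as `// whereas AllowedConns is always the system default (allow-all), regardless of BANP.` A unit test asserting that a BANP Deny rule yields DeniedConns carrying the BANP rule while AllowedConns carries systemDefaultRule would pin the intended behavior. getXgressDefaultConns begins before the hunk.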
