Better handling explainability data for system default

np-guard · Nov 11, 2024 · feca3a3 · feca3a3
1 parent 9c0ab85
commit feca3a3
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
@@ -620,6 +620,7 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool)
 	}
 	if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all
 		res.AllowedConns = common.MakeConnectionSet(true)
+		res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
 	}
 	return res, nil
 }
diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go
@@ -122,8 +122,9 @@ func (pc *PolicyConnections) CollectConnsFromBANP(banpConns *PolicyConnections)
 	// Pass Conns which are allowed or not captured by BANP, will be handled now with all other conns.
 	//  pc.PassConns is not relevant anymore.
 	// the allowed conns are "all conns - the denied conns"
-	// since all conns that are not determined by the ANP and BANP are allowed by default
-	pc.AllowedConns = common.MakeConnectionSet(true)
+	// all conns that are not determined by the ANP and BANP are allowed by default,
+	// and are kept in banpConns.AllowedConns (were returned by getXgressDefaultConns)
+	pc.AllowedConns = banpConns.AllowedConns
 	pc.AllowedConns.Subtract(pc.DeniedConns)
 }