
Commit aeceb9b

Merge pull request #524 from fasaxc/permissive-ingress-egress
Make validation of policy types more permissive.
2 parents 6d51f61 + 23e4711 commit aeceb9b


2 files changed

+10
-21
lines changed


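--- a/lib/validator/validator.go
+++ b/lib/validator/validator.go
@@ -552,21 +552,4 @@ func validatePolicySpec(v *validator.Validate, structLevel *validator.StructLeve
 mp[t] = true
 }
 }
-
-// When Types is explicitly specified:
-if len(m.Types) > 0 {
-var exists bool
-// 'ingress' type must be there if Policy has any ingress rules.
-_, exists = mp[api.PolicyTypeIngress]
-if len(m.IngressRules) > 0 && !exists {
-structLevel.ReportError(reflect.ValueOf(m.Types),
-"PolicySpec.Types", "", reason("'ingress' must be specified when policy has ingress rules"))
-}
-// 'egress' type must be there if Policy has any egress rules.
-_, exists = mp[api.PolicyTypeEgress]
-if len(m.EgressRules) > 0 && !exists {
-structLevel.ReportError(reflect.ValueOf(m.Types),
-"PolicySpec.Types", "", reason("'egress' must be specified when policy has egress rules"))
-}
-}
 }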

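--- a/lib/validator/validator_test.go
+++ b/lib/validator/validator_test.go
@@ -674,16 +674,22 @@ func init() {
 Entry("allow ingress+egress Types", api.PolicySpec{Types: []api.PolicyType{api.PolicyTypeIngress, api.PolicyTypeEgress}}, true),
 Entry("disallow repeated egress Types", api.PolicySpec{Types: []api.PolicyType{api.PolicyTypeEgress, api.PolicyTypeEgress}}, false),
 Entry("disallow unexpected value", api.PolicySpec{Types: []api.PolicyType{"unexpected"}}, false),
-Entry("disallow Types without ingress when IngressRules present",
+
+// In the initial implementation, we validated against the following two cases but we found
+// that prevented us from doing a smooth upgrade from type-less to typed policy since we
+// couldn't write a policy that would work for back-level Felix instances while also
+// specifying the type for up-level Felix instances.
+Entry("allow Types without ingress when IngressRules present",
 api.PolicySpec{
 IngressRules: []api.Rule{{Action: "allow"}},
 Types: []api.PolicyType{api.PolicyTypeEgress},
-}, false),
-Entry("disallow Types without egress when EgressRules present",
+}, true),
+Entry("allow Types without egress when EgressRules present",
 api.PolicySpec{
 EgressRules: []api.Rule{{Action: "allow"}},
 Types: []api.PolicyType{api.PolicyTypeIngress},
-}, false),
+}, true),
+
 Entry("allow Types with ingress when IngressRules present",
 api.PolicySpec{
 IngressRules: []api.Rule{{Action: "allow"}},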
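Review bot: The comment added above the two flipped entries explains why the check was dropped, but not what a policy author should now expect. A spec with `IngressRules` and `Types: [egress]` now validates, and nothing in this diff shows whether a type-aware Felix enforces those ingress rules or ignores them. A rule that is accepted but possibly not applied can make a policy look stricter or looser than it is, so I would add a line such as `// Rules for a direction not listed in Types still pass validation; whether they are enforced depends on how Felix interprets Types.` A further entry with both `IngressRules` and `EgressRules` but only one type listed would pin the mixed case as well. These entries sit inside `func init()`, which starts and ends outside the hunk.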
