Skip to content

Commit 0164b8b

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request #252 from fasaxc/fail-closed
Explicitly explain "fail closed".
2 parents cda7003 + c93ddbd commit 0164b8b

7 files changed

+107
-38
lines changed

apis/v1alpha1/adminnetworkpolicy_types.go

+10-3
Original file line numberDiff line numberDiff line change
@@ -222,9 +222,16 @@ type AdminNetworkPolicyEgressRule struct {
222222
type AdminNetworkPolicyRuleAction string
223223

224224
// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
225-
// Exactly one of the selector pointers must be set for a given peer. If a
226-
// consumer observes none of its fields are set, they must assume an unknown
227-
// option has been specified and fail closed.
225+
//
226+
// Exactly one of the fields must be set for a given peer and this is enforced
227+
// by the validation rules on the CRD. If an implementation sees no fields are
228+
// set then it can infer that the deployed CRD is of an incompatible version
229+
// with an unknown field. In that case it should fail closed.
230+
//
231+
// For "Allow" rules, "fail closed" means: "treat the rule as matching no
232+
// traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
233+
// as a 'Deny all' rule".
234+
//
228235
// +kubebuilder:validation:MaxProperties=1
229236
// +kubebuilder:validation:MinProperties=1
230237
type AdminNetworkPolicyEgressPeer struct {

apis/v1alpha1/baselineadminnetworkpolicy_types.go

+10-3
Original file line numberDiff line numberDiff line change
@@ -197,9 +197,16 @@ type BaselineAdminNetworkPolicyEgressRule struct {
197197
type BaselineAdminNetworkPolicyRuleAction string
198198

199199
// BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
200-
// Exactly one of the selector pointers must be set for a given peer. If a
201-
// consumer observes none of its fields are set, they must assume an unknown
202-
// option has been specified and fail closed.
200+
//
201+
// Exactly one of the fields must be set for a given peer and this is enforced
202+
// by the validation rules on the CRD. If an implementation sees no fields are
203+
// set then it can infer that the deployed CRD is of an incompatible version
204+
// with an unknown field. In that case it should fail closed.
205+
//
206+
// For "Allow" rules, "fail closed" means: "treat the rule as matching no
207+
// traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
208+
// as a 'Deny all' rule".
209+
//
203210
// +kubebuilder:validation:MaxProperties=1
204211
// +kubebuilder:validation:MinProperties=1
205212
type BaselineAdminNetworkPolicyEgressPeer struct {

apis/v1alpha1/shared_types.go

+11-4
Original file line numberDiff line numberDiff line change
@@ -122,10 +122,17 @@ type PortRange struct {
122122
End int32 `json:"end"`
123123
}
124124

125-
// AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
126-
// Exactly one of the selector pointers must be set for a given peer. If a
127-
// consumer observes none of its fields are set, they must assume an unknown
128-
// option has been specified and fail closed.
125+
// AdminNetworkPolicyIngressPeer defines a peer to allow traffic to.
126+
//
127+
// Exactly one of the fields must be set for a given peer and this is enforced
128+
// by the validation rules on the CRD. If an implementation sees no fields are
129+
// set then it can infer that the deployed CRD is of an incompatible version
130+
// with an unknown field. In that case it should fail closed.
131+
//
132+
// For "Allow" rules, "fail closed" means: "treat the rule as matching no
133+
// traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
134+
// as a 'Deny all' rule".
135+
//
129136
// +kubebuilder:validation:MaxProperties=1
130137
// +kubebuilder:validation:MinProperties=1
131138
type AdminNetworkPolicyIngressPeer struct {

config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml

+19-7
Original file line numberDiff line numberDiff line change
@@ -200,9 +200,15 @@ spec:
200200
items:
201201
description: |-
202202
AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
203-
Exactly one of the selector pointers must be set for a given peer. If a
204-
consumer observes none of its fields are set, they must assume an unknown
205-
option has been specified and fail closed.
203+
204+
Exactly one of the fields must be set for a given peer and this is enforced
205+
by the validation rules on the CRD. If an implementation sees no fields are
206+
set then it can infer that the deployed CRD is of an incompatible version
207+
with an unknown field. In that case it should fail closed.
208+
209+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
210+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
211+
as a 'Deny all' rule".
206212
maxProperties: 1
207213
minProperties: 1
208214
properties:
@@ -551,10 +557,16 @@ spec:
551557
Support: Core
552558
items:
553559
description: |-
554-
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
555-
Exactly one of the selector pointers must be set for a given peer. If a
556-
consumer observes none of its fields are set, they must assume an unknown
557-
option has been specified and fail closed.
560+
AdminNetworkPolicyIngressPeer defines a peer to allow traffic to.
561+
562+
Exactly one of the fields must be set for a given peer and this is enforced
563+
by the validation rules on the CRD. If an implementation sees no fields are
564+
set then it can infer that the deployed CRD is of an incompatible version
565+
with an unknown field. In that case it should fail closed.
566+
567+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
568+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
569+
as a 'Deny all' rule".
558570
maxProperties: 1
559571
minProperties: 1
560572
properties:

config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml

+19-7
Original file line numberDiff line numberDiff line change
@@ -191,9 +191,15 @@ spec:
191191
items:
192192
description: |-
193193
BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
194-
Exactly one of the selector pointers must be set for a given peer. If a
195-
consumer observes none of its fields are set, they must assume an unknown
196-
option has been specified and fail closed.
194+
195+
Exactly one of the fields must be set for a given peer and this is enforced
196+
by the validation rules on the CRD. If an implementation sees no fields are
197+
set then it can infer that the deployed CRD is of an incompatible version
198+
with an unknown field. In that case it should fail closed.
199+
200+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
201+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
202+
as a 'Deny all' rule".
197203
maxProperties: 1
198204
minProperties: 1
199205
properties:
@@ -498,10 +504,16 @@ spec:
498504
Support: Core
499505
items:
500506
description: |-
501-
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
502-
Exactly one of the selector pointers must be set for a given peer. If a
503-
consumer observes none of its fields are set, they must assume an unknown
504-
option has been specified and fail closed.
507+
AdminNetworkPolicyIngressPeer defines a peer to allow traffic to.
508+
509+
Exactly one of the fields must be set for a given peer and this is enforced
510+
by the validation rules on the CRD. If an implementation sees no fields are
511+
set then it can infer that the deployed CRD is of an incompatible version
512+
with an unknown field. In that case it should fail closed.
513+
514+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
515+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
516+
as a 'Deny all' rule".
505517
maxProperties: 1
506518
minProperties: 1
507519
properties:

config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml

+19-7
Original file line numberDiff line numberDiff line change
@@ -192,9 +192,15 @@ spec:
192192
items:
193193
description: |-
194194
AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
195-
Exactly one of the selector pointers must be set for a given peer. If a
196-
consumer observes none of its fields are set, they must assume an unknown
197-
option has been specified and fail closed.
195+
196+
Exactly one of the fields must be set for a given peer and this is enforced
197+
by the validation rules on the CRD. If an implementation sees no fields are
198+
set then it can infer that the deployed CRD is of an incompatible version
199+
with an unknown field. In that case it should fail closed.
200+
201+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
202+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
203+
as a 'Deny all' rule".
198204
maxProperties: 1
199205
minProperties: 1
200206
properties:
@@ -412,10 +418,16 @@ spec:
412418
Support: Core
413419
items:
414420
description: |-
415-
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
416-
Exactly one of the selector pointers must be set for a given peer. If a
417-
consumer observes none of its fields are set, they must assume an unknown
418-
option has been specified and fail closed.
421+
AdminNetworkPolicyIngressPeer defines a peer to allow traffic to.
422+
423+
Exactly one of the fields must be set for a given peer and this is enforced
424+
by the validation rules on the CRD. If an implementation sees no fields are
425+
set then it can infer that the deployed CRD is of an incompatible version
426+
with an unknown field. In that case it should fail closed.
427+
428+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
429+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
430+
as a 'Deny all' rule".
419431
maxProperties: 1
420432
minProperties: 1
421433
properties:

config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml

+19-7
Original file line numberDiff line numberDiff line change
@@ -183,9 +183,15 @@ spec:
183183
items:
184184
description: |-
185185
BaselineAdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
186-
Exactly one of the selector pointers must be set for a given peer. If a
187-
consumer observes none of its fields are set, they must assume an unknown
188-
option has been specified and fail closed.
186+
187+
Exactly one of the fields must be set for a given peer and this is enforced
188+
by the validation rules on the CRD. If an implementation sees no fields are
189+
set then it can infer that the deployed CRD is of an incompatible version
190+
with an unknown field. In that case it should fail closed.
191+
192+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
193+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
194+
as a 'Deny all' rule".
189195
maxProperties: 1
190196
minProperties: 1
191197
properties:
@@ -399,10 +405,16 @@ spec:
399405
Support: Core
400406
items:
401407
description: |-
402-
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
403-
Exactly one of the selector pointers must be set for a given peer. If a
404-
consumer observes none of its fields are set, they must assume an unknown
405-
option has been specified and fail closed.
408+
AdminNetworkPolicyIngressPeer defines a peer to allow traffic to.
409+
410+
Exactly one of the fields must be set for a given peer and this is enforced
411+
by the validation rules on the CRD. If an implementation sees no fields are
412+
set then it can infer that the deployed CRD is of an incompatible version
413+
with an unknown field. In that case it should fail closed.
414+
415+
For "Allow" rules, "fail closed" means: "treat the rule as matching no
416+
traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule
417+
as a 'Deny all' rule".
406418
maxProperties: 1
407419
minProperties: 1
408420
properties:

0 commit comments

Comments
 (0)