Skip to content

Enforce static tier default action #11468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mazdakn wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Enforce static tier default action #11468

mazdakn wants to merge 3 commits into from
+88 −49

Conversation

@mazdakn
Copy link
Member

@mazdakn mazdakn commented Dec 2, 2025

Description

Related issues/PRs

Todos

  • Tests
  • Documentation
  • Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@mazdakn mazdakn requested a review from a team as a code owner December 2, 2025 00:54
Copilot AI review requested due to automatic review settings December 2, 2025 00:54
@mazdakn mazdakn added the docs-not-required Docs not required for this change label Dec 2, 2025
@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Dec 2, 2025
@marvin-tigera marvin-tigera added the release-note-required Change has user-facing impact (no matter how small) label Dec 2, 2025
@mazdakn mazdakn added release-note-not-required Change has no user-facing impact and removed release-note-required Change has user-facing impact (no matter how small) labels Dec 2, 2025
Copilot finished reviewing on behalf of mazdakn December 2, 2025 00:56
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds validation to enforce that static Calico tiers (default, kube-admin, and kube-baseline) have the correct default action values in addition to their existing order validation. The default tier must use Deny, while kube-admin and kube-baseline tiers must use Pass.

Key Changes:

  • Refactored tier validation to use a helper function validateTierSpec that validates both order and default action
  • Added validation logic to enforce specific default action values for static tiers
  • Expanded test coverage to include default action validation scenarios for all three static tiers

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
libcalico-go/lib/validator/v3/validator.go Refactored tier validation logic to validate both order and default action for static tiers using a new helper function; added redundant import
libcalico-go/lib/validator/v3/validator_test.go Added comprehensive test cases for default action validation on all static tiers; reorganized variable declarations
Comments suppressed due to low confidence (1)

libcalico-go/lib/validator/v3/validator.go:26

  • This import is redundant. The package github.com/projectcalico/api/pkg/apis/projectcalico/v3 is already imported on line 25 with the alias api. You can use api.DefaultTierOrder, api.Deny, etc. instead of importing it again as v3. Remove this line and replace v3. references in the code below with api..
	"github.com/projectcalico/api/pkg/lib/numorstring"

libcalico-go/lib/validator/v3/validator.go
Comment on lines 1720 to +1726
)
}
}

if tier.Name == names.KubeAdminTierName {
if tier.Spec.Order == nil || *tier.Spec.Order != api.KubeAdminTierOrder {
tierDefaultActionMatched := false
tierDefaultActionStr := "nil"
if tier.Spec.DefaultAction != nil {
tierDefaultActionStr = fmt.Sprintf("%v", *tier.Spec.DefaultAction)
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first argument to ReportError should be the actual field value (wrapped in reflect.ValueOf() if needed), not its string representation. Currently, tierOrderStr is being passed, which is a string representation of the order value or "nil". This should be:

structLevel.ReportError(
    reflect.ValueOf(tier.Spec.Order),
    "TierSpec.Order",
    "",
    reason(fmt.Sprintf("%v tier order must be %v", tier.Name, expectedOrder)),
    "",
)

This matches the pattern used in the original code (lines 1684-1690) and ensures proper error reporting.

Copilot uses AI. Check for mistakes.
libcalico-go/lib/validator/v3/validator.go
Comment on lines 1735 to 1741
"",
reason(fmt.Sprintf("kube-admin tier order must be %v", api.KubeAdminTierOrder)),
reason(fmt.Sprintf("%v tier default action must be %v", tier.Name, expectedDefaultAction)),
"",
)
}
}

Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first argument to ReportError should be the actual field value (wrapped in reflect.ValueOf() if needed), not its string representation. Currently, tierDefaultActionStr is being passed, which is a string representation of the default action value or "nil". This should be:

structLevel.ReportError(
    reflect.ValueOf(tier.Spec.DefaultAction),
    "TierSpec.DefaultAction",
    "",
    reason(fmt.Sprintf("%v tier default action must be %v", tier.Name, expectedDefaultAction)),
    "",
)

This ensures consistency with how other validation errors are reported in this file.

Copilot uses AI. Check for mistakes.
libcalico-go/lib/validator/v3/validator_test.go
DefaultAction: &defaultActionDeny,
}}, false),
Entry("Tier: allow default tier with the predefined order", &api.Tier{
Entry("Tier: disallow default tier with an invalid default action", &api.Tier{
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing test coverage for static tiers with nil DefaultAction. The validator code would reject static tiers (default, kube-admin, kube-baseline) when DefaultAction is nil, but there are no explicit test cases for this scenario. Consider adding test cases like:

Entry("Tier: disallow default tier with nil default action", &api.Tier{
    ObjectMeta: v1.ObjectMeta{Name: names.DefaultTierName},
    Spec: api.TierSpec{
        Order: &defaultTierOrder,
    }}, false),

Similar test cases should be added for kube-admin and kube-baseline tiers to explicitly verify this validation requirement.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-not-required Docs not required for this change release-note-not-required Change has no user-facing impact

Projects

None yet

Milestone

Calico v3.32.0

Development

Successfully merging this pull request may close these issues.

2 participants

@mazdakn @marvin-tigera