more feedback

Signed-off-by: Zahari Dichev <[email protected]>

policy-controller/k8s/index/src/outbound/index.rs

@@ -385,7 +385,7 @@ impl kubert::index::IndexNamespacedResource<linkerd_k8s_api::EgressNetwork> for
             .insert(egress_net_ref, egress_network_info);
 
         self.reindex_resources();
-        self.reinitialize_egress_watches(ns.clone());
+        self.reinitialize_egress_watches(&ns);
         self.reinitialize_fallback_watches()
     }
 
@@ -399,7 +399,7 @@ impl kubert::index::IndexNamespacedResource<linkerd_k8s_api::EgressNetwork> for
         self.egress_networks_by_ref.remove(&egress_net_ref);
 
         self.reindex_resources();
-        self.reinitialize_egress_watches(Arc::new(egress_net_ref.namespace.clone()));
+        self.reinitialize_egress_watches(&egress_net_ref.namespace);
         self.reinitialize_fallback_watches()
     }
 }
@@ -652,9 +652,9 @@ impl Index {
         }
     }
 
-    fn reinitialize_egress_watches(&mut self, namespace: Arc<String>) {
+    fn reinitialize_egress_watches(&mut self, namespace: &str) {
         for ns in self.namespaces.by_ns.values_mut() {
-            if namespace == self.global_egress_network_namespace || namespace == ns.namespace {
+            if namespace == &*self.global_egress_network_namespace || namespace == &*ns.namespace {
                 ns.reinitialize_egress_watches()
             }
         }

policy-test/src/lib.rs

@@ -349,6 +349,11 @@ impl Resource {
 
     pub fn ip(&self) -> String {
         match self {
+            // For EgressNetwork, we can just return a non-private
+            // IP address as our default cluster setup dictates that
+            // all non-private networks are considered egress. Since
+            // we do not modify this setting in tests for the time being,
+            // returning 1.1.1.1 is fine.
             Self::EgressNetwork(_) => "1.1.1.1".to_string(),
             Self::Service(s) => s
                 .spec

policy-test/tests/e2e_egress_network.rs

@@ -0,0 +1,53 @@
+use linkerd_policy_controller_k8s_api as k8s;
+use linkerd_policy_test::{
+    await_condition, create, create_ready_pod, curl, endpoints_ready, update, web, with_temp_ns,
+    LinkerdInject,
+};
+
+#[tokio::test(flavor = "current_thread")]
+async fn default_traffic_policy() {
+    with_temp_ns(|client, ns| async move {
+        let mut egress_net = create(
+            &client,
+            k8s::policy::EgressNetwork {
+                metadata: k8s::ObjectMeta {
+                    namespace: Some(ns.clone()),
+                    name: Some("all-egress".to_string()),
+                    ..Default::default()
+                },
+                spec: k8s::policy::EgressNetworkSpec {
+                    networks: None,
+                    traffic_policy: k8s::policy::TrafficPolicy::Allow,
+                },
+                status: None,
+            },
+        )
+        .await;
+
+        let curl = curl::Runner::init(&client, &ns).await;
+
+        let allowed = curl
+            .run(
+                "curl-allowed",
+                "http://httpbin.org/get",
+                LinkerdInject::Enabled,
+            )
+            .await;
+        let allowed_status = allowed.http_status_code().await;
+        assert_eq!(allowed_status, 200, "request must be allowed");
+
+        egress_net.spec.traffic_policy = k8s::policy::TrafficPolicy::Deny;
+        update(&client, egress_net).await;
+
+        let not_allowed = curl
+            .run(
+                "curl-not-allowed",
+                "http://httpbin.org/get",
+                LinkerdInject::Enabled,
+            )
+            .await;
+        let not_allowed_status = not_allowed.http_status_code().await;
+        assert_eq!(not_allowed_status, 403, "request must be blocked");
+    })
+    .await;
+}