fix: correct DLQ runbook CEL null-check guidance #213

Closed
ecv wants to merge 1 commit into main from fix/dlq-gateway-summary-cel-null-safe-212
ecv commented Jun 27, 2026

Contributor

What

Correct the `cel_summary` remediation in `docs/runbooks/dlq/policy-dlq-errors.md`.
The documented null check guarded only the root object
(`has(audit.responseObject)`), which does not prevent `no such key: name` when
`responseObject` is present but `metadata.name` is absent (DELETE, status
subresource, error/forbidden responses). Guard the full leaf path instead.

Why

Surfaced by a prod DLQSlowLeak on gateway.networking.k8s.io-gateway
(~120 Gateway audit events/6h to the DLQ). The runbook's suggested fix would
not have resolved it. See #212 for the full investigation.

Changes

  • `has(audit.responseObject.metadata.name)` instead of `has(audit.responseObject)`
  • Same leaf-path guard applied to the `spec.type` DELETE example

Scope / does NOT fix prod

Docs only. The live leak is a standalone ActivityPolicy CR
(gateway.networking.k8s.io-gateway) that is not version-controlled in this
repo — see #212. Stopping the prod leak requires correcting that CR's rule 0
summary CEL; merging this PR does not do that on its own.

Refs #212

The documented remediation for cel_summary DLQ errors guarded only the root
object (`has(audit.responseObject)`), which does not prevent
`no such key: name` when responseObject is present but metadata.name is
absent (DELETE, status subresource, and error/forbidden responses). Guard the
full leaf path instead so the example actually fixes the failure it claims to.

Refs #212

Key changes:
- has(audit.responseObject.metadata.name) instead of has(audit.responseObject)
- apply the same leaf-path guard to the spec.type DELETE example
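
The failure mode described in this PR, as an added example (not code from the PR or the runbook): a small Python model of CEL field selection and `has()` over map-shaped audit events, comparing the root guard with the leaf-path guard. Assumptions: events are plain maps rather than typed messages, the `"<unknown>"` fallback and the sample events are constructed, and the `no_response` case goes beyond the PR to show that `has()` tests only the last path segment.

```python
# Added example: a model of CEL field selection and has() over map data.
# Assumption: audit events reach the policy as plain maps (JSON), not typed protos.

class CelError(Exception):
    """Stands in for a CEL runtime error such as 'no such key: name'."""

def select(obj, path):
    """CEL field selection a.b.c on maps: a missing key is a runtime error."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            raise CelError(f"no such key: {key}")
        obj = obj[key]
    return obj

def has(obj, path):
    """CEL has(a.b.c): evaluates a.b, then tests only whether 'c' is present."""
    parent = select(obj, path[:-1])
    return isinstance(parent, dict) and path[-1] in parent

LEAF = ["responseObject", "metadata", "name"]

def summarize(audit, guard):
    """Model of: has(<guard>) ? audit.responseObject.metadata.name : "<unknown>"."""
    try:
        return select(audit, LEAF) if has(audit, guard) else "<unknown>"
    except CelError as err:
        return f"DLQ: {err}"  # the event would land in the dead-letter queue

# Constructed sample events (not taken from the incident in #212).
EVENTS = {
    "create": {"verb": "create",
               "responseObject": {"kind": "Gateway", "metadata": {"name": "gw-a"}}},
    "delete": {"verb": "delete",
               "responseObject": {"kind": "Status", "metadata": {}}},
    "no_response": {"verb": "get"},  # no responseObject recorded at all
}

def run(guard):
    """Evaluate the summary for every sample event under the given guard path."""
    return {label: summarize(event, guard) for label, event in EVENTS.items()}

if __name__ == "__main__":
    print("root guard:", run(["responseObject"]))
    print("leaf guard:", run(LEAF))
```

Under these map semantics, a guard that must also tolerate a missing `responseObject` checks each level in turn, for example `has(audit.responseObject) && has(audit.responseObject.metadata) && has(audit.responseObject.metadata.name)`.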