
Fix inconsistent wildcard behavior in outbound network policy rules #676

Draft
Copilot wants to merge 2 commits into master from copilot/fix-wildcard-application-behaviour

Copilot AI commented May 20, 2026

application: '*' in outbound access policy rules was silently skipped, while the same wildcard in inbound rules correctly produced an empty podSelector (match all). This meant the two configs below had different runtime behavior despite appearing equivalent in the NAIS console.

Changes

  • networkpolicy.go: Remove the outbound.Application == "*" skip condition in egressRulesFromAccessPolicy. Apply the same wildcard handling as inbound: * → empty LabelSelector for both application and namespace fields.
  • accesspolicy_max.yaml: Update existing test (which already had application: '*', namespace: t2 in outbound) to assert the expected wildcard egress rule is now generated.
  • accesspolicy_egress_allow_all.yaml: New golden file test covering application: '*', namespace: '*' outbound, producing egress with empty podSelector: {} and namespaceSelector: {}.

Before / After

accessPolicy:
  outbound:
    rules:
      - application: '*'
        namespace: some-ns  # was: skipped entirely
                            # now: egress to podSelector: {}, namespaceSelector: {some-ns}

Copilot AI changed the title from "[WIP] Fix inconsistent application wildcard behaviour in ingress/egress" to "Fix inconsistent wildcard behavior in outbound network policy rules" May 20, 2026
Copilot AI requested a review from Starefossen May 20, 2026 11:12
Starefossen requested a review from Muni10 May 20, 2026 11:47
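
The wildcard mapping described in the PR comment above, as an added example that is not the project's code and not part of the thread. Local stand-in types replace the Kubernetes API types; the type names, the `egressPeers` and `selectorFor` helpers, the `skipWildcard` switch and the `app` label key are assumptions.

```go
package main

import "fmt"

// Selector mimics a Kubernetes LabelSelector: an empty, non-nil selector matches everything.
type Selector struct{ MatchLabels map[string]string }

// Peer mimics a NetworkPolicy peer; a nil NamespaceSelector means the policy's own namespace.
type Peer struct{ PodSelector, NamespaceSelector *Selector }

// Rule is one accessPolicy outbound rule as written in the manifest.
type Rule struct{ Application, Namespace string }

// Matches reports whether the selector accepts the given labels.
func (s *Selector) Matches(labels map[string]string) bool {
	for k, v := range s.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// selectorFor maps "*" to an empty selector and any other value to an exact label match.
func selectorFor(key, value string) *Selector {
	if value == "*" {
		return &Selector{}
	}
	return &Selector{MatchLabels: map[string]string{key: value}}
}

// egressPeers builds egress peers from outbound rules. skipWildcard=true reproduces
// the "before" behaviour (rule dropped); false applies the inbound-style mapping.
func egressPeers(rules []Rule, skipWildcard bool) []Peer {
	var peers []Peer
	for _, r := range rules {
		if skipWildcard && r.Application == "*" {
			continue // the rule silently yields no egress peer
		}
		p := Peer{PodSelector: selectorFor("app", r.Application)} // "app" key is assumed
		if r.Namespace != "" {
			p.NamespaceSelector = selectorFor("kubernetes.io/metadata.name", r.Namespace)
		}
		peers = append(peers, p)
	}
	return peers
}

func main() {
	rules := []Rule{{Application: "*", Namespace: "some-ns"}} // constructed sample
	fmt.Println(len(egressPeers(rules, true)), len(egressPeers(rules, false)))
}
```

With the wildcard honoured, `application: '*'` allows egress to every pod in the selected namespace, and `namespace: '*'` extends that to every namespace, so such rules warrant the same review as any other broad allow rule.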

Development

Successfully merging this pull request may close these issues.

Inconsistent application wildcard behaviour in internal ingress/egress