Skip to content

fix(activity-policies): gate create rules on 2xx outcome#241

Open
ecv wants to merge 1 commit into
mainfrom
fix/activity-policy-2xx-gate
Open

fix(activity-policies): gate create rules on 2xx outcome#241
ecv wants to merge 1 commit into
mainfrom
fix/activity-policy-2xx-gate

Conversation

@ecv

@ecv ecv commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Failed create requests (e.g. a 403) return a metav1.Status object as the audit responseObject, not the created resource. ActivityPolicy summary templates that dereference audit.responseObject.metadata.name therefore threw on those payloads, routing the events to the DLQ (DLQSlowLeak). Ungated create rules also emitted false "created" activities for attempts that actually failed.

This gates every create rule on the request outcome by appending audit.responseStatus.code >= 200 && audit.responseStatus.code < 300 to the match expression, so failed attempts produce no activity. This matches the pattern milo standardized on in commit 2b82751.

Changes

All 8 policies in config/milo/activity/policies/ — both create rules (the primary create + the no-spec create-fallback) are gated in each:

  • domain-policy.yaml
  • httpproxy-policy.yaml
  • httproute-policy.yaml
  • gateway-policy.yaml
  • connector-policy.yaml — the policy named in the issue; its create summary derefs audit.responseObject.metadata.name, which was the DLQ trigger
  • connectoradvertisement-policy.yaml
  • trafficprotectionpolicy-policy.yaml
  • backendtlspolicy-policy.yaml

16 create-rule match expressions updated total. Create rules with existing trailing has(...)/size(...) clauses keep those clauses; the outcome guard is appended after them. Delete/update/patch rules are untouched.

Policies ship as raw YAML referenced directly by kustomization.yaml; no generate/bundle step applies.

Tracks milo-os/activity#215.

🤖 Generated with Claude Code

Failed creates (e.g. 403) return a metav1.Status as responseObject, so
summary templates dereferencing audit.responseObject.metadata.name threw
and routed events to the DLQ (DLQSlowLeak). Guard every create rule on
audit.responseStatus.code in [200,300) so failed attempts produce no
activity, matching the pattern milo standardized on in 2b82751.

Tracks milo-os/activity#215.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant