Skip to content

fix: flag inverted TrafficProtectionPolicy paranoia levels via status condition#252

Draft
ecv wants to merge 1 commit into
mainfrom
fix/250-paranoia-status-condition
Draft

fix: flag inverted TrafficProtectionPolicy paranoia levels via status condition#252
ecv wants to merge 1 commit into
mainfrom
fix/250-paranoia-status-condition

Conversation

@ecv

@ecv ecv commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Addresses #250 via option 3 (controller status condition, defense-in-depth) from the issue's root-cause comment.

A TrafficProtectionPolicy whose OWASP CRS detection paranoia level is below its blocking paranoia level is illegal: CRS rule 901500 fails closed and denies every request at phase 1 with HTTP 500 before any attack evaluation. Such a policy silently 500s 100% of traffic with no signal to the tenant about why.

Change

Reject the policy during reconciliation:

  • Set Accepted=False with reason Invalid on the affected ancestor.
  • Skip attachment so the broken directives are never emitted to the data plane.
  • Also surfaces already-persisted policies carrying the inverted configuration.

Test

  • TestParanoiaLevelsResolveError — guard, 4 cases (equal / higher detection / inverted / defaulted inverted).
  • inverted-paranoia case added to both TestProcessTrafficProtectionPolicyForHTTPRoute and TestProcessTrafficProtectionPolicyForGateway, asserting Accepted=False/Invalid and no attachment.

Companion PR

Companion to #251, which implements option 1 (CEL admission validation, the preferred fail-closed fix). CEL only validates on write; this guard catches policies already stored with the bad config and gives tenants an actionable Accepted=False reason. The two are complementary and can merge independently.

A TrafficProtectionPolicy whose OWASP CRS detection paranoia level is
below its blocking paranoia level is an illegal configuration: CRS rule
901500 fails closed and denies every request at phase 1 with HTTP 500
before any attack evaluation. Such a policy silently 500s 100% of traffic
to the protected route with no signal to the tenant about why.

Reject the policy during reconciliation: set Accepted=False with reason
Invalid on the affected ancestor and skip attachment so the broken
directives are never emitted to the data plane. This also surfaces
already-persisted policies that carry the inverted configuration.

Key changes:
- add paranoiaLevelsResolveError guard in the TPP reconciler
- set Accepted=False/Invalid and skip attach for HTTPRoute and Gateway
  targets when detection < blocking
- add unit coverage for the guard and both process paths
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant