💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c881c4c899
| // Allow DNS (cluster resolvers are usually local). | ||
| netpol.add_egress_rule(NetworkPolicyEgressRule { | ||
| to: vec![NetworkPolicyPeer { | ||
| pod_selector: None, | ||
| namespace_selector: None, |
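Review bot: The peer in this hunk has both pod_selector and namespace_selector set to None; unless an ip_block follows in the truncated lines, that serializes to an empty NetworkPolicyPeer, which the API server rejects ("must specify a peer": at least one of podSelector, namespaceSelector or ipBlock is required). For the DNS rule the comment describes ("cluster resolvers are usually local"), an ipBlock will not do either, because the resolver's service IP sits inside the private ranges the internet rule excludes; the usual shape is `namespace_selector: Some(LabelSelector::default())` (an empty selector matches all namespaces) together with `ports` restricted to 53/UDP and 53/TCP, so that the rule allows DNS and nothing more.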
Guard default egress rules to avoid blocking private services
NetworkPolicy::new defaults to policy_types: ["Ingress"], so previously components with no egress_from_consumers or egress_to_router ended up with no egress rules and therefore retained unrestricted egress. With this change, every component always gets DNS + "internet" egress rules and an ipBlock that excludes LOCAL_NETWORK_CIDRS, which implicitly enables Egress policy for all pods and blocks private/VPC/cluster ranges even when the component has no explicit egress bindings. That is a behavior change from the previous gating and will break workloads that rely on reaching private endpoints (e.g., databases or cluster services not represented in Amber bindings). Consider re-introducing the conditional so these rules are only added when egress restrictions are intended.
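The gating the review asks for, written out as an added example rather than the project's own code. It uses small stand-in structs in place of the k8s-openapi NetworkPolicy types (field names assumed to mirror those types), a constructed LOCAL_NETWORK_CIDRS list, and a `restrict_egress` flag standing in for "the component has egress_from_consumers or egress_to_router bindings". It also shows the two checks a reporter can run before emitting a manifest: that "Egress" is in policyTypes whenever egress rules exist (otherwise the rules are silently ignored), and that every peer sets at least one of podSelector, namespaceSelector or ipBlock.

```rust
use std::collections::BTreeMap;

/// Private ranges excluded from "internet" egress. Constructed for this
/// example; the project's real LOCAL_NETWORK_CIDRS list is not shown on the page.
pub const LOCAL_NETWORK_CIDRS: &[&str] = &[
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
];

/// Label selector as match_labels. An empty map matches everything, the
/// same semantics as an empty selector in the Kubernetes API.
pub type LabelSelector = BTreeMap<String, String>;

#[derive(Debug, Clone, Default, PartialEq)]
pub struct IpBlock {
    pub cidr: String,
    pub except: Vec<String>,
}

/// Stand-in for k8s_openapi's NetworkPolicyPeer (assumed field names).
#[derive(Debug, Clone, Default, PartialEq)]
pub struct NetworkPolicyPeer {
    pub pod_selector: Option<LabelSelector>,
    pub namespace_selector: Option<LabelSelector>,
    pub ip_block: Option<IpBlock>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct NetworkPolicyPort {
    pub protocol: &'static str,
    pub port: u16,
}

#[derive(Debug, Clone, Default, PartialEq)]
pub struct NetworkPolicyEgressRule {
    pub to: Vec<NetworkPolicyPeer>,
    pub ports: Vec<NetworkPolicyPort>,
}

#[derive(Debug, Clone, Default, PartialEq)]
pub struct NetworkPolicy {
    pub policy_types: Vec<String>,
    pub egress: Vec<NetworkPolicyEgressRule>,
}

/// Mirrors API-server validation: a peer with none of the three fields is
/// rejected ("must specify a peer"), and ipBlock cannot be combined with a
/// selector in the same peer.
pub fn validate_peer(peer: &NetworkPolicyPeer) -> Result<(), String> {
    let has_selector = peer.pod_selector.is_some() || peer.namespace_selector.is_some();
    if !has_selector && peer.ip_block.is_none() {
        return Err("peer must set podSelector, namespaceSelector or ipBlock".into());
    }
    if peer.ip_block.is_some() && has_selector {
        return Err("ipBlock cannot be combined with a selector in one peer".into());
    }
    Ok(())
}

/// DNS to the cluster resolvers: all namespaces, port 53 only. A selector is
/// needed here because the resolver's service IP lies inside the private
/// ranges that the internet rule excludes.
pub fn dns_rule() -> NetworkPolicyEgressRule {
    NetworkPolicyEgressRule {
        to: vec![NetworkPolicyPeer { namespace_selector: Some(LabelSelector::new()), ..Default::default() }],
        ports: vec![
            NetworkPolicyPort { protocol: "UDP", port: 53 },
            NetworkPolicyPort { protocol: "TCP", port: 53 },
        ],
    }
}

/// "Internet" egress: every address except the private ranges.
pub fn internet_rule() -> NetworkPolicyEgressRule {
    NetworkPolicyEgressRule {
        to: vec![NetworkPolicyPeer {
            ip_block: Some(IpBlock {
                cidr: "0.0.0.0/0".into(),
                except: LOCAL_NETWORK_CIDRS.iter().map(|c| c.to_string()).collect(),
            }),
            ..Default::default()
        }],
        ports: vec![],
    }
}

/// Build the policy for one component. Only when egress restrictions are
/// intended is "Egress" added to policy_types: once it is present, every
/// destination not matched by a rule is denied, so adding the DNS+internet
/// pair unconditionally would cut pods off from private endpoints.
pub fn build_policy(restrict_egress: bool) -> NetworkPolicy {
    let mut netpol = NetworkPolicy { policy_types: vec!["Ingress".into()], egress: vec![] };
    if restrict_egress {
        netpol.policy_types.push("Egress".into());
        netpol.egress.push(dns_rule());
        netpol.egress.push(internet_rule());
    }
    netpol
}

/// Consistency check to run before emitting the manifest.
pub fn validate_policy(netpol: &NetworkPolicy) -> Result<(), String> {
    let has_egress_type = netpol.policy_types.iter().any(|t| t == "Egress");
    if !netpol.egress.is_empty() && !has_egress_type {
        return Err("egress rules present but policyTypes lacks Egress: rules are ignored".into());
    }
    for rule in &netpol.egress {
        for peer in &rule.to {
            validate_peer(peer)?;
        }
    }
    Ok(())
}

fn main() {
    for restrict in [false, true] {
        let netpol = build_policy(restrict);
        validate_policy(&netpol).expect("policy should validate");
        println!("restrict_egress={}: policy_types={:?}, egress rules={}", restrict, netpol.policy_types, netpol.egress.len());
    }
}
```

With `restrict_egress == false` the policy keeps `policy_types: ["Ingress"]` and no egress rules, so egress stays unrestricted as before; with `true` it carries both rules and the explicit "Egress" type. The validator catches the two ways this goes wrong silently: rules emitted without the "Egress" type, and a peer whose selectors are both `None`.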
Branch updated: c881c4c to 23b22f6.
This fixes an issue with the docker-compose reporter (and possibly the k8s reporter) where internet egress was mistakenly disallowed.