Describe the bug
Aviatrix FirewallPolicy incorrectly includes both permit and deny rules. Despite explicitly allowing certain domains, a deny-all-external rule is still added, which is unexpected given the configuration. The policy should only include the allow rule in this scenario.
PreReq - Have the CRD for Aviatrix FirewallPolicy created in the cluster.
Obot installed with:
```
--set config.OBOT_SERVER_MCPNETWORK_POLICY_PROVIDER_CHART_REPO="https://charts.obot.ai" --set config.OBOT_SERVER_MCPNETWORK_POLICY_PROVIDER_CHART_NAME="aviatrix-network-policy-controller" --set config.OBOT_SERVER_MCPNETWORK_POLICY_PROVIDER_CHART_VERSION="v0.0.1" --set config.OBOT_SERVER_MCPDEFAULT_DENY_ALL_EGRESS=true
```
To Reproduce
Steps to reproduce the behavior:
- Create an MCP server entry and configure Egress Domain to allow a couple of domains.
- Connect to this MCP server.
Notice that the firewall policy created for this MCP server has both a permit and a deny action:
```yaml
spec:
  rules:
    - action: permit
      destinationSmartGroups:
        - name: any-destination
      logging: true
      name: allow-approved-egress
      port: 443
      protocol: tcp
      selector:
        matchLabels:
          app: ms14bqzs
      webGroups:
        - name: obot-ms14bqzs-approved-domains
    - action: deny
      destinationSmartGroups:
        - name: any-destination
      logging: true
      name: deny-all-external
      protocol: any
      selector:
        matchLabels:
          app: ms14bqzs
  smartGroups:
    - name: obot-ms14bqzs-pods
      selectors:
        - k8sNamespace: obot-mcp
          tags:
            app: ms14bqzs
          type: k8s
    - name: any-destination
      selectors:
        - cidr: 0.0.0.0/0
  webGroups:
    - domains:
        - '*.san.com'
        - sangee.com
      name: obot-ms14bqzs-approved-domains
```
Expected behavior
The firewall policy should not include the deny action in this case.
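The generated policy, loaded into a small checker so the reported condition (permit and deny rules targeting the same pod selector) can be detected programmatically and the effect of the rule set on sample destinations inspected. This is an added example written for this page, not Obot or Aviatrix code: the spec is transcribed from the YAML in the issue into a dict (so it runs without a YAML library), the `ms14bqzs` and `obot-mcp` names come from the issue, and the evaluation semantics (rules evaluated in listed order with the first match winning, an implicit deny when nothing matches, shell-style wildcard domain matching, only CIDR smart-group selectors modeled) are assumptions, not the controller's documented behaviour.

```python
"""Inspect an Aviatrix FirewallPolicy spec and simulate rule evaluation.

Added example (not Obot or Aviatrix code). The policy is transcribed from
the issue; evaluation semantics are assumptions, noted inline.
"""
import ipaddress
from fnmatch import fnmatchcase

# Policy spec from the issue, transcribed from YAML into a dict.
POLICY = {
    "rules": [
        {"action": "permit", "name": "allow-approved-egress", "logging": True,
         "destinationSmartGroups": [{"name": "any-destination"}],
         "port": 443, "protocol": "tcp",
         "selector": {"matchLabels": {"app": "ms14bqzs"}},
         "webGroups": [{"name": "obot-ms14bqzs-approved-domains"}]},
        {"action": "deny", "name": "deny-all-external", "logging": True,
         "destinationSmartGroups": [{"name": "any-destination"}],
         "protocol": "any",
         "selector": {"matchLabels": {"app": "ms14bqzs"}}},
    ],
    "smartGroups": [
        {"name": "obot-ms14bqzs-pods",
         "selectors": [{"k8sNamespace": "obot-mcp", "tags": {"app": "ms14bqzs"}, "type": "k8s"}]},
        {"name": "any-destination", "selectors": [{"cidr": "0.0.0.0/0"}]},
    ],
    "webGroups": [
        {"name": "obot-ms14bqzs-approved-domains", "domains": ["*.san.com", "sangee.com"]},
    ],
}


def rules_for_app(spec, app):
    """Rules whose pod selector targets the given app label, in listed order."""
    return [r for r in spec.get("rules", [])
            if r.get("selector", {}).get("matchLabels", {}).get("app") == app]


def actions_for_app(spec, app):
    """Distinct actions aimed at one app; ['deny', 'permit'] is the mix the issue reports."""
    return sorted({r["action"] for r in rules_for_app(spec, app)})


def web_group_domains(spec, name):
    for wg in spec.get("webGroups", []):
        if wg["name"] == name:
            return wg.get("domains", [])
    return []


def smart_group_matches(spec, name, dest_ip):
    """True if a CIDR selector of the named smart group contains dest_ip.
    ASSUMPTION: only CIDR selectors are modeled; k8s tag selectors are skipped."""
    for sg in spec.get("smartGroups", []):
        if sg["name"] != name:
            continue
        for sel in sg.get("selectors", []):
            if "cidr" in sel and ipaddress.ip_address(dest_ip) in ipaddress.ip_network(sel["cidr"], strict=False):
                return True
    return False


def rule_matches(spec, rule, host, dest_ip, port, proto):
    """Match protocol, port, destination smart group and (if present) web-group domains."""
    if rule.get("protocol", "any") not in ("any", proto):
        return False
    if "port" in rule and rule["port"] != port:
        return False
    groups = rule.get("destinationSmartGroups", [])
    if groups and not any(smart_group_matches(spec, g["name"], dest_ip) for g in groups):
        return False
    if "webGroups" in rule:
        # ASSUMPTION: '*.san.com' is matched as a shell-style wildcard.
        domains = [d for g in rule["webGroups"] for d in web_group_domains(spec, g["name"])]
        if not any(fnmatchcase(host.lower(), d.lower()) for d in domains):
            return False
    return True


def evaluate(spec, app, host, dest_ip, port, proto="tcp"):
    """ASSUMPTION: first matching rule in listed order decides; no match means deny."""
    for rule in rules_for_app(spec, app):
        if rule_matches(spec, rule, host, dest_ip, port, proto):
            return rule["action"], rule["name"]
    return "deny", "<implicit-default>"


if __name__ == "__main__":
    print("actions for ms14bqzs:", actions_for_app(POLICY, "ms14bqzs"))
    for host, port, proto in [("api.san.com", 443, "tcp"), ("sangee.com", 80, "tcp"),
                              ("example.org", 443, "tcp")]:
        print(host, port, proto, "->", evaluate(POLICY, "ms14bqzs", host, "203.0.113.10", port, proto))
```

To run this against a live cluster, replace `POLICY` with the `spec` of the FirewallPolicy object returned by `kubectl ... -o yaml` for the MCP server's namespace; `actions_for_app` returning more than one action for a single app label is the condition the issue describes, and `evaluate` shows which rule would fire for a given destination under the assumed first-match ordering.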