fix(egress): allow credential vault bindings with defaultAction allow #1066
When the network policy uses defaultAction: allow, credential vault bindings no longer require explicit egress allow rules for each host. The host is still validated against pol.Evaluate() so explicit deny rules remain enforced. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…e only pol.Evaluate already combines defaultAction with explicit rules, so the separate explicitAllowRuleMatches check was redundant. Remove it along with the now-unused hostMatchesPattern helper. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…idate The per-binding validateBindingPolicy → explicitAllowCoversHost path already rejects nil policy and uncovered hosts. The early len(Egress) guard was redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2895e27f95
…date error message The blank name check in validateCandidate was redundant — all code paths already go through normalizeCredential which rejects blank names. Also updated the binding host error message to reflect that the check is now policy-based, not explicit-rule-based. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 735992fe97
jwx0925 left a comment
Reviewed the change set. Ignoring the wildcard sampling concern discussed separately, the core behavior looks correct: credential vault bindings now follow the effective egress policy evaluation, allowing defaultAction=allow while still respecting explicit denies.
Summary
- When the network policy uses defaultAction: allow, credential vault bindings no longer require explicit egress allow rules for each binding host.
- The host is still validated against pol.Evaluate() — explicit deny rules remain enforced.
- Tests cover defaultAction: allow pass-through and deny rule enforcement.

Test plan
- TestCredentialVaultAllowsDefaultAllowWithoutExplicitRules — vault create succeeds with defaultAction: allow + empty egress
- TestCredentialVaultDefaultAllowRespectsExplicitDenyRule — vault create rejected when host hit by explicit deny rule
- All tests pass (go test ./...)

🤖 Generated with Claude Code
TestCredentialVaultAllowsDefaultAllowWithoutExplicitRules— vault create succeeds withdefaultAction: allow+ empty egressTestCredentialVaultDefaultAllowRespectsExplicitDenyRule— vault create rejected when host hit by explicit deny rulego test ./...)🤖 Generated with Claude Code