
feat: add GlobalPodSecurity config plumbing #4319

Open
alam-tahmid wants to merge 1 commit into Azure:master from alam-tahmid:tahmidalam/gps-config-plumbing

@alam-tahmid
Contributor

Reason for Change:
Add GlobalPodSecurity config plumbing to support forcing same-VM pod-to-pod traffic through Azure
VFP for NSG evaluation. This is the first of 3 PRs — it adds the config field, endpoint struct wiring, and default
conflist entries.

Issue Fixed:

Requirements:

Notes:
This is PR 1 of 3 for the GlobalPodSecurity feature:

  1. This PR — Config plumbing (NetworkConfig → EndpointInfo → endpoint)
  2. PR 2 — Linux iptables + policy routing implementation
  3. PR 3 — Windows /32 host route implementation

The field defaults to false (no behavioral change until explicitly enabled).

Copilot AI review requested due to automatic review settings April 7, 2026 16:52
@alam-tahmid alam-tahmid requested review from a team as code owners April 7, 2026 16:52
@alam-tahmid alam-tahmid requested a review from jpayne3506 April 7, 2026 16:52
Contributor

Copilot AI left a comment


Pull request overview

This PR introduces GlobalPodSecurity configuration plumbing to carry a new boolean knob from CNI network config into endpoint metadata, and updates default CNI conflists to surface the option (defaulting to false).

Changes:

  • Added globalPodSecurity to CNI NetworkConfig (JSON) and plumbed it into network.EndpointInfo.
  • Extended network endpoint-related structs to carry GlobalPodSecurity.
  • Added unit tests for config unmarshalling and createEpInfo propagation, and updated default Linux/Windows conflists to include the flag (set to false).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| network/endpoint.go | Adds GlobalPodSecurity fields to endpoint and EndpointInfo structs. |
| cni/network/network.go | Wires NetworkConfig.GlobalPodSecurity into generated EndpointInfo. |
| cni/network/network_test.go | Adds coverage to ensure createEpInfo propagates the flag into EndpointInfo. |
| cni/netconfig.go | Adds GlobalPodSecurity to CNI JSON config (globalPodSecurity). |
| cni/netconfig_test.go | Adds JSON unmarshal tests for globalPodSecurity defaulting/values. |
| cni/azure-windows.conflist | Adds "globalPodSecurity": false to default Windows conflist. |
| cni/azure-linux.conflist | Adds "globalPodSecurity": false to default Linux conflist. |


@alam-tahmid force-pushed the tahmidalam/gps-config-plumbing branch from b7af504 to 0d1ce9f on April 7, 2026 17:13
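
An added example, not code from this PR: a small audit of a CNI conflist that separates a `globalPodSecurity` key that is absent from one explicitly set to false, and that surfaces a mistyped value (a quoted "true") as a decode error instead of a silently disabled flag. It assumes the config is decoded with Go's `encoding/json`; the `pluginConf`, `confList` and `FlagState` names, the plugin type names and both sample conflists are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pluginConf is a hypothetical stand-in holding only the fields this check needs.
type pluginConf struct {
	Type              string `json:"type"`
	GlobalPodSecurity *bool  `json:"globalPodSecurity"` // pointer: nil means the key is absent
}

type confList struct {
	Name    string       `json:"name"`
	Plugins []pluginConf `json:"plugins"`
}

// FlagState reports, per plugin type, whether the flag is "absent", "false" or "true".
// A value of the wrong JSON type makes the whole conflist fail to decode.
func FlagState(raw []byte) (map[string]string, error) {
	var cl confList
	if err := json.Unmarshal(raw, &cl); err != nil {
		return nil, fmt.Errorf("conflist rejected: %w", err)
	}
	out := make(map[string]string, len(cl.Plugins))
	for _, p := range cl.Plugins {
		switch {
		case p.GlobalPodSecurity == nil:
			out[p.Type] = "absent"
		case *p.GlobalPodSecurity:
			out[p.Type] = "true"
		default:
			out[p.Type] = "false"
		}
	}
	return out, nil
}

// Constructed sample conflists (not copied from the repository).
const sampleDefault = `{"cniVersion":"0.3.0","name":"azure","plugins":[
 {"type":"azure-vnet","globalPodSecurity":false},
 {"type":"portmap"}]}`
const sampleQuoted = `{"name":"azure","plugins":[{"type":"azure-vnet","globalPodSecurity":"true"}]}`

func main() {
	fmt.Println(FlagState([]byte(sampleDefault)))
	_, err := FlagState([]byte(sampleQuoted))
	fmt.Println(err)
}
```
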