@adleong's feedback

linkerd · Jul 23, 2024 · a9caff0 · a9caff0
1 parent c05a671
commit a9caff0
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 19 deletions.
diff --git a/policy-controller/k8s/index/src/defaults.rs b/policy-controller/k8s/index/src/defaults.rs
@@ -85,15 +85,29 @@ impl DefaultPolicy {
         config: &ClusterInfo,
     ) -> HashMap<AuthorizationRef, ClientAuthorization> {
         let mut authzs = HashMap::default();
-        let (authenticated_only, cluster_only) = match self {
-            DefaultPolicy::Allow {
-                authenticated_only,
-                cluster_only,
-            } => (authenticated_only, cluster_only),
-            DefaultPolicy::Deny => return authzs,
-            DefaultPolicy::Audit => (false, false),
-        };
+        let auth_ref = AuthorizationRef::Default(self.as_str());
+
+        if let DefaultPolicy::Allow {
+            authenticated_only,
+            cluster_only,
+        } = self
+        {
+            authzs.insert(
+                auth_ref,
+                Self::default_client_authz(config, authenticated_only, cluster_only),
+            );
+        } else if let DefaultPolicy::Audit = self {
+            authzs.insert(auth_ref, Self::default_client_authz(config, false, false));
+        }
+
+        authzs
+    }
 
+    fn default_client_authz(
+        config: &ClusterInfo,
+        authenticated_only: bool,
+        cluster_only: bool,
+    ) -> ClientAuthorization {
         let authentication = if authenticated_only {
             ClientAuthentication::TlsAuthenticated(vec![IdentityMatch::Suffix(vec![])])
         } else {
@@ -107,14 +121,11 @@ impl DefaultPolicy {
                 "::/0".parse::<IpNet>().unwrap().into(),
             ]
         };
-        authzs.insert(
-            AuthorizationRef::Default(self.as_str()),
-            ClientAuthorization {
-                authentication,
-                networks,
-            },
-        );
-        authzs
+
+        ClientAuthorization {
+            authentication,
+            networks,
+        }
     }
 }
 

diff --git a/policy-controller/k8s/index/src/inbound/index.rs b/policy-controller/k8s/index/src/inbound/index.rs
@@ -1753,9 +1753,7 @@ impl PolicyIndex {
             authzs.insert(reference, authz);
         }
 
-        if let Some(p @ DefaultPolicy::Allow { .. }) | Some(p @ DefaultPolicy::Audit) =
-            server.access_policy
-        {
+        if let Some(p) = server.access_policy {
             authzs.extend(p.default_authzs(&self.cluster_info));
         }