Skip to content

fix(activity-policies): gate create rules on 2xx outcome#241

Merged
ecv merged 1 commit into
fix/gateway-activitypolicy-create-summary-dlqfrom
fix/activity-policy-2xx-gate
Jul 13, 2026
Merged

fix(activity-policies): gate create rules on 2xx outcome#241
ecv merged 1 commit into
fix/gateway-activitypolicy-create-summary-dlqfrom
fix/activity-policy-2xx-gate

Conversation

@ecv

@ecv ecv commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Failed create requests (e.g. a 403) return a metav1.Status object as the audit responseObject, not the created resource. ActivityPolicy summary templates that dereference audit.responseObject.metadata.name therefore threw on those payloads, routing the events to the DLQ (DLQSlowLeak). Ungated create rules also emitted false "created" activities for attempts that actually failed.

This gates every create rule on the request outcome by appending audit.responseStatus.code >= 200 && audit.responseStatus.code < 300 to the match expression, so failed attempts produce no activity. This matches the pattern milo standardized on in commit 2b82751.

Changes

All 8 policies in config/milo/activity/policies/ — both create rules (the primary create + the no-spec create-fallback) are gated in each:

  • domain-policy.yaml
  • httpproxy-policy.yaml
  • httproute-policy.yaml
  • gateway-policy.yaml
  • connector-policy.yaml — the policy named in the issue; its create summary derefs audit.responseObject.metadata.name, which was the DLQ trigger
  • connectoradvertisement-policy.yaml
  • trafficprotectionpolicy-policy.yaml
  • backendtlspolicy-policy.yaml

16 create-rule match expressions updated total. Create rules with existing trailing has(...)/size(...) clauses keep those clauses; the outcome guard is appended after them. Delete/update/patch rules are untouched.

Policies ship as raw YAML referenced directly by kustomization.yaml; no generate/bundle step applies.

Tracks milo-os/activity#215.

🤖 Generated with Claude Code

@ecv

ecv commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

this holds until e2e tests are all stable.

@ecv
ecv marked this pull request as draft July 13, 2026 18:54
auto-merge was automatically disabled July 13, 2026 18:54

Pull request was converted to draft

Failed creates (e.g. 403) return a metav1.Status as responseObject, so
summary templates dereferencing audit.responseObject.metadata.name threw
and routed events to the DLQ (DLQSlowLeak). Guard every create rule on
audit.responseStatus.code in [200,300) so failed attempts produce no
activity, matching the pattern milo standardized on in 2b82751.

Tracks milo-os/activity#215.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ecv
ecv force-pushed the fix/activity-policy-2xx-gate branch from ac6953f to 9c80849 Compare July 13, 2026 20:38
@ecv
ecv changed the base branch from main to fix/gateway-activitypolicy-create-summary-dlq July 13, 2026 20:50
@ecv
ecv marked this pull request as ready for review July 13, 2026 20:50
@ecv
ecv merged commit c2145cc into fix/gateway-activitypolicy-create-summary-dlq Jul 13, 2026
10 of 11 checks passed
@ecv
ecv deleted the fix/activity-policy-2xx-gate branch July 13, 2026 20:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant