policy: Fix pass precedence test

jrajahalme · jrajahalme · commit 974b051fe5a0 · 2026-05-23T22:32:47.000+02:00
Leave enough space after the pass verdict for all the passed rules to fit
in before the following rules on the same tier. This is the requirement
of the current API for correct behavior.

Signed-off-by: Jarno Rajahalme &lt;jarno@isovalent.com&gt;
diff --git a/tests/cilium_network_policy_test.cc b/tests/cilium_network_policy_test.cc
@@ -1928,7 +1928,7 @@ TEST_F(CiliumNetworkPolicyTest, Precedence) {
       remote_policies: [ 42 ]
   - port: 80
     rules:
-    - precedence: 850
+    - precedence: 750
       deny: true
     - precedence: 600
       remote_policies: [ 41, 42, 43 ]
@@ -1947,10 +1947,16 @@ TEST_F(CiliumNetworkPolicyTest, Precedence) {
     - rules:
       - remotes: [41]
         deny: true
-        precedence: 1150
+        precedence: 1050
+      - remotes: [42]
+        precedence: 800
+        http_rules:
+        - headers:
+          - name: ":path"
+            value: "/multi-tier"
       - remotes: []
         deny: true
-        precedence: 850
+        precedence: 750
 egress:
   rules: []
 )EOF";
@@ -1959,8 +1965,8 @@ TEST_F(CiliumNetworkPolicyTest, Precedence) {
 
   // Remote 41 hits the promoted deny from tier 1.
   EXPECT_FALSE(ingressAllowed("10.1.2.3", 41, 80, {{":path", "/multi-tier"}}));
-  // Remote 42 is promoted by the lower wildcard tier, but remains below deny.
-  EXPECT_FALSE(ingressAllowed("10.1.2.3", 42, 80, {{":path", "/multi-tier"}}));
+  // Remote 42 is promoted by the lower wildcard tier
+  EXPECT_TRUE(ingressAllowed("10.1.2.3", 42, 80, {{":path", "/multi-tier"}}));
   // Remote 43 is not promoted and is denied.
   EXPECT_FALSE(ingressAllowed("10.1.2.3", 43, 80, {{":path", "/multi-tier"}}));
 
@@ -1998,10 +2004,10 @@ TEST_F(CiliumNetworkPolicyTest, Precedence) {
                             EnvoyException,
                             "PortNetworkPolicy: Inconsistent pass precedence 600 != 700");
 
-  // Failed update must leave policy unchanged from version 10.
+  // Failed update must leave policy unchanged from version 14.
   EXPECT_TRUE(validate("10.1.2.3", expected14));
   EXPECT_FALSE(ingressAllowed("10.1.2.3", 41, 80, {{":path", "/multi-tier"}}));
-  EXPECT_FALSE(ingressAllowed("10.1.2.3", 42, 80, {{":path", "/multi-tier"}}));
+  EXPECT_TRUE(ingressAllowed("10.1.2.3", 42, 80, {{":path", "/multi-tier"}}));
 
   //
   // 16th update: inherited wildcard pass skips remaining rules on that tier
