fix(kuma-cp): allow empty 'to' override by Automaat · Pull Request #16212 · kumahq/kuma

Automaat · 2026-04-10T09:16:11Z

Motivation

Several policy validators reject empty to lists, which blocks users
from using a narrow-scope policy to disable rules inherited from a
broader policy. Example that currently fails validation:

apiVersion: kuma.io/v1alpha1
kind: MeshHealthCheck
metadata:
  name: disable-for-web
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: web
  to: []

Changelog: fix(policies): allow empty 'to' override

Implementation information

Relaxes the len(to) == 0 check in:

MeshLoadBalancingStrategy validator
MeshRetry validator

The merge layer (pkg/plugins/policies/core/rules/merge/merge.go) already
supports this override semantic: it uses RFC 7396 JSON Merge Patch and
replaces (not appends) slice fields. So a narrower policy with to: []
overwrites the inherited to: [...] for matched Dataplanes, resulting
in no rules applied (Envoy defaults take over). Only the validators
were blocking the UX; no merge logic changes required.

Policies not touched:

MeshRateLimit — already permits empty to on gateway scope
MeshHealthCheck / MeshHTTPRoute / MeshTCPRoute — no explicit
length check, already allowed
MeshAccessLog / MeshCircuitBreaker / MeshFaultInjection /
MeshTimeout — require at least one of from/to/rules, which
is the right rule for policies that support the rules format

Tests updated:

meshloadbalancingstrategy/api/v1alpha1/validator_test.go: drop the
"needs at least one item" expectation; add a valid case for empty
to override
meshretry/api/v1alpha1/validator_test.go: convert the empty to
error case to a valid case; add an explicit override entry

Supporting documentation

Issue: Verify whether validators that allow an empty list of to are correct #13294
Merge semantics: pkg/plugins/policies/core/rules/merge/merge.go

Relax validators on MeshLoadBalancingStrategy and MeshRetry to permit empty 'to' lists. This enables narrow-scope policies to disable rules inherited from broader policies via merge (RFC 7396 replaces 'to: [...]' with 'to: []' for that Dataplane). Signed-off-by: Marcin Skalski <skalskimarcin33@gmail.com>

Copilot

Pull request overview

Relaxes validation in Kuma policy APIs to allow to: [] as an explicit override, enabling narrow-scope policies (e.g., per-Dataplane) to disable rules inherited from broader-scope policies—consistent with the existing merge semantics (slice replacement via RFC 7396 JSON Merge Patch).

Changes:

Remove the “needs at least one item” validation constraint for empty to in MeshRetry and MeshLoadBalancingStrategy.
Update validator tests to treat empty to as a valid override case and drop the previous “empty to is invalid” expectations.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
pkg/plugins/policies/meshretry/api/v1alpha1/validator.go	Removes the `len(to)==0` violation so empty `to` can pass validation.
pkg/plugins/policies/meshretry/api/v1alpha1/validator_test.go	Updates test cases to assert empty `to` is valid (override use-case).
pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/validator.go	Removes the `len(to)==0` violation so empty `to` can pass validation.
pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/validator_test.go	Drops the “needs at least one item” expectation and adds a valid empty-`to` override case.

github-actions · 2026-04-10T22:09:14Z

Reviewer Checklist

🔍 Each of these sections need to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non obvious.

Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
PR description is clear and complete. It Links to relevant issue as well as docs and UI issues
This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as an image registry)
IPv6 is taken into account (.e.g: no string concatenation of host port)
Tests (Unit test, E2E tests, manual test on universal and k8s)
- Don't forget ci/ labels to run additional/fewer tests
Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

## Motivation Closes #13294. Several policy validators reject empty `to` lists, which blocks users from using a narrow-scope policy to disable rules inherited from a broader policy. Example that currently fails validation: ```yaml apiVersion: kuma.io/v1alpha1 kind: MeshHealthCheck metadata: name: disable-for-web spec: targetRef: kind: Dataplane labels: app: web to: [] ``` > Changelog: fix(policies): allow empty 'to' override ## Implementation information Relaxes the `len(to) == 0` check in: - `MeshLoadBalancingStrategy` validator - `MeshRetry` validator The merge layer (`pkg/plugins/policies/core/rules/merge/merge.go`) already supports this override semantic: it uses RFC 7396 JSON Merge Patch and replaces (not appends) slice fields. So a narrower policy with `to: []` overwrites the inherited `to: [...]` for matched Dataplanes, resulting in no rules applied (Envoy defaults take over). Only the validators were blocking the UX; no merge logic changes required. Policies not touched: - `MeshRateLimit` — already permits empty `to` on gateway scope - `MeshHealthCheck` / `MeshHTTPRoute` / `MeshTCPRoute` — no explicit length check, already allowed - `MeshAccessLog` / `MeshCircuitBreaker` / `MeshFaultInjection` / `MeshTimeout` — require at least one of `from`/`to`/`rules`, which is the right rule for policies that support the `rules` format Tests updated: - `meshloadbalancingstrategy/api/v1alpha1/validator_test.go`: drop the "needs at least one item" expectation; add a valid case for empty `to` override - `meshretry/api/v1alpha1/validator_test.go`: convert the empty `to` error case to a valid case; add an explicit override entry ## Supporting documentation - Issue: #13294 - Merge semantics: `pkg/plugins/policies/core/rules/merge/merge.go` Signed-off-by: Marcin Skalski <skalskimarcin33@gmail.com>

Automaat added the ci/skip-test PR: Don't run unit and e2e tests (maybe this is just a doc change) label Apr 10, 2026

Automaat requested a review from a team as a code owner April 10, 2026 09:16

Automaat requested review from bartsmykla, Copilot and slonka April 10, 2026 09:16

Copilot started reviewing on behalf of Automaat April 10, 2026 09:16 View session

Copilot AI reviewed Apr 10, 2026

View reviewed changes

Automaat changed the title ~~fix(policies): allow empty 'to' override~~ fix(kuma-cp): allow empty 'to' override Apr 10, 2026

bartsmykla approved these changes Apr 13, 2026

View reviewed changes

Automaat merged commit f466403 into kumahq:master Apr 13, 2026
18 of 19 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(kuma-cp): allow empty 'to' override#16212

fix(kuma-cp): allow empty 'to' override#16212
Automaat merged 1 commit intokumahq:masterfrom
Automaat:fix/validators-allow-empty-to

Automaat commented Apr 10, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

github-actions bot commented Apr 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Automaat commented Apr 10, 2026

Motivation

Implementation information

Supporting documentation

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

github-actions bot commented Apr 10, 2026

Reviewer Checklist

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants