fix(policy): race condition when listener state is switched from Ignored to Ready (backport of #16323) (#16341)

kumahq[bot] · web-flow · commit 365c8cd1c444 · 2026-04-22T15:29:57.000+02:00
Automatic cherry-pick of #16323 for branch release-2.12 Generated by [action](https://github.com/kumahq/kuma/actions/runs/24769454777) cherry-picked commit 39e1834 --------- Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
diff --git a/api/mesh/v1alpha1/dataplane_helpers.go b/api/mesh/v1alpha1/dataplane_helpers.go
@@ -297,9 +297,6 @@ func (n *Dataplane_Networking) GetInboundForPort(port uint32) *Dataplane_Network
 func (n *Dataplane_Networking) InboundsSelectedBySectionName(sectionName string) []InboundInterface {
 	var selectedInbounds []InboundInterface
 	for _, inbound := range n.Inbound {
-		if inbound.State == Dataplane_Networking_Inbound_Ignored {
-			continue
-		}
 		if sectionName == "" || inbound.GetSectionName() == sectionName {
 			selectedInbounds = append(selectedInbounds, n.ToInboundInterface(inbound))
 		}
diff --git a/api/mesh/v1alpha1/dataplane_helpers_test.go b/api/mesh/v1alpha1/dataplane_helpers_test.go
@@ -138,6 +138,71 @@ var _ = Describe("Dataplane_Networking", func() {
 		})
 	})
 
+	Describe("InboundsSelectedBySectionName()", func() {
+		type testCase struct {
+			sectionName string
+			expected    []InboundInterface
+		}
+
+		DescribeTable("should select inbounds regardless of their state",
+			func(given testCase) {
+				networking := &Dataplane_Networking{
+					Address: "192.168.0.1",
+					Inbound: []*Dataplane_Networking_Inbound{
+						{
+							Name:  "main-port",
+							Port:  80,
+							State: Dataplane_Networking_Inbound_Ignored,
+						},
+						{
+							Name:  "secondary-port",
+							Port:  443,
+							State: Dataplane_Networking_Inbound_Ready,
+						},
+					},
+				}
+
+				selectedInbounds := networking.InboundsSelectedBySectionName(given.sectionName)
+
+				Expect(selectedInbounds).To(ConsistOf(given.expected))
+			},
+			Entry("empty sectionName selects all inbounds", testCase{
+				expected: []InboundInterface{
+					{
+						DataplaneAdvertisedIP: "192.168.0.1",
+						DataplaneIP:           "192.168.0.1",
+						DataplanePort:         80,
+						WorkloadIP:            "192.168.0.1",
+						WorkloadPort:          80,
+					},
+					{
+						DataplaneAdvertisedIP: "192.168.0.1",
+						DataplaneIP:           "192.168.0.1",
+						DataplanePort:         443,
+						WorkloadIP:            "192.168.0.1",
+						WorkloadPort:          443,
+					},
+				},
+			}),
+			Entry("matching sectionName selects ignored inbound", testCase{
+				sectionName: "main-port",
+				expected: []InboundInterface{
+					{
+						DataplaneAdvertisedIP: "192.168.0.1",
+						DataplaneIP:           "192.168.0.1",
+						DataplanePort:         80,
+						WorkloadIP:            "192.168.0.1",
+						WorkloadPort:          80,
+					},
+				},
+			}),
+			Entry("non-matching sectionName selects no inbounds", testCase{
+				sectionName: "unknown-port",
+				expected:    []InboundInterface{},
+			}),
+		)
+	})
+
 	Describe("GetHealthyInbounds()", func() {
 		It("should return only healty inbounds", func() {
 			networking := &Dataplane_Networking{
diff --git a/pkg/plugins/policies/core/matchers/dataplane.go b/pkg/plugins/policies/core/matchers/dataplane.go
@@ -326,9 +326,6 @@ func isSupportedProxyType(supportedTypes []common_api.TargetRefProxyType, dppTyp
 func inboundsSelectedByTags(tagsSelector mesh_proto.TagSelector, dpp *core_mesh.DataplaneResource, gateway *core_mesh.MeshGatewayResource) ([]core_rules.InboundListener, []core_rules.InboundListenerHostname, bool) {
 	inbounds := []core_rules.InboundListener{}
 	for _, inbound := range dpp.Spec.GetNetworking().GetInbound() {
-		if inbound.State == mesh_proto.Dataplane_Networking_Inbound_Ignored {
-			continue
-		}
 		if tagsSelector.Matches(inbound.Tags) {
 			intf := dpp.Spec.GetNetworking().ToInboundInterface(inbound)
 			inbounds = append(inbounds, core_rules.InboundListener{
diff --git a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/07.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/07.golden.yaml
@@ -1,3 +1,19 @@
-items: []
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1
+  spec:
+    from:
+    - default:
+        action: Allow
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: MeshServiceSubset
+      name: web
+      tags:
+        version: v1
+  type: MeshTrafficPermission
 next: null
 total: 0
diff --git a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/07.policies.yaml b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/07.policies.yaml
@@ -1,4 +1,4 @@
-# 07. policies do not select anything because inbound is ignored
+# 07. policies select ignored inbounds by tags
 type: MeshTrafficPermission
 mesh: mesh-1
 name: mtp-1

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# 07. policies do not select anything because inbound is ignored`
	`1`	`+# 07. policies select ignored inbounds by tags`
`2`	`2`	`type: MeshTrafficPermission`
`3`	`3`	`mesh: mesh-1`
`4`	`4`	`name: mtp-1`