Condukt.Sandbox.NetworkPolicy.Decider behaviour (Condukt v1.5.0)

Behaviour and runtime for the :decide rule on a Condukt.Sandbox.NetworkPolicy.

A decider receives a Condukt.Sandbox.NetworkPolicy.Context and a Condukt.Sandbox.NetworkPolicy.Request and returns :allow or {:deny, reason}. Four shapes are accepted as the rule's value:

  • A 2-arity function: fn ctx, req -> :allow end
  • {module, function} (both atoms): module.function(ctx, req)
  • A module atom alone: module.decide(ctx, req, [])
  • {module, opts} (a keyword list): module.decide(ctx, req, opts)
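
The following is an added example, not code from the Condukt project: a decider module that implements the behaviour above with a default-deny allowlist, followed by the same decider expressed in each of the four accepted rule-value shapes. It assumes, since this page does not document the Request struct's fields, that the destination host is available as `request.host`; the module and function names are made up for the illustration.

```elixir
# Added example (not Condukt's own code). Assumption: the Request struct
# exposes the destination host as `request.host`; this page does not say.
defmodule MyApp.AllowlistDecider do
  @behaviour Condukt.Sandbox.NetworkPolicy.Decider

  # Callback shape from the page: decide(context, request, opts) :: :allow | {:deny, term()}
  @impl true
  def decide(_context, request, opts) do
    allowed = Keyword.get(opts, :hosts, [])

    # Fail closed: only explicitly listed hosts are allowed. The deny reason
    # is a term the caller can log or surface via telemetry.
    if request.host in allowed do
      :allow
    else
      {:deny, {:host_not_allowlisted, request.host}}
    end
  end

  # A 2-arity function with the same contract, for the {module, function} shape.
  def deny_all(_context, request), do: {:deny, {:no_egress, request.host}}
end

# The four shapes the :decide rule accepts, and how each is invoked:
decide_values = [
  # 2-arity function: called as fun.(ctx, req)
  fn _ctx, req ->
    if req.host == "api.example.com", do: :allow, else: {:deny, :egress_blocked}
  end,
  # {module, function}: called as MyApp.AllowlistDecider.deny_all(ctx, req)
  {MyApp.AllowlistDecider, :deny_all},
  # module atom alone: called as MyApp.AllowlistDecider.decide(ctx, req, [])
  # (with no :hosts option this decider denies everything)
  MyApp.AllowlistDecider,
  # {module, opts}: called as MyApp.AllowlistDecider.decide(ctx, req, opts)
  {MyApp.AllowlistDecider, hosts: ["api.example.com", "pypi.org"]}
]
```

Note that the bare module shape receives `[]` as opts, so a decider that reads its allowlist from opts denies every request in that form; pass `{module, opts}` when the decider needs configuration.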

Use Condukt.Sandbox.NetworkPolicy.AgentDecider to wrap a Condukt agent module as a decider.

The knobs that govern invocation are scoped to the decide rule, not the policy. Pass the :decide value as a keyword list with the callable under :call plus any of :timeout, :cache, :context_messages, :context_metadata. A bare callable uses the defaults.

Runtime semantics

Decider invocations run in a separate process bounded by the rule's :timeout (default 5000ms). On timeout, on an exception, or on any return value other than :allow or {:deny, reason}, the request is denied with a structured reason and an entry surfaces in telemetry.

Decisions are cached per-session per-host when the rule's :cache is true (default). The cache is in-process and dies with the session.
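
An added example, not Condukt's own code, covering both the configured keyword-list form described above and the fail-closed runtime semantics: it builds a :decide rule with the callable under :call plus :timeout and :cache, normalises it with spec/1, and then drives invoke/4 directly with deciders that hang, raise, or return a malformed value. It assumes that Context and Request can be constructed as plain structs for a test and that Request carries a `host` field; neither is documented on this page, and the exact deny reasons are not matched because their structure is not specified here.

```elixir
# Added example (not Condukt's own code).
alias Condukt.Sandbox.NetworkPolicy.Decider

# Configured form: the callable goes under :call, the knobs are per rule.
# (:context_messages and :context_metadata are omitted here because this
# page does not state their value types.)
decide_rule = [
  call: fn _ctx, req ->
    if req.host == "api.example.com", do: :allow, else: {:deny, :egress_blocked}
  end,
  timeout: 1_000,  # ms; a decider slower than this fails closed
  cache: true      # one decision per session per host, in-process
]

# spec/1 normalises the rule into a map with :call, :timeout, :cache,
# :context_messages and :context_metadata.
spec = Decider.spec(decide_rule)
1_000 = spec.timeout
true = spec.cache

# Assumption: both structs are constructible like this for testing.
ctx = %Condukt.Sandbox.NetworkPolicy.Context{}
req = %Condukt.Sandbox.NetworkPolicy.Request{host: "api.example.com"}

# A decider that never returns is denied once the timeout (here 100 ms) elapses.
hanging = fn _ctx, _req -> Process.sleep(:infinity) end
{:deny, _timeout_reason} = Decider.invoke(hanging, ctx, req, 100)

# A decider that crashes is also denied; the exception stays in the
# isolated process and does not propagate to the rule walker.
crashing = fn _ctx, _req -> raise "decider bug" end
{:deny, _exception_reason} = Decider.invoke(crashing, ctx, req, 100)

# A decider returning anything other than :allow | {:deny, reason} is denied.
malformed = fn _ctx, _req -> :maybe end
{:deny, _bad_return_reason} = Decider.invoke(malformed, ctx, req, 100)

# A well-formed :allow passes through unchanged.
:allow = Decider.invoke(spec.call, ctx, req, spec.timeout)

# And a host outside the decider's rule is denied by the decider itself,
# not by the runtime.
other = %Condukt.Sandbox.NetworkPolicy.Request{host: "evil.example.net"}
{:deny, :egress_blocked} = Decider.invoke(spec.call, ctx, other, spec.timeout)
```

The three failure cases all collapse to a deny, which is the property worth checking when you write your own decider: a bug or a slow upstream lookup in the decider cannot open the sandbox's egress, only close it.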

Summary

Functions

decide(policy, context, request, cache)
  Runs the policy's decide rule (if any) and applies the per-session decision cache. Used by the K8s control bridge when the sidecar sends a decision_request. Returns {decision, updated_cache}.

invoke(decider, context, request, timeout)
  Invokes a decider once, in an isolated process bounded by timeout milliseconds. Used directly by Condukt.Sandbox.NetworkPolicy's rule walker when a :decide rule fires.

policy_spec(network_policy)
  Returns the spec for the policy's first :decide rule, or nil when the policy declares no decide rule.

spec(value)
  Normalises a :decide rule value into a spec map with :call, :timeout, :cache, :context_messages, and :context_metadata.

Callbacks

decide(context, request, opts)

@callback decide(
  context :: Condukt.Sandbox.NetworkPolicy.Context.t(),
  request :: Condukt.Sandbox.NetworkPolicy.Request.t(),
  opts :: keyword()
) :: :allow | {:deny, term()}

Functions

decide(policy, context, request, cache)

Runs the policy's decide rule (if any) and applies the per-session decision cache. Used by the K8s control bridge when the sidecar sends a decision_request. Returns {decision, updated_cache}.

invoke(decider, context, request, timeout)

Invokes a decider once, in an isolated process bounded by timeout milliseconds. Used directly by Condukt.Sandbox.NetworkPolicy's rule walker when a :decide rule fires.

policy_spec(network_policy)

Returns the spec for the policy's first :decide rule, or nil when the policy declares no decide rule.

spec(value)

Normalises a :decide rule value into a spec map with :call, :timeout, :cache, :context_messages, and :context_metadata.

A keyword list is the configured form and must carry the callable under :call. Anything else (function, module, {module, function}, {module, opts}) is a bare callable that takes the defaults.