From abae6a2abd8c12816f8dd7df1c110cc2857bc2b6 Mon Sep 17 00:00:00 2001
From: Zahari Dichev
Date: Tue, 5 Nov 2024 09:13:33 +0000
Subject: [PATCH] policy: limit TCPRoute to one per policy response

Signed-off-by: Zahari Dichev
---
 policy-controller/grpc/src/outbound/tcp.rs | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/policy-controller/grpc/src/outbound/tcp.rs b/policy-controller/grpc/src/outbound/tcp.rs
index 50821364d9207..a1e169ce6e2ec 100644
--- a/policy-controller/grpc/src/outbound/tcp.rs
+++ b/policy-controller/grpc/src/outbound/tcp.rs
@@ -6,6 +6,9 @@ use linkerd_policy_controller_core::{
 };
 use std::net::SocketAddr;
 
+// Since there is no way to do real selection on a TCPRoute, we only allow 1
+const MAXIMUM_ALLOWED_TCP_ROUTES: usize = 1;
+
 pub(crate) fn protocol(
 default_backend: outbound::Backend,
 routes: impl Iterator,
@@ -13,6 +16,7 @@ pub(crate) fn protocol(
 original_dst: Option,
 ) -> outbound::proxy_protocol::Kind {
 let mut routes = routes
+ .take(MAXIMUM_ALLOWED_TCP_ROUTES)
 .map(|(gknn, route)| {
 convert_outbound_route(
 gknn,
@@ -24,11 +28,13 @@ pub(crate) fn protocol(
 })
 .collect::>();
 
- if let ParentInfo::EgressNetwork { traffic_policy, .. } = parent_info {
- routes.push(default_outbound_egress_route(
- default_backend,
- traffic_policy,
- ));
+ if routes.is_empty() {
+ if let ParentInfo::EgressNetwork { traffic_policy, .. } = parent_info {
+ routes.push(default_outbound_egress_route(
+ default_backend,
+ traffic_policy,
+ ));
+ }
 }
 
 outbound::proxy_protocol::Kind::Opaque(outbound::proxy_protocol::Opaque { routes })
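Review bot: The `.take(MAXIMUM_ALLOWED_TCP_ROUTES)` added in the `@@ -13,6 +16,7 @@` hunk keeps whichever route the `routes` iterator yields first and discards the rest without any signal. The iterator's order is decided by the caller, which is outside this patch; if that order is not stable (a hash-map walk, for example), the TCPRoute a proxy receives can differ between policy responses, and a route author in a shared cluster cannot tell that theirs was ignored. I would sort on a documented key before truncating (the Gateway API convention is oldest creation timestamp, then namespace/name) and log a warning that names the dropped routes. The constant's comment in the first hunk could also say which route wins, e.g. `/// TCPRoutes carry no match rules, so only the first route yielded by the caller is served.`; the body of `protocol` continues outside the hunk.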
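Review bot: In the `@@ -24,11 +28,13 @@` hunk the EgressNetwork default route, the only place in this hunk where `traffic_policy` is used, is now emitted only when no TCPRoute is attached, and nothing in the code says this is intended. If `convert_outbound_route` (defined outside the hunk) does not apply the parent's traffic policy itself, attaching any TCPRoute to an EgressNetwork would replace a deny default, which is worth stating for whoever audits egress rules. I would add a comment above the new check, `// The default egress route is a fallback only: an attached TCPRoute takes precedence over the EgressNetwork traffic policy.`, and a unit test covering both the empty and the one-route case; the diffstat shows no test change.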