policy: Fix enforcement status for host endpoint
Before this commit, host policy enforcement was reported as enabled as
soon as policies were loaded for the host, even if the host firewall was
disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Enabled            Enabled           1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

With this commit, enforcement will remain as disabled as long as the
host firewall is disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Disabled           Disabled          1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

Fixes: f9c205d ("pkg/policy: Host network policies")
Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno committed May 28, 2020
1 parent 7561dec commit 5b9ae54
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions pkg/policy/repository.go
@@ -710,6 +710,10 @@ func (p *Repository) computePolicyEnforcementAndRules(securityIdentity *identity
return true, true, matchingRules
}

if lbls.Has(labels.IDNameHost) && !option.Config.EnableHostFirewall {
return false, false, matchingRules
}

// Default mode means that if rules contain labels that match this
// endpoint, then enable policy enforcement for this endpoint.
return ingress, egress, matchingRules
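Review bot: the new host-firewall check is placed below the earlier `return true, true, matchingRules` branch, so whatever condition that branch covers (its test is above this hunk) still reports the host endpoint as enforcing even when `option.Config.EnableHostFirewall` is false; if that ordering is intended, state it in a comment, otherwise move the `lbls.Has(labels.IDNameHost) && !option.Config.EnableHostFirewall` check above that branch. A short comment on the new block, mirroring the `// Default mode means that ...` comment on the return below it, would also document why the host endpoint is special here (for example `// Host policies are never enforced while the host firewall is disabled.`). Reading the global `option.Config` directly from `pkg/policy` also makes this path harder to unit test than having the flag passed in; worth a follow-up.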
