endpoint: refactor how default policy enforcement configuration is pe…

…rformed

Hide Endpoint locking semantics.

Signed-off by: Ian Vernon <ian@cilium.io>

daemon/state.go

@@ -31,7 +31,6 @@ import (
 	"github.com/cilium/cilium/pkg/maps/ctmap"
 	"github.com/cilium/cilium/pkg/maps/lxcmap"
 	"github.com/cilium/cilium/pkg/option"
-	"github.com/cilium/cilium/pkg/policy"
 	"github.com/cilium/cilium/pkg/workloads"
 
 	"github.com/sirupsen/logrus"
@@ -159,18 +158,10 @@ func (d *Daemon) restoreOldEndpoints(dir string, clean bool) (*endpointRestoreSt
 			continue
 		}
 
-		ep.UnconditionalLock()
 		scopedLog.Debug("Restoring endpoint")
-		ep.LogStatusOKLocked(endpoint.Other, "Restoring endpoint from previous cilium instance")
+		ep.LogStatusOK(endpoint.Other, "Restoring endpoint from previous cilium instance")
 
-		if !option.Config.KeepConfig {
-			ep.SetDefaultOpts(option.Config.Opts)
-			alwaysEnforce := policy.GetPolicyEnabled() == option.AlwaysEnforce
-			ep.SetDesiredIngressPolicyEnabledLocked(alwaysEnforce)
-			ep.SetDesiredEgressPolicyEnabledLocked(alwaysEnforce)
-		}
-
-		ep.Unlock()
+		ep.SetDefaultConfiguration(true)
 
 		ep.SkipStateClean()
 

pkg/endpoint/endpoint.go

@@ -337,35 +337,6 @@ func (e *Endpoint) GetEgressPolicyEnabledLocked() bool {
 	return e.desiredPolicy.EgressPolicyEnabled
 }
 
-// SetDesiredIngressPolicyEnabled sets Endpoint's ingress policy enforcement
-// configuration to the specified value. The endpoint's mutex must not be held.
-func (e *Endpoint) SetDesiredIngressPolicyEnabled(ingress bool) {
-	e.UnconditionalLock()
-	e.desiredPolicy.IngressPolicyEnabled = ingress
-	e.Unlock()
-
-}
-
-// SetDesiredEgressPolicyEnabled sets Endpoint's egress policy enforcement
-// configuration to the specified value. The endpoint's mutex must not be held.
-func (e *Endpoint) SetDesiredEgressPolicyEnabled(egress bool) {
-	e.UnconditionalLock()
-	e.desiredPolicy.EgressPolicyEnabled = egress
-	e.Unlock()
-}
-
-// SetDesiredIngressPolicyEnabledLocked sets Endpoint's ingress policy enforcement
-// configuration to the specified value. The endpoint's mutex must be held.
-func (e *Endpoint) SetDesiredIngressPolicyEnabledLocked(ingress bool) {
-	e.desiredPolicy.IngressPolicyEnabled = ingress
-}
-
-// SetDesiredEgressPolicyEnabledLocked sets Endpoint's egress policy enforcement
-// configuration to the specified value. The endpoint's mutex must be held.
-func (e *Endpoint) SetDesiredEgressPolicyEnabledLocked(egress bool) {
-	e.desiredPolicy.EgressPolicyEnabled = egress
-}
-
 // WaitForProxyCompletions blocks until all proxy changes have been completed.
 // Called with buildMutex held.
 func (e *Endpoint) WaitForProxyCompletions(proxyWaitGroup *completion.WaitGroup) error {
@@ -2007,3 +1978,23 @@ func (e *Endpoint) Delete(monitor monitorOwner, ipam ipReleaser, manager endpoin
 
 	return errs
 }
+
+// SetDefaultConfiguration sets the default configuration options for its
+// boolean configuration options and for policy enforcement based off of the
+// global policy enforcement configuration options.
+func (e *Endpoint) SetDefaultConfiguration(restore bool) {
+	e.UnconditionalLock()
+	defer e.Unlock()
+
+	if restore && option.Config.KeepConfig {
+		return
+	}
+	e.setDefaultPolicyConfig()
+}
+
+func (e *Endpoint) setDefaultPolicyConfig() {
+	e.SetDefaultOpts(option.Config.Opts)
+	alwaysEnforce := policy.GetPolicyEnabled() == option.AlwaysEnforce
+	e.desiredPolicy.IngressPolicyEnabled = alwaysEnforce
+	e.desiredPolicy.EgressPolicyEnabled = alwaysEnforce
+}

pkg/endpointmanager/manager.go

@@ -397,9 +397,7 @@ func (mgr *EndpointManager) GetPolicyEndpoints() map[policy.Endpoint]struct{} {
 
 // AddEndpoint takes the prepared endpoint object and starts managing it.
 func (mgr *EndpointManager) AddEndpoint(owner regeneration.Owner, ep *endpoint.Endpoint, reason string) (err error) {
-	alwaysEnforce := policy.GetPolicyEnabled() == option.AlwaysEnforce
-	ep.SetDesiredIngressPolicyEnabled(alwaysEnforce)
-	ep.SetDesiredEgressPolicyEnabled(alwaysEnforce)
+	ep.SetDefaultConfiguration(false)
 
 	if ep.ID != 0 {
 		return fmt.Errorf("Endpoint ID is already set to %d", ep.ID)