policy: Track source policy rules in MapStateEntry

This commit allows us to track the policies for which a certain policy map entry has been created. It is implemented by copying over the `DerivedFromRules` from the merged ingress/egress filters to the user-space representation of the policy map state. These entries are then moved over into the `realizedPolicy` of each endpoint when the policy maps are synced. Since the order of the `DerivedFromRules` rules is not deterministic, we create a sorted copy of each LabelArrayList. Default entries such as `AllowAnyIngress`, `AllowAnyEgress` and `AllowLocalHostIngress` are annotated with artificial labels (of label source `reserved`). Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
cilium · Mar 10, 2020 · a22bb4d · a22bb4d
1 parent c897ebd
commit a22bb4d
Show file tree

Hide file tree

Showing 6 changed files with 181 additions and 85 deletions.
diff --git a/pkg/endpoint/bpf.go b/pkg/endpoint/bpf.go
@@ -30,6 +30,7 @@ import (
 	"github.com/cilium/cilium/pkg/completion"
 	"github.com/cilium/cilium/pkg/controller"
 	"github.com/cilium/cilium/pkg/endpoint/regeneration"
+	"github.com/cilium/cilium/pkg/labels"
 	"github.com/cilium/cilium/pkg/loadinfo"
 	"github.com/cilium/cilium/pkg/logging/logfields"
 	"github.com/cilium/cilium/pkg/maps/ctmap"
@@ -224,7 +225,7 @@ func (e *Endpoint) addNewRedirectsFromDesiredPolicy(ingress bool, desiredRedirec
 				} else {
 					insertedDesiredMapState[keyFromFilter] = struct{}{}
 				}
-				if entry != policy.NoRedirectEntry {
+				if entry.IsRedirectEntry() {
 					entry.ProxyPort = redirectPort
 				}
 				e.desiredPolicy.PolicyMapState[keyFromFilter] = entry
@@ -334,10 +335,15 @@ func (e *Endpoint) addVisibilityRedirects(ingress bool, desiredRedirects map[str
 			TrafficDirection: direction.Uint8(),
 		}
 
-		e.desiredPolicy.PolicyMapState[newKey] = policy.MapStateEntry{
-			ProxyPort: redirectPort,
+		derivedFrom := labels.LabelArrayList{
+			labels.LabelArray{
+				labels.NewLabel(policy.LabelKeyPolicyDerivedFrom, policy.LabelVisibilityAnnotation, labels.LabelSourceReserved),
+			},
 		}
+		entry := policy.NewMapStateEntry(derivedFrom, true)
+		entry.ProxyPort = redirectPort
 
+		e.desiredPolicy.PolicyMapState[newKey] = entry
 		insertedDesiredMapState[newKey] = struct{}{}
 	}
 
@@ -1068,7 +1074,7 @@ func (e *Endpoint) applyPolicyMapChanges() (proxyChanges bool, err error) {
 
 	for keyToAdd, entry := range adds {
 		// Keep the existing proxy port, if any
-		if entry != policy.NoRedirectEntry {
+		if entry.IsRedirectEntry() {
 			entry.ProxyPort = e.realizedRedirects[policy.ProxyIDFromKey(e.ID, keyToAdd)]
 			if entry.ProxyPort != 0 {
 				proxyChanges = true
@@ -1143,7 +1149,7 @@ func (e *Endpoint) addPolicyMapDelta() error {
 	errors := 0
 
 	for keyToAdd, entry := range e.desiredPolicy.PolicyMapState {
-		if oldEntry, ok := e.realizedPolicy.PolicyMapState[keyToAdd]; !ok || oldEntry != entry {
+		if oldEntry, ok := e.realizedPolicy.PolicyMapState[keyToAdd]; !ok || !oldEntry.Equal(&entry) {
 			if !e.addPolicyKey(keyToAdd, entry, false) {
 				errors++
 			}