endpoint: Add GetRealizedPolicyRuleLabelsForKey

This function allows callers to get the list of policies which caused a
certain policy map entry to be added for a given endpoint.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>

pkg/endpoint/policy.go

@@ -751,3 +751,23 @@ func (e *Endpoint) UpdateVisibilityPolicy(annoCB AnnotationsResolverCB) {
 	}
 	<-ch
 }
+
+// GetRealizedPolicyRuleLabelsForKey returns the list of policy rule labels
+// which match a given flow key (in host byte-order). The returned
+// LabelArrayList must not be modified. This function is exported to be
+// accessed by code outside of the Cilium code base (e.g. Hubble).
+func (e *Endpoint) GetRealizedPolicyRuleLabelsForKey(key policy.Key) (
+	derivedFrom labels.LabelArrayList,
+	revision uint64,
+	ok bool,
+) {
+	e.mutex.RLock()
+	defer e.mutex.RUnlock()
+
+	entry, ok := e.realizedPolicy.PolicyMapState[key]
+	if !ok {
+		return nil, 0, false
+	}
+
+	return entry.DerivedFromRules, e.policyRevision, true
+}