policy: Fix enforcement status for host endpoint #11759

Merged: 1 commit, Jun 2, 2020

@pchaigno pchaigno commented May 28, 2020

Before this commit, host policy enforcement was reported as "enabled" as soon as policies were loaded for the host, even if the host firewall was disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Enabled            Enabled           1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

With this commit, enforcement will remain as "disabled" as long as the host firewall is disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Disabled           Disabled          1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

Fixes: #11507
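
A check for the misreport described above, as an added example that is not part of the PR or of Cilium's code: it parses an endpoint listing in the layout shown and flags a `reserved:host` row that reports enforcement while the host firewall is off. The sample listing is constructed, `hostFirewall` is an assumed input supplied by the caller, and only the first label of each row is inspected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in the layout of the listing above (pre-fix output).
const sample = `ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])   IPv6                 IPv4          STATUS
           ENFORCEMENT        ENFORCEMENT
318        Enabled            Enabled           1          reserved:host                                                    ready
3423       Disabled           Disabled          4          reserved:health               f00d::a0f:0:0:7ba4   10.16.0.148   ready`

// Endpoint holds the columns of one row that matter for this check.
type Endpoint struct {
	ID                     int
	Ingress, Egress, Label string
}

// ParseEndpoints skips header and continuation lines (no numeric endpoint ID).
func ParseEndpoints(out string) []Endpoint {
	var eps []Endpoint
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		if id, err := strconv.Atoi(f[0]); err == nil {
			eps = append(eps, Endpoint{id, f[1], f[2], f[4]})
		}
	}
	return eps
}

// MisreportedHosts returns host endpoints listed as enforcing although the
// host firewall is off. hostFirewall is a hypothetical caller-supplied input.
func MisreportedHosts(out string, hostFirewall bool) []Endpoint {
	var bad []Endpoint
	for _, ep := range ParseEndpoints(out) {
		enforcing := ep.Ingress == "Enabled" || ep.Egress == "Enabled"
		if ep.Label == "reserved:host" && !hostFirewall && enforcing {
			bad = append(bad, ep)
		}
	}
	return bad
}

func main() {
	fmt.Println(MisreportedHosts(sample, false))
}
```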

@pchaigno added the priority/release-blocker, sig/policy (Impacts whether traffic is allowed or denied based on user-defined policies.) and release-note/misc (This PR makes changes that have no direct user impact.) labels May 28, 2020
@pchaigno requested a review from a team May 28, 2020 19:39
@maintainer-s-little-helper (bot) added this to In progress in 1.8.0 May 28, 2020
coveralls commented May 28, 2020

Coverage increased (+0.005%) to 36.883% when pulling ec3f873a411bf08b48f9d9590aab8d28501f2a6c on pr/pchaigno/fix-enforcement-status-host-firewall into d909b14 on master.

pkg/policy/repository.go (review thread: outdated, resolved)
@pchaigno force-pushed the pr/pchaigno/fix-enforcement-status-host-firewall branch from 5b9ae54 to ec3f873 May 29, 2020 13:05
@pchaigno requested a review from aanm May 29, 2020 13:07
Before this commit, host policy enforcement was reported as enabled as
soon as policies were loaded for the host, even if the host firewall was
disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Enabled            Enabled           1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

With this commit, enforcement will remain as disabled as long as the
host firewall is disabled:

    ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                       IPv6                 IPv4          STATUS
               ENFORCEMENT        ENFORCEMENT
    318        Disabled           Disabled          1          reserved:host                                                                        ready
    3423       Disabled           Disabled          4          reserved:health                                   f00d::a0f:0:0:7ba4   10.16.0.148   ready

Fixes: f9c205d ("pkg/policy: Host network policies")
Signed-off-by: Paul Chaignon <paul@cilium.io>
@pchaigno force-pushed the pr/pchaigno/fix-enforcement-status-host-firewall branch from ec3f873 to cd15279 May 29, 2020 13:34
@pchaigno
Member Author

test-me-please

@pchaigno added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) May 30, 2020
@aanm merged commit 3a9a353 into master Jun 2, 2020
1.8.0 automation moved this from In progress to Merged Jun 2, 2020
@aanm deleted the pr/pchaigno/fix-enforcement-status-host-firewall branch June 2, 2020 08:50
@pchaigno added the area/host-firewall label (Impacts the host firewall or the host endpoint.) Jul 20, 2020