Adjust and expand eBPF policy map to redirect for visibility on the
port of the visibility annotation while still denying traffic on this
port for identities for which the traffic is denied.
Datapath lookup order is, from highest to lowest precedence:
1. L3/L4
2. L4-only (wildcard L3)
3. L3-only (wildcard L4)
4. Allow-all
This means that the L4-only allow visibility key can only be added if
there is an allow-all key, and all L3-only deny keys are expanded to
L3/L4 keys. If no L4-only key is added then also the L3-only allow
keys need to be expanded to L3/L4 keys for visibility redirection. In
addition the existing L3/L4 and L4-only allow keys need to be
redirected to the proxy port, if not already redirected.
The above can be accomplished by:
1. Change existing L4-only ALLOW key on matching port that does not already
redirect to redirect.
- e.g., 0:80=allow,0 -> 0:80=allow,<proxyport>
2. If allow-all key exists, add L4-only visibility redirect key if the L4-only
key does not already exist.
- e.g., 0:0=allow,0 -> add 0:80=allow,<proxyport> if 0:80 key does not exist
- this allows all traffic on port 80, but see step 5 below
3. Change all L3/L4 ALLOW keys on matching port that do not already redirect to
redirect.
- e.g, <ID1>:80=allow,0 -> <ID1>:80=allow,<proxyport>
4. For each L3-only ALLOW key add the corresponding L3/L4 ALLOW redirect if no
L3/L4 key already exists and no L4-only key already exists and one is not added.
- e.g., <ID2>:0=allow,0 -> add <ID2>:80=allow,<proxyport> if <ID2>:80
and 0:80 do not exist and 0:80 was not added
5. If a new L4-only key was added: For each L3-only DENY key add the
corresponding L3/L4 DENY key if no L3/L4 key already exists
- e.g., <ID3>:0=deny,0 -> add <ID3>:80=deny,0 if <ID3>:80 does not exist
With the above we only change/expand existing allow keys to redirect, and
expand existing drop keys to also drop on the port of interest, if a new
L4-only key allowing the port is added.
Adjust the unit test to mimic the real behavior a bit better by
regenerating endpoint policy after updating visibility policy. This is
needed due to the test using same port for HTTP and Kafka, and without
regenerating visibility redirects no longer overwrite existing
redirects.
Visibility redirects need to be re-applied after applying incremental
policy map changes. This is due to incremental changes possibly adding
keys for new identities that need visibility redirections or
additional deny keys as defined above.
Testing: New unit tests in policy package cover all the cases
described above.
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>