cilium · aditighag · Sep 2, 2021 · Aug 23, 2021 · Aug 23, 2021
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
diff --git a/Documentation/gettingstarted/host-firewall.rst b/Documentation/gettingstarted/host-firewall.rst
@@ -6,21 +6,13 @@
 
 .. _host_firewall:
 
-******************************************
-Host Firewall (beta when using kube-proxy)
-******************************************
+*************
+Host Firewall
+*************
 
 This document serves as an introduction to Cilium's host firewall, to enforce
 security policies for Kubernetes nodes.
 
-.. note::
-
-    The host firewall is a beta feature when running without our kube-proxy
-    replacement. In particular, two bugs need to be addressed before we can
-    consider this feature stable: :gh-issue:`12205` and :gh-issue:`14859`.
-    Please provide feedback and file a GitHub issue if you experience any
-    problems.
-
 Enable the Host Firewall in Cilium
 ==================================
 
@@ -32,7 +24,7 @@ Deploy Cilium release via Helm:
 
     helm install cilium |CHART_RELEASE|        \\
       --namespace kube-system                  \\
-      --set hostFirewall=true                  \\
+      --set hostFirewall.enabled=true          \\
       --set devices='{ethX,ethY}'
 
 The ``devices`` flag refers to the network devices Cilium is configured on such

diff --git a/Documentation/operations/upgrade.rst b/Documentation/operations/upgrade.rst
@@ -343,6 +343,11 @@ New Options
   acceptable kvstore consecutive quorum errors before the agent assumes
   permanent failure.
 
+Helm Options
+~~~~~~~~~~~~
+
+* ``hostFirewall`` was renamed to ``hostFirewall.enabled``.
+
 .. _1.10_upgrade_notes:
 
 1.10 Upgrade Notes

diff --git a/Documentation/policy/language.rst b/Documentation/policy/language.rst
@@ -1228,7 +1228,7 @@ flags when installing Cilium:
 * ``--set devices='{interface}'`` where ``interface`` refers to the
   network device Cilium is configured on such as ``eth0``. Omitting this option
   leads Cilium to auto-detect what interface the host firewall applies to.
-* ``--set hostFirewall=true``
+* ``--set hostFirewall.enabled=true``
 
 The following policy will allow ingress traffic for any node with the label
 ``type=ingress-worker`` on TCP ports 22, 6443 (kube-apiserver), 2379 (etcd) and 4240

diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -617,7 +617,7 @@ func init() {
 	flags.Bool(option.EnableIdentityMark, true, "Enable setting identity mark for local traffic")
 	option.BindEnv(option.EnableIdentityMark)
 
-	flags.Bool(option.EnableHostFirewall, false, "Enable host network policies (beta when using kube-proxy)")
+	flags.Bool(option.EnableHostFirewall, false, "Enable host network policies")
 	option.BindEnv(option.EnableHostFirewall)
 
 	flags.String(option.NativeRoutingCIDR, "",

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -181,7 +181,8 @@ contributors across the globe, there is almost always someone available to help.
 | gke.enabled | bool | `false` | Enable Google Kubernetes Engine integration |
 | healthChecking | bool | `true` | Enable connectivity health checking. |
 | healthPort | int | `9876` | TCP port for the agent health API. This is not the port for cilium-health. |
-| hostFirewall | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. |
+| hostFirewall | object | `{"enabled":false}` | Configure the host firewall. |
+| hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. |
 | hostPort.enabled | bool | `false` | Enable hostPort service support. |
 | hostServices | object | `{"enabled":false,"protocols":"tcp,udp"}` | Configure ClusterIP service handling in the host namespace (the node). |
 | hostServices.enabled | bool | `false` | Enable host reachable services. |

diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -489,8 +489,8 @@ data:
   enable-ipv4-fragment-tracking: "false"
 {{- end }}
 
-{{- if .Values.hostFirewall }}
-  enable-host-firewall: {{ .Values.hostFirewall | quote }}
+{{- if and .Values.hostFirewall .Values.hostFirewall.enabled }}
+  enable-host-firewall: {{ .Values.hostFirewall.enabled | quote }}
 {{- end}}
 
 {{- if hasKey .Values "devices" }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -515,8 +515,10 @@ healthChecking: true
 # -- TCP port for the agent health API. This is not the port for cilium-health.
 healthPort: 9876
 
-# -- Enables the enforcement of host policies in the eBPF datapath.
-hostFirewall: false
+# -- Configure the host firewall.
+hostFirewall:
+  # -- Enables the enforcement of host policies in the eBPF datapath.
+  enabled: false
 
 hostPort:
   # -- Enable hostPort service support.

diff --git a/test/helpers/kubectl.go b/test/helpers/kubectl.go
@@ -142,7 +142,7 @@ var (
 		"gke.enabled":                 "true",
 		"loadBalancer.mode":           "snat",
 		"nativeRoutingCIDR":           GKENativeRoutingCIDR(),
-		"hostFirewall":                "false",
+		"hostFirewall.enabled":        "false",
 		"ipam.mode":                   "kubernetes",
 		"devices":                     "", // Override "eth0 eth0\neth0"
 	}
@@ -163,7 +163,7 @@ var (
 	}
 	kindHelmOverrides = map[string]string{
 		"ipv6.enabled":         "false",
-		"hostFirewall":         "false",
+		"hostFirewall.enabled": "false",
 		"nodeinit.enabled":     "true",
 		"kubeProxyReplacement": "partial",
 		"externalIPs.enabled":  "true",
@@ -2374,10 +2374,10 @@ func (kub *Kubectl) overwriteHelmOptions(options map[string]string) error {
 	}
 
 	if RunsWithHostFirewall() {
-		addIfNotOverwritten(options, "hostFirewall", "true")
+		addIfNotOverwritten(options, "hostFirewall.enabled", "true")
 	}
 
-	if RunsWithKubeProxyReplacement() || options["hostFirewall"] == "true" {
+	if RunsWithKubeProxyReplacement() || options["hostFirewall.enabled"] == "true" {
 		// Set devices
 		privateIface, err := kub.GetPrivateIface()
 		if err != nil {

diff --git a/test/k8sT/Conformance.go b/test/k8sT/Conformance.go
@@ -34,7 +34,7 @@ var _ = Describe("K8sConformance", func() {
 				// compatible with portmap chaining because traffic
 				// from pods to remote nodes goes through the tunnel.
 				// This issue is tracked at #12541.
-				"hostFirewall": "false",
+				"hostFirewall.enabled": "false",
 			}
 			ciliumFilename = helpers.TimestampFilename("cilium.yaml")
 			DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, deployOpts)

diff --git a/test/k8sT/DatapathConfiguration.go b/test/k8sT/DatapathConfiguration.go
@@ -88,7 +88,7 @@ var _ = Describe("K8sDatapathConfig", func() {
 				"bpf.monitorFlags":       "syn",
 				// Need to disable the host firewall for now due to complexity issue.
 				// See #14552 for details.
-				"hostFirewall": "false",
+				"hostFirewall.enabled": "false",
 			}, DeployCiliumOptionsAndDNS)
 
 			monitorRes, monitorCancel, targetIP := monitorConnectivityAcrossNodes(kubectl)
@@ -706,7 +706,7 @@ var _ = Describe("K8sDatapathConfig", func() {
 				"encryption.enabled":         "true",
 				"encryption.ipsec.interface": privateIface,
 				"devices":                    "",
-				"hostFirewall":               "false",
+				"hostFirewall.enabled":       "false",
 				"kubeProxyReplacement":       "disabled",
 			}, DeployCiliumOptionsAndDNS)
 			Expect(testPodConnectivityAcrossNodes(kubectl)).Should(BeTrue(), "Connectivity test between nodes failed")
@@ -726,7 +726,7 @@ var _ = Describe("K8sDatapathConfig", func() {
 				"encryption.enabled":         "true",
 				"encryption.ipsec.interface": privateIface,
 				"devices":                    devices,
-				"hostFirewall":               "false",
+				"hostFirewall.enabled":       "false",
 				"kubeProxyReplacement":       "disabled",
 			}, DeployCiliumOptionsAndDNS)
 			Expect(testPodConnectivityAcrossNodes(kubectl)).Should(BeTrue(), "Connectivity test between nodes failed")
@@ -782,16 +782,16 @@ var _ = Describe("K8sDatapathConfig", func() {
 			return !helpers.IsIntegration(helpers.CIIntegrationGKE)
 		}, "Check connectivity with IPv6 disabled", func() {
 			deploymentManager.DeployCilium(map[string]string{
-				"ipv4.enabled": "true",
-				"ipv6.enabled": "false",
-				"hostFirewall": "true",
+				"ipv4.enabled":         "true",
+				"ipv6.enabled":         "false",
+				"hostFirewall.enabled": "true",
 			}, DeployCiliumOptionsAndDNS)
 			Expect(testPodConnectivityAcrossNodes(kubectl)).Should(BeTrue(), "Connectivity test between nodes failed")
 		})
 
 		It("With VXLAN", func() {
 			options := map[string]string{
-				"hostFirewall": "true",
+				"hostFirewall.enabled": "true",
 			}
 			if helpers.RunsOnGKE() {
 				options["gke.enabled"] = "false"
@@ -803,7 +803,7 @@ var _ = Describe("K8sDatapathConfig", func() {
 
 		It("With VXLAN and endpoint routes", func() {
 			options := map[string]string{
-				"hostFirewall":           "true",
+				"hostFirewall.enabled":   "true",
 				"endpointRoutes.enabled": "true",
 			}
 			if helpers.RunsOnGKE() {
@@ -816,8 +816,8 @@ var _ = Describe("K8sDatapathConfig", func() {
 
 		It("With native routing", func() {
 			options := map[string]string{
-				"hostFirewall": "true",
-				"tunnel":       "disabled",
+				"hostFirewall.enabled": "true",
+				"tunnel":               "disabled",
 			}
 			// We don't want to run with per-endpoint routes (enabled by
 			// gke.enabled) for this test.
@@ -832,7 +832,7 @@ var _ = Describe("K8sDatapathConfig", func() {
 
 		It("With native routing and endpoint routes", func() {
 			options := map[string]string{
-				"hostFirewall":           "true",
+				"hostFirewall.enabled":   "true",
 				"tunnel":                 "disabled",
 				"endpointRoutes.enabled": "true",
 			}

diff --git a/test/k8sT/Policies.go b/test/k8sT/Policies.go
@@ -1360,7 +1360,7 @@ var _ = SkipDescribeIf(func() bool {
 						"masquerade":     "false",
 						"bpf.masquerade": "false",
 
-						"hostFirewall": "true",
+						"hostFirewall.enabled": "true",
 					})
 
 				By("Retrieving backend pod and outside node IP addresses")

diff --git a/test/k8sT/Services.go b/test/k8sT/Services.go
@@ -623,7 +623,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 
 			It("with the host firewall and externalTrafficPolicy=Local", func() {
 				DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
-					"hostFirewall": "true",
+					"hostFirewall.enabled": "true",
 				})
 				testExternalTrafficPolicyLocal(kubectl, ni)
 			})
@@ -872,7 +872,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 
 						BeforeAll(func() {
 							DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
-								"hostFirewall": "true",
+								"hostFirewall.enabled": "true",
 							})
 
 							ccnpHostPolicy = helpers.ManifestGet(kubectl.BasePath(), "ccnp-host-policy-nodeport-tests.yaml")
@@ -917,7 +917,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 								"maglev.tableSize": "251",
 								// Support for host firewall + Maglev is currently broken,
 								// see #14047 for details.
-								"hostFirewall": "false",
+								"hostFirewall.enabled": "false",
 							})
 
 							echoYAML = helpers.ManifestGet(kubectl.BasePath(), "echo-svc.yaml")
@@ -1020,7 +1020,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 							DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{
 								"tunnel":               "disabled",
 								"autoDirectNodeRoutes": "true",
-								"hostFirewall":         "true",
+								"hostFirewall.enabled": "true",
 							})
 
 							ccnpHostPolicy = helpers.ManifestGet(kubectl.BasePath(), "ccnp-host-policy-nodeport-tests.yaml")
@@ -1070,7 +1070,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 								"maglev.tableSize": "251",
 								// Support for host firewall + Maglev is currently broken,
 								// see #14047 for details.
-								"hostFirewall": "false",
+								"hostFirewall.enabled": "false",
 							})
 
 							echoYAML = helpers.ManifestGet(kubectl.BasePath(), "echo-svc.yaml")
@@ -1392,7 +1392,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 						"devices":                   fmt.Sprintf(`'{%s}'`, ni.privateIface),
 						// Support for host firewall + Maglev is currently broken,
 						// see #14047 for details.
-						"hostFirewall": "false",
+						"hostFirewall.enabled": "false",
 					})
 					testNodePortExternal(kubectl, ni, false, false)
 				})
@@ -1420,7 +1420,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 						"devices":                   fmt.Sprintf(`'{%s}'`, ni.privateIface),
 						// Support for host firewall + Maglev is currently broken,
 						// see #14047 for details.
-						"hostFirewall": "false",
+						"hostFirewall.enabled": "false",
 					})
 					testNodePortExternal(kubectl, ni, true, false)
 				})
@@ -1448,7 +1448,7 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, helpers.DualStackSupp
 						"devices":                   fmt.Sprintf(`'{%s}'`, ni.privateIface),
 						// Support for host firewall + Maglev is currently broken,
 						// see #14047 for details.
-						"hostFirewall": "false",
+						"hostFirewall.enabled": "false",
 					})
 					testNodePortExternal(kubectl, ni, true, true)
 				})