policy: Enforce ingress policy for Ingress #351
Merged
Store the original source identity for enforcing ingress policy for Ingress, which otherwise only enforces the egress policy, as it operates on the egress path. Now both ingress and egress policies defined for the ingress identity are enforced when configured with the new `enforce_policy_on_l7lb` option.

Ingress arrives at Cilium nodes at node ports, which are meaningless for Cilium Network Policies. To remedy this, the destination port of the selected backend is also used in ingress path policy enforcement. Note that this destination port may be different from the one the traffic was first received at on the external load balancer.
An allow-all Egress policy at Ingress continues to be supported until Cilium 1.14 is EOL. Newer Cilium versions properly generate an allow-all ingress and egress network policy for the Ingress identity also when policy is not enforced.
See cilium/cilium#28126 for reference on how this is used.