policy: Use source pod's egress policy if available

jrajahalme · jrajahalme · commit b08bc22f7e82 · 2025-02-19T13:30:49.000+01:00
Enforce source pod's egress policy, if available, i.e., when the source
is a local pod, even in the north/south scenario, where the Ingress IP is
used as the upstream source address.

Signed-off-by: Jarno Rajahalme &lt;jarno@isovalent.com&gt;
diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc
@@ -464,12 +464,16 @@ Config::extractSocketMetadata(Network::ConnectionSocket& socket) {
 
     source_identity = new_source_identity;
 
-    // AllowAllEgressPolicy will be returned if no explicit Ingress policy exists
-    policy = &getPolicy(ingress_ip_str);
+    // Enforce the egress policy associated with the Ingress if source is not a local pod.
+    // (otherwise keep the source pod's policy and pod_ip as the policy reference)
+    if (policy->getEndpointID() == 0) {
+      // AllowAllEgressPolicy will be returned if no explicit Ingress policy exists
+      policy = &getPolicy(ingress_ip_str);
 
-    // Set Ingress source IP as pod_ip (In case of egress (how N/S L7 LB is implemented), the pod_ip
-    // is the source IP)
-    pod_ip = ingress_ip_str;
+      // Set Ingress source IP as pod_ip (In case of egress (how N/S L7 LB is implemented), the
+      // pod_ip is the source IP)
+      pod_ip = ingress_ip_str;
+    }
 
     // Original source address is never used for north/south LB
     src_address = nullptr;
diff --git a/tests/metadata_config_test.cc b/tests/metadata_config_test.cc
@@ -447,6 +447,7 @@ TEST_F(MetadataConfigTest, EastWestL7LbMetadata) {
 }
 
 // When original source is not configured to be used, east/west traffic takes the north/south path
+// but retains local pod's IP as the "policy name" it found.
 TEST_F(MetadataConfigTest, EastWestL7LbMetadataNoOriginalSource) {
   ::cilium::BpfMetadata config{};
   config.set_is_l7lb(true);
@@ -465,7 +466,7 @@ TEST_F(MetadataConfigTest, EastWestL7LbMetadataNoOriginalSource) {
   EXPECT_EQ(false, policy_fs->ingress_);
   EXPECT_EQ(true, policy_fs->is_l7lb_);
   EXPECT_EQ(80, policy_fs->port_);
-  EXPECT_EQ("10.1.1.42", policy_fs->pod_ip_);
+  EXPECT_EQ("10.1.1.1", policy_fs->pod_ip_);
   EXPECT_EQ(0, policy_fs->ingress_source_identity_);
 
   auto source_addresses_socket_option = socket_metadata->buildSourceAddressSocketOption();
