diff --git a/e2e/cmd/adminpolicy/e2e_test.go b/e2e/cmd/adminpolicy/e2e_test.go
index 8bc97358746..d5c67dbe709 100644
--- a/e2e/cmd/adminpolicy/e2e_test.go
+++ b/e2e/cmd/adminpolicy/e2e_test.go
@@ -1,16 +1,18 @@
-// Copyright (c) 2024 Tigera, Inc. All rights reserved.
+/*
+Copyright 2022 The Kubernetes Authors.
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 package main
diff --git a/felix/bpf/polprog/pol_prog_builder.go b/felix/bpf/polprog/pol_prog_builder.go
index 3f29c8b8424..0bd8fc50c9f 100644
--- a/felix/bpf/polprog/pol_prog_builder.go
+++ b/felix/bpf/polprog/pol_prog_builder.go
@@ -22,7 +22,6 @@ import (
 "github.com/projectcalico/calico/felix/bpf/ipsets"
 "github.com/projectcalico/calico/felix/bpf/maps"
- "github.com/projectcalico/calico/libcalico-go/lib/names"
 log "github.com/sirupsen/logrus"
@@ -485,7 +484,6 @@ func (p *Builder) writeTiers(tiers []Tier, destLeg matchLeg, allowLabel string)
 actionLabels := map[string]string{
 "allow": allowLabel,
 "deny": "deny",
- "pass": "pass",
 }
 for _, tier := range tiers {
 endOfTierLabel := fmt.Sprint("end_of_tier_", p.tierID)
@@ -504,10 +502,6 @@ func (p *Builder) writeTiers(tiers []Tier, destLeg matchLeg, allowLabel string)
 action = TierEndDeny
 }
 p.b.AddCommentF("End of tier %s", tier.Name)
- // For AdminNetworkPolicy Tier the endOfTier action is pass.
- if tier.Name != names.AdminNetworkPolicyTierName {
- action = TierEndPass
- }
 log.Debugf("End of tier %d %q: %s", p.tierID, tier.Name, action)
 p.writeRule(Rule{
 Rule: &proto.Rule{},
diff --git a/felix/dataplane/linux/bpf_ep_mgr.go b/felix/dataplane/linux/bpf_ep_mgr.go
index 9240aea9c95..c696b3cb23a 100644
--- a/felix/dataplane/linux/bpf_ep_mgr.go
+++ b/felix/dataplane/linux/bpf_ep_mgr.go
@@ -42,6 +42,7 @@ import (
 "github.com/projectcalico/calico/felix/ethtool"
 "github.com/projectcalico/calico/felix/generictables"
 "github.com/projectcalico/calico/libcalico-go/lib/health"
+ "github.com/projectcalico/calico/libcalico-go/lib/names"
 "github.com/prometheus/client_golang/prometheus"
 log "github.com/sirupsen/logrus"
@@ -2978,6 +2979,11 @@ func (m *bpfEndpointManager) extractTiers(tiers []*proto.TierInfo, direction Pol
 polTier.Policies[i] = policy
 }
+ // This changes will be replaces by changes in https://github.com/projectcalico/calico/pull/9232
+ if tier.Name == names.AdminNetworkPolicyTierName {
+ endTierDrop = false
+ }
+
 if endTierDrop {
 polTier.EndAction = polprog.TierEndDeny
 } else {
diff --git a/felix/rules/endpoints.go b/felix/rules/endpoints.go
index e03e3363e63..d12dfa705bb 100644
--- a/felix/rules/endpoints.go
+++ b/felix/rules/endpoints.go
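Review bot: The added override in extractTiers, `if tier.Name == names.AdminNetworkPolicyTierName { endTierDrop = false }`, moves that tier's end-of-tier default from deny to the fall-through branch on a bare tier-name match, and none of the hunks shown adds a test that pins this for the BPF dataplane. The lines this commit removes from pol_prog_builder.go carried the same special case with the comparison written as `!=`, contradicting its own comment, so a unit test on extractTiers asserting `polprog.TierEndDeny` for an ordinary tier and the non-deny end action for the AdminNetworkPolicy tier would catch that class of mistake. The comment above the check, and the identical one added in felix/rules/endpoints.go, would read better as a tracked TODO, e.g. `// TODO: temporary special case; to be replaced by https://github.com/projectcalico/calico/pull/9232.`. extractTiers starts and ends outside the hunk, so how endTierDrop is computed before this point and what the else branch assigns are not visible here.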
@@ -464,6 +464,7 @@ func (r *DefaultRuleRenderer) endpointIptablesChain(
 Comment: []string{"Start of tier " + tier.Name},
 })
+ // This changes will be replaces by changes in https://github.com/projectcalico/calico/pull/9232
 endOfTierDrop := true
 // For AdminNetworkPolicy Tier the endOfTier action is pass.
 if tier.Name == names.AdminNetworkPolicyTierName {
@@ -512,7 +513,6 @@ func (r *DefaultRuleRenderer) endpointIptablesChain(
 }
 if chainType == chainTypeNormal || chainType == chainTypeForward {
- // TODO: Fix this properly
 if endOfTierDrop {
 // When rendering normal and forward rules, if no policy marked the packet as "pass", drop the
 // packet.