diff --git a/cilium/l7policy.cc b/cilium/l7policy.cc
index e0cd30914..1605316af 100644
--- a/cilium/l7policy.cc
+++ b/cilium/l7policy.cc
@@ -209,8 +209,11 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he
 callbacks_->streamInfo(), headers);
 }
- allowed_ = policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity,
- destination_port, headers, *log_entry_);
+ allowed_ =
+ dip->addressAsString() == policy_fs->pod_ip_
+ ? true
+ : policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity,
+ destination_port, headers, *log_entry_);
 ENVOY_CONN_LOG(
 debug, "cilium.l7policy: {} ({}->{}) {} policy lookup for endpoint {} for port {}: {}",
diff --git a/cilium/network_filter.cc b/cilium/network_filter.cc
index 4fd688e32..b53c9b75c 100644
--- a/cilium/network_filter.cc
+++ b/cilium/network_filter.cc
@@ -198,10 +198,15 @@ Network::FilterStatus Instance::onNewConnection() {
 destination_identity, dst_address, &config_->time_source_);
 bool use_proxy_lib;
- if (!policy_fs->enforceNetworkPolicy(conn, destination_identity, destination_port_, sni,
- use_proxy_lib, l7proto_, log_entry_)) {
- ENVOY_CONN_LOG(debug, "cilium.network: policy DENY on id: {} port: {} sni: \"{}\"", conn,
- remote_id_, destination_port_, sni);
+ const bool allowed =
+ dip->addressAsString() == policy_fs->pod_ip_
+ ? true
+ : policy_fs->enforceNetworkPolicy(conn, destination_identity, destination_port_, sni,
+ use_proxy_lib, l7proto_, log_entry_);
+ if (!allowed) {
+ ENVOY_CONN_LOG(debug, "cilium.network: policy DENY {}->{} on id: {} port: {} sni: \"{}\"",
+ conn, dip->addressAsString(), policy_fs->pod_ip_, remote_id_,
+ destination_port_, sni);
 config_->log(log_entry_, ::cilium::EntryType::Denied);
 return false;
 }
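Review bot: The new short-circuit `dip->addressAsString() == policy_fs->pod_ip_ ? true : ...` skips enforceHTTPPolicy regardless of the direction flag `!config_->is_upstream_` that the call still passes; if on the ingress path the destination address of a request is the local pod (so that dip equals pod_ip_ for every inbound request), this would allow all ingress HTTP traffic without a policy lookup, so please confirm dip can only equal pod_ip_ for a pod talking to itself, or gate the comparison on the direction. The bypass branch also never calls enforceHTTPPolicy, so whatever that call records in `*log_entry_` is missing for these requests; the allow should at least be visible in the policy-lookup log that follows. Note that the comparison is a plain string match, so a differently rendered form of the same address (for example an IPv4-mapped IPv6 literal) falls through to normal enforcement, which is the safe direction but worth a one-line comment such as `// Traffic from the pod to its own IP is not subject to policy.` The `? true :` form can be written more directly as `allowed_ = dip->addressAsString() == policy_fs->pod_ip_ || policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity, destination_port, headers, *log_entry_);`. decodeHeaders starts before and continues after this hunk.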
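Review bot: `use_proxy_lib` is declared uninitialized on the kept line `bool use_proxy_lib;` and was previously always written by enforceNetworkPolicy as an out-parameter, but the new ternary skips that call whenever dip matches pod_ip_, so on that branch `use_proxy_lib` (and `l7proto_`, which is also only set through that call here) is never assigned; any read of `use_proxy_lib` later in onNewConnection is then a read of an indeterminate value, so initialize it, `bool use_proxy_lib = false;`, and check that the code after the hunk tolerates an unset `l7proto_` for self-directed connections. As in the L7 filter, the bypass ignores the direction of the connection, so it should be confirmed that dip cannot equal pod_ip_ for ordinary ingress connections to this pod, where it would disable network policy entirely. The rewritten DENY log prints `dip->addressAsString()` and `policy_fs->pod_ip_` under a `{}->{}` placeholder, which reads as a source-to-destination pair although both values are destination-side; a label such as `dst: {} (pod: {})` would be clearer. onNewConnection continues past the end of this hunk.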