Azure
diff --git a/‎aitelemetry/api.go‎
Lines changed: 2 additions & 0 deletions b/‎aitelemetry/api.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎aitelemetry/telemetrywrapper.go‎
Lines changed: 13 additions & 1 deletion b/‎aitelemetry/telemetrywrapper.go‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎azure-ipam/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎azure-ipam/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎azure-ipam/go.sum‎
Lines changed: 2 additions & 2 deletions b/‎azure-ipam/go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎build/tools/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎build/tools/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎build/tools/go.sum‎
Lines changed: 2 additions & 2 deletions b/‎build/tools/go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cni/network/invoker_cns.go‎
Lines changed: 5 additions & 0 deletions b/‎cni/network/invoker_cns.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cni/network/invoker_cns_test.go‎
Lines changed: 66 additions & 15 deletions b/‎cni/network/invoker_cns_test.go‎
Lines changed: 66 additions & 15 deletions
diff --git a/‎cni/network/network.go‎
Lines changed: 4 additions & 0 deletions b/‎cni/network/network.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cni/network/network_windows_test.go‎
Lines changed: 26 additions & 0 deletions b/‎cni/network/network_windows_test.go‎
Lines changed: 26 additions & 0 deletions
@@ -5,11 +5,13 @@ import (
 
 	"github.com/Azure/azure-container-networking/common"
 	"github.com/microsoft/ApplicationInsights-Go/appinsights"
+	"github.com/microsoft/ApplicationInsights-Go/appinsights/contracts"
 )
 
 // Application trace/log structure
 type Report struct {
 	Message          string
+	Level            contracts.SeverityLevel
 	Context          string
 	AppVersion       string
 	CustomDimensions map[string]string
 
@@ -11,6 +11,7 @@ import (
 	"github.com/Azure/azure-container-networking/processlock"
 	"github.com/Azure/azure-container-networking/store"
 	"github.com/microsoft/ApplicationInsights-Go/appinsights"
+	"github.com/microsoft/ApplicationInsights-Go/appinsights/contracts"
 )
 
 const (
@@ -35,6 +36,17 @@ const (
 	defaultRefreshTimeoutInSecs      = 10
 )
 
+type Level = contracts.SeverityLevel
+
+const (
+	DebugLevel Level = contracts.Verbose
+	InfoLevel  Level = contracts.Information
+	WarnLevel  Level = contracts.Warning
+	ErrorLevel Level = contracts.Error
+	PanicLevel Level = contracts.Critical
+	FatalLevel Level = contracts.Critical
+)
+
 var debugMode bool
 
 func setAIConfigDefaults(config *AIConfig) {
@@ -203,7 +215,7 @@ func NewAITelemetry(
 // and for rest it uses custom dimesion
 func (th *telemetryHandle) TrackLog(report Report) {
 	// Initialize new trace message
-	trace := appinsights.NewTraceTelemetry(report.Message, appinsights.Warning)
+	trace := appinsights.NewTraceTelemetry(report.Message, report.Level)
 
 	// will be empty if cns used as telemetry service for cni
 	if th.appVersion == "" {
 
@@ -72,7 +72,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.22.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 
@@ -237,8 +237,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
 golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 
@@ -201,7 +201,7 @@ require (
 	golang.org/x/exp v0.0.0-20241004190924-225e2abe05e6 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 
@@ -510,8 +510,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 
@@ -15,6 +15,7 @@ import (
 	"github.com/Azure/azure-container-networking/iptables"
 	"github.com/Azure/azure-container-networking/network"
 	"github.com/Azure/azure-container-networking/network/networkutils"
+	"github.com/Azure/azure-container-networking/network/policy"
 	cniSkel "github.com/containernetworking/cni/pkg/skel"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
@@ -55,6 +56,7 @@ type IPResultInfo struct {
 	skipDefaultRoutes  bool
 	routes             []cns.Route
 	pnpID              string
+	endpointPolicies   []policy.Policy
 }
 
 func (i IPResultInfo) MarshalLogObject(encoder zapcore.ObjectEncoder) error {
@@ -159,6 +161,7 @@ func (invoker *CNSIPAMInvoker) Add(addConfig IPAMAddConfig) (IPAMAddResult, erro
 			skipDefaultRoutes:  response.PodIPInfo[i].SkipDefaultRoutes,
 			routes:             response.PodIPInfo[i].Routes,
 			pnpID:              response.PodIPInfo[i].PnPID,
+			endpointPolicies:   response.PodIPInfo[i].EndpointPolicies,
 		}
 
 		logger.Info("Received info for pod",
@@ -444,6 +447,7 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add
 				Gw:  ncgw,
 			})
 		}
+
 		// if we have multiple infra ip result infos, we effectively append routes and ip configs to that same interface info each time
 		// the host subnet prefix (in ipv4 or ipv6) will always refer to the same interface regardless of which ip result info we look at
 		addResult.interfaceInfo[key] = network.InterfaceInfo{
@@ -452,6 +456,7 @@ func configureDefaultAddResult(info *IPResultInfo, addConfig *IPAMAddConfig, add
 			IPConfigs:         ipConfigs,
 			Routes:            resRoute,
 			HostSubnetPrefix:  *hostIPNet,
+			EndpointPolicies:  info.endpointPolicies,
 		}
 	}
 
 
@@ -12,6 +12,7 @@ import (
 	"github.com/Azure/azure-container-networking/cns"
 	"github.com/Azure/azure-container-networking/iptables"
 	"github.com/Azure/azure-container-networking/network"
+	"github.com/Azure/azure-container-networking/network/policy"
 	cniSkel "github.com/containernetworking/cni/pkg/skel"
 	"github.com/stretchr/testify/require"
 )
@@ -521,14 +522,38 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 		hostSubnetPrefix *net.IPNet
 		options          map[string]interface{}
 	}
+	valueOut := []byte(`{
+		"Type": "ACL",
+		"Action": "Block",
+		"Direction": "Out",
+		"Priority": 10000
+	}`)
 
+	valueIn := []byte(`{
+		"Type": "ACL",
+		"Action": "Block",
+		"Direction": "In",
+		"Priority": 10000
+	}`)
+
+	expectedEndpointPolicies := []policy.Policy{
+		{
+			Type: policy.EndpointPolicy,
+			Data: valueOut,
+		},
+		{
+			Type: policy.EndpointPolicy,
+			Data: valueIn,
+		},
+	}
 	tests := []struct {
-		name                  string
-		fields                fields
-		args                  args
-		wantDefaultResult     network.InterfaceInfo
-		wantMultitenantResult network.InterfaceInfo
-		wantErr               bool
+		name                     string
+		fields                   fields
+		args                     args
+		wantDefaultDenyEndpoints bool
+		wantDefaultResult        network.InterfaceInfo
+		wantMultitenantResult    network.InterfaceInfo
+		wantErr                  bool
 	}{
 		{
 			name: "Test happy CNI add",
@@ -559,7 +584,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 										PrimaryIP: "10.0.0.1",
 										Subnet:    "10.0.0.0/24",
 									},
-									NICType: cns.InfraNIC,
+									NICType:          cns.InfraNIC,
+									EndpointPolicies: expectedEndpointPolicies,
 								},
 							},
 							Response: cns.Response{
@@ -588,6 +614,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 						Gateway: net.ParseIP("10.0.0.1"),
 					},
 				},
+				EndpointPolicies: expectedEndpointPolicies,
 				Routes: []network.RouteInfo{
 					{
 						Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -597,7 +624,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 				NICType:          cns.InfraNIC,
 				HostSubnetPrefix: *parseCIDR("10.0.0.0/24"),
 			},
-			wantErr: false,
+			wantDefaultDenyEndpoints: true,
+			wantErr:                  false,
 		},
 		{
 			name: "Test CNI add with pod ip info empty nictype",
@@ -665,7 +693,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 				NICType:          cns.InfraNIC,
 				HostSubnetPrefix: *parseCIDR("10.0.0.0/24"),
 			},
-			wantErr: false,
+			wantDefaultDenyEndpoints: false,
+			wantErr:                  false,
 		},
 		{
 			name: "Test happy CNI add for both ipv4 and ipv6",
@@ -696,7 +725,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 										PrimaryIP: "10.0.0.1",
 										Subnet:    "10.0.0.0/24",
 									},
-									NICType: cns.InfraNIC,
+									NICType:          cns.InfraNIC,
+									EndpointPolicies: expectedEndpointPolicies,
 								},
 								{
 									PodIPConfig: cns.IPSubnet{
@@ -716,7 +746,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 										PrimaryIP: "fe80::1234:5678:9abc",
 										Subnet:    "fd11:1234::/112",
 									},
-									NICType: cns.InfraNIC,
+									NICType:          cns.InfraNIC,
+									EndpointPolicies: expectedEndpointPolicies,
 								},
 							},
 							Response: cns.Response{
@@ -749,6 +780,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 						Gateway: net.ParseIP("fe80::1234:5678:9abc"),
 					},
 				},
+				EndpointPolicies: expectedEndpointPolicies,
 				Routes: []network.RouteInfo{
 					{
 						Dst: network.Ipv4DefaultRouteDstPrefix,
@@ -762,7 +794,8 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 				NICType:          cns.InfraNIC,
 				HostSubnetPrefix: *parseCIDR("fd11:1234::/112"),
 			},
-			wantErr: false,
+			wantDefaultDenyEndpoints: true,
+			wantErr:                  false,
 		},
 		{
 			name: "fail to request IP addresses from cns",
@@ -773,12 +806,24 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 					require: require,
 					requestIPs: requestIPsHandler{
 						ipconfigArgument: getTestIPConfigsRequest(),
-						result:           nil,
-						err:              errors.New("failed error from CNS"), //nolint "error for ut"
+						result: &cns.IPConfigsResponse{
+							PodIPInfo: []cns.PodIpInfo{
+								{
+									EndpointPolicies: expectedEndpointPolicies,
+								},
+							},
+							Response: cns.Response{
+								ReturnCode: 0,
+								Message:    "",
+							},
+						},
+						err: errors.New("failed error from CNS"), //nolint "error for ut"
+
 					},
 				},
 			},
-			wantErr: true,
+			wantDefaultDenyEndpoints: false,
+			wantErr:                  true,
 		},
 	}
 	for _, tt := range tests {
@@ -794,6 +839,7 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 			}
 			ipamAddResult, err := invoker.Add(IPAMAddConfig{nwCfg: tt.args.nwCfg, args: tt.args.args, options: tt.args.options})
 			if tt.wantErr {
+				require.Equalf([]policy.Policy(nil), ipamAddResult.interfaceInfo[string(cns.InfraNIC)].EndpointPolicies, "There was an error requesting IP addresses from cns")
 				require.Error(err)
 			} else {
 				require.NoError(err)
@@ -809,6 +855,11 @@ func TestCNSIPAMInvoker_Add(t *testing.T) {
 				}
 				if ifInfo.NICType == cns.InfraNIC {
 					require.Equalf(tt.wantDefaultResult, ifInfo, "incorrect default response")
+					if tt.wantDefaultDenyEndpoints {
+						require.Equalf(expectedEndpointPolicies, ifInfo.EndpointPolicies, "Correct default deny ACL")
+					} else {
+						require.Equalf([]policy.Policy(nil), ifInfo.EndpointPolicies, "Correct default deny ACL")
+					}
 				}
 			}
 		})
 
@@ -833,6 +833,10 @@ func (plugin *NetPlugin) createEpInfo(opt *createEpInfoOpt) (*network.EndpointIn
 	// create endpoint policies by appending to network policies
 	// the value passed into NetworkPolicies should be unaffected since we reassign here
 	opt.policies = append(opt.policies, endpointPolicies...)
+
+	// appends endpoint policies specific to this interface
+	opt.policies = append(opt.policies, opt.ifInfo.EndpointPolicies...)
+
 	endpointInfo.EndpointPolicies = opt.policies
 	// add even more endpoint policies
 	epPolicies, err := getPoliciesFromRuntimeCfg(opt.nwCfg, opt.ipamAddResult.ipv6Enabled) // not specific to delegated or infra
 
@@ -878,6 +878,12 @@ func GetTestCNSResponseSecondaryWindows(macAddress string) map[string]network.In
 			SkipDefaultRoutes: true,
 			NICType:           cns.InfraNIC,
 			HostSubnetPrefix:  *getCIDRNotationForAddress("20.224.0.0/16"),
+			EndpointPolicies: []policy.Policy{
+				{
+					Type: policy.EndpointPolicy,
+					Data: GetRawACLPolicy(),
+				},
+			},
 		},
 		macAddress: {
 			MacAddress: parsedMAC,
@@ -895,6 +901,12 @@ func GetTestCNSResponseSecondaryWindows(macAddress string) map[string]network.In
 				},
 			},
 			NICType: cns.NodeNetworkInterfaceFrontendNIC,
+			EndpointPolicies: []policy.Policy{
+				{
+					Type: policy.EndpointPolicy,
+					Data: GetRawOutBoundNATPolicy(),
+				},
+			},
 		},
 	}
 }
@@ -1226,6 +1238,12 @@ func TestPluginWindowsAdd(t *testing.T) {
 								Gateway: net.ParseIP("10.244.2.1"),
 							},
 						},
+						EndpointPolicies: []policy.Policy{
+							{
+								Type: policy.EndpointPolicy,
+								Data: GetRawACLPolicy(),
+							},
+						},
 					},
 					epIDRegex: `.*`,
 				},
@@ -1269,6 +1287,12 @@ func TestPluginWindowsAdd(t *testing.T) {
 								Gateway: net.ParseIP("10.241.0.1"),
 							},
 						},
+						EndpointPolicies: []policy.Policy{
+							{
+								Type: policy.EndpointPolicy,
+								Data: GetRawOutBoundNATPolicy(),
+							},
+						},
 					},
 					epIDRegex: `.*`,
 				},
@@ -1326,6 +1350,8 @@ func TestPluginWindowsAdd(t *testing.T) {
 					epInfo1.EndpointPolicies[0] = policy.Policy{
 						Type: policy.ACLPolicy,
 					}
+					require.Len(t, epInfo1.EndpointPolicies, 1)
+					require.Len(t, epInfo2.EndpointPolicies, 1)
 					require.NotEqual(t, epInfo1.EndpointPolicies, epInfo2.EndpointPolicies)
 				}
 				// ensure the network policy slices are separate entities when in separate endpoint infos