Add support for disabling network on workload

Previously a workload could only have its network disabled when that
was aligned with the Profile. This change enables the workload to be
more restrictive than the Profile.

Signed-off-by: Paulo Gomes <[email protected]>

Author: pjbgf

internal/types/workload.go

@@ -97,7 +97,7 @@ func (w Workload) ApplyProfile(p *Profile) EffectiveWorkload {
 
 	// If profile sets a network, that is enforced on all workloads.
 	// If a profile does not set a network, workloads can only set "none" as a network.
-	if p.Network != "" {
+	if p.Network != "" && w.HostAccess.Network != "none" {
 		e.Workload.HostAccess.Network = p.Network
 	} else if w.HostAccess.Network != "" && w.HostAccess.Network != "none" {
 		e.Workload.HostAccess.Network = ""

internal/types/workload_test.go

@@ -690,6 +690,24 @@ func Test_ApplyProfile(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Network none: workload foo + profile none",
+			workload: Workload{
+				HostAccess: HostAccess{Network: "none"},
+			},
+			profile: &Profile{
+				HostAccess: HostAccess{Network: "foo"},
+			},
+			want: EffectiveWorkload{
+				Name: "-",
+				Workload: Workload{
+					HostAccess: HostAccess{Network: "none"},
+				},
+				Profile: &Profile{
+					HostAccess: HostAccess{Network: "foo"},
+				},
+			},
+		},
 		{
 			name: "Paths empty: workload /foo + profile empty",
 			workload: Workload{