ci: [NPM] conformance test for loadbalancer and nodeport services

[huntergregory]

Reason for Change:

Use Policy Assistant (essentially Cyclonus) to test traffic to LoadBalancer and NodePort services. Previous tests only tested ClusterIP services.

Also updates NPM profiles:

• disable placefirst for "background" profile
• enable background for "placefirst" profile

Issue Fixed:

Requirements:

• uses conventional commit messages
• includes documentation
• adds unit tests
• relevant PR labels added

Notes:

Uses this policy assistant change: kubernetes-sigs/network-policy-api#287

[huntergregory]

/azp run NPM Conformance Tests

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[huntergregory]

/azp run Azure Container Networking PR

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

npm/profiles/v2-place-first.yaml:12

• The key name 'NetPolInvervalInMilliseconds' is misspelled. It should be 'NetPolIntervalInMilliseconds'.

"NetPolInvervalInMilliseconds": 500,

[huntergregory]

Results: https://msazure.visualstudio.com/One/_build/results?buildId=115164777&view=logs&j=dcd2db64-7faa-5362-ce24-05c7a3a55715&t=9b81cc1a-2cdd-519e-8ba1-69b980b8d0a0

SummaryTable:
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|              TEST              | RESULT |   STEP/TRY    | WRONG | RIGHT | IGNORED |       TCP        | SCTP |       UDP        |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 1: LoadBalancer with           | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| deny all ingress               |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 2: LoadBalancer with           | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| allow ingress from pods and    |        |               |       |       |         |                  |      |                  |
| nodes                          |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 3: LoadBalancer with           | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| deny all egress                |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 4: LoadBalancer with           | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| allow egress to pods           |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 5: NodePort with               | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| deny all ingress (to source    |        |               |       |       |         |                  |      |                  |
| pod's node)                    |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 6: NodePort with               | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| allow ingress from pods and    |        |               |       |       |         |                  |      |                  |
| nodes (to source pod's node)   |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 7: NodePort with               | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| deny all egress (to source     |        |               |       |       |         |                  |      |                  |
| pod's node)                    |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 8: NodePort with               | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Cluster: |        |               |       |       |         |                  |      |                  |
| allow egress to pods (to       |        |               |       |       |         |                  |      |                  |
| source pod's node)             |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 9: LoadBalancer with           | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| deny all ingress               |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    18 |      63 | 36 / 36 (100%)   | -    | 36 / 36 (100%)   |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 10: LoadBalancer with          | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| allow ingress from pods        |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    18 |      63 | 36 / 36 (100%)   | -    | 36 / 36 (100%)   |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 11: LoadBalancer with          | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| deny all egress                |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    18 |      63 | 36 / 36 (100%)   | -    | 36 / 36 (100%)   |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 12: LoadBalancer with          | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| allow egress to pods           |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    18 |      63 | 36 / 36 (100%)   | -    | 36 / 36 (100%)   |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 13: NodePort with              | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| deny all ingress (to           |        |               |       |       |         |                  |      |                  |
| destination pod's node)        |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 14: NodePort with              | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| allow ingress from pods (to    |        |               |       |       |         |                  |      |                  |
| destination pod's node)        |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 15: NodePort with              | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| deny all egress (to            |        |               |       |       |         |                  |      |                  |
| destination pod's node)        |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
| 16: NodePort with              | passed |               |       |       |         |                  |      |                  |
| externalTrafficPolicy=Local:   |        |               |       |       |         |                  |      |                  |
| allow egress to pods and nodes |        |               |       |       |         |                  |      |                  |
| (to destination pod's node)    |        |               |       |       |         |                  |      |                  |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+
|                                |        | Step 1, try 1 |     0 |    72 |       9 | 144 / 144 (100%) | -    | 144 / 144 (100%) |
+--------------------------------+--------+---------------+-------+-------+---------+------------------+------+------------------+

special-services counts:
+--------------------------------------+--------+--------+----------+
|               FEATURE                | PASSED | FAILED | PASSED % |
+--------------------------------------+--------+--------+----------+
| nodeport                             |      8 |      0 |      100 |
| to-source-pod-node                   |      4 |      0 |      100 |
| external-traffic-policy-local        |      8 |      0 |      100 |
| to-destination-pod-node              |      4 |      0 |      100 |
| external-traffic-policy-cluster      |      8 |      0 |      100 |
| loadbalancer                         |      8 |      0 |      100 |
| no-cni-source-pod-info-to-other-node |      2 |      0 |      100 |
+--------------------------------------+--------+--------+----------+

direction counts:
+---------+--------+--------+----------+
| FEATURE | PASSED | FAILED | PASSED % |
+---------+--------+--------+----------+
| egress  |      8 |      0 |      100 |
| ingress |      8 |      0 |      100 |
+---------+--------+--------+----------+

rule counts:
+----------+--------+--------+----------+
| FEATURE  | PASSED | FAILED | PASSED % |
+----------+--------+--------+----------+
| deny-all |      8 |      0 |      100 |
+----------+--------+--------+----------+

peer-pods counts:
+----------------+--------+--------+----------+
|    FEATURE     | PASSED | FAILED | PASSED % |
+----------------+--------+--------+----------+
| all-namespaces |      8 |      0 |      100 |
+----------------+--------+--------+----------+

peer-ipblock counts:
+--------------------+--------+--------+----------+
|      FEATURE       | PASSED | FAILED | PASSED % |
+--------------------+--------+--------+----------+
| ip-block-no-except |      3 |      0 |      100 |
+--------------------+--------+--------+----------+

Pass/Fail for probes on protocols:
+---------------+--------+--------+----------+
|   PROTOCOL    | PASSED | FAILED | PASSED % |
+---------------+--------+--------+----------+
| probe on TCP  |   1872 |      0 |      100 |
| probe on SCTP |      0 |      0 |        0 |
| probe on UDP  |   1872 |      0 |      100 |
+---------------+--------+--------+----------+

Feature results:
| Tag | Result |
| --- | --- |
| action | 16 / 16 = 100% ✅ |
|  - action: create policy | 16 / 16 = 100% ✅ |
| egress | 16 / 16 = 100% ✅ |
|  - 0 port/protocols | 4 / 4 = 100% ✅ |
|  - 0 rules | 12 / 12 = 100% ✅ |
|  - 1 peer | 3 / 3 = 100% ✅ |
|  - 1 rule | 4 / 4 = 100% ✅ |
|  - 2+ peers | 1 / 1 = 100% ✅ |
|  - IPBlock (no except) | 1 / 1 = 100% ✅ |
|  - peer namespace selector empty | 4 / 4 = 100% ✅ |
|  - peer pod selector nil | 4 / 4 = 100% ✅ |
| general | 16 / 16 = 100% ✅ |
|  - policy with egress | 4 / 4 = 100% ✅ |
|  - policy with ingress | 4 / 4 = 100% ✅ |
|  - target: empty pod selector | 16 / 16 = 100% ✅ |
|  - target: specific namespace | 16 / 16 = 100% ✅ |
| ingress | 16 / 16 = 100% ✅ |
|  - 0 port/protocols | 4 / 4 = 100% ✅ |
|  - 0 rules | 12 / 12 = 100% ✅ |
|  - 1 peer | 2 / 2 = 100% ✅ |
|  - 1 rule | 4 / 4 = 100% ✅ |
|  - 2+ peers | 2 / 2 = 100% ✅ |
|  - IPBlock (no except) | 2 / 2 = 100% ✅ |
|  - peer namespace selector empty | 4 / 4 = 100% ✅ |
|  - peer pod selector nil | 4 / 4 = 100% ✅ |

Tag results:
| Tag | Result |
| --- | --- |
| direction | 16 / 16 = 100% ✅ |
|  - egress | 8 / 8 = 100% ✅ |
|  - ingress | 8 / 8 = 100% ✅ |
| peer-ipblock | 3 / 3 = 100% ✅ |
|  - ip-block-no-except | 3 / 3 = 100% ✅ |
| peer-pods | 8 / 8 = 100% ✅ |
|  - all-namespaces | 8 / 8 = 100% ✅ |
| rule | 8 / 8 = 100% ✅ |
|  - deny-all | 8 / 8 = 100% ✅ |
| special-services | 16 / 16 = 100% ✅ |
|  - external-traffic-policy-cluster | 8 / 8 = 100% ✅ |
|  - external-traffic-policy-local | 8 / 8 = 100% ✅ |
|  - loadbalancer | 8 / 8 = 100% ✅ |
|  - no-cni-source-pod-info-to-other-node | 2 / 2 = 100% ✅ |
|  - nodeport | 8 / 8 = 100% ✅ |
|  - to-destination-pod-node | 4 / 4 = 100% ✅ |
|  - to-source-pod-node | 4 / 4 = 100% ✅ |