Use interface instead of struct.
Signed-off-by: viktor-kurchenko <[email protected]>
viktor-kurchenko committed Feb 23, 2024
1 parent 484a179 commit 0b46aa4
Showing 80 changed files with 2,118 additions and 1,603 deletions.
79 changes: 79 additions & 0 deletions CODEOWNERS
Expand Up @@ -31,6 +31,85 @@
/connectivity/check/ipcache.go @cilium/ipcache
/connectivity/check/metrics*.go @cilium/metrics
/connectivity/check/policy.go @cilium/sig-policy
/connectivity/factory/all_egress_deny.go @cilium/ci-structure
/connectivity/factory/all_egress_deny_knp.go @cilium/ci-structure
/connectivity/factory/all_entities_deny.go @cilium/ci-structure
/connectivity/factory/all_ingress_deny.go @cilium/ci-structure
/connectivity/factory/all_ingress_deny_from_outside.go @cilium/ci-structure
/connectivity/factory/all_ingress_deny_knp.go @cilium/ci-structure
/connectivity/factory/allow_all_except_world.go @cilium/ci-structure
/connectivity/factory/allow_all_with_metrics_check.go @cilium/ci-structure
/connectivity/factory/check_log_errors.go @cilium/ci-structure
/connectivity/factory/client_egress.go @cilium/ci-structure
/connectivity/factory/client_egress_expression.go @cilium/ci-structure
/connectivity/factory/client_egress_expression_knp.go @cilium/ci-structure
/connectivity/factory/client_egress_knp.go @cilium/ci-structure
/connectivity/factory/client_egress_l7.go @cilium/ci-structure
/connectivity/factory/client_egress_l7_method.go @cilium/ci-structure
/connectivity/factory/client_egress_l7_named_port.go @cilium/ci-structure
/connectivity/factory/client_egress_l7_set_header.go @cilium/ci-structure
/connectivity/factory/client_egress_l7_tls_deny_without_headers.go @cilium/ci-structure
/connectivity/factory/client_egress_l7_tls_headers.go @cilium/ci-structure
/connectivity/factory/client_egress_to_cidr_deny.go @cilium/ci-structure
/connectivity/factory/client_egress_to_cidr_deny_default.go @cilium/ci-structure
/connectivity/factory/client_egress_to_echo_deny.go @cilium/ci-structure
/connectivity/factory/client_egress_to_echo_expression_deny.go @cilium/ci-structure
/connectivity/factory/client_egress_to_echo_service_account.go @cilium/ci-structure
/connectivity/factory/client_egress_to_echo_service_account_deny.go @cilium/ci-structure
/connectivity/factory/client_ingress.go @cilium/ci-structure
/connectivity/factory/client_ingress_from_other_client_icmp_deny.go @cilium/ci-structure
/connectivity/factory/client_ingress_icmp.go @cilium/ci-structure
/connectivity/factory/client_ingress_knp.go @cilium/ci-structure
/connectivity/factory/client_ingress_to_echo_named_port_deny.go @cilium/ci-structure
/connectivity/factory/client_with_service_account_egress_to_echo.go @cilium/ci-structure
/connectivity/factory/client_with_service_account_egress_to_echo_deny.go @cilium/ci-structure
/connectivity/factory/cluster_entity.go @cilium/ci-structure
/connectivity/factory/cluster_entity_multi_cluster.go @cilium/ci-structure
/connectivity/factory/dns_only.go @cilium/ci-structure
/connectivity/factory/echo_ingress.go @cilium/ci-structure
/connectivity/factory/echo_ingress_auth_always_fail.go @cilium/ci-structure
/connectivity/factory/echo_ingress_from_other_client_deny.go @cilium/ci-structure
/connectivity/factory/echo_ingress_from_outside.go @cilium/ci-structure
/connectivity/factory/echo_ingress_knp.go @cilium/ci-structure
/connectivity/factory/echo_ingress_l7.go @cilium/ci-structure
/connectivity/factory/echo_ingress_l7_named_port.go @cilium/ci-structure
/connectivity/factory/echo_ingress_mutual_auth_spiffe.go @cilium/ci-structure
/connectivity/factory/egress_gateway.go @cilium/ci-structure
/connectivity/factory/egress_gateway_excluded_cidrs.go @cilium/ci-structure
/connectivity/factory/factory.go @cilium/ci-structure
/connectivity/factory/from_cidr_host_netns.go @cilium/ci-structure
/connectivity/factory/health.go @cilium/ci-structure
/connectivity/factory/host_entity_egress.go @cilium/ci-structure
/connectivity/factory/host_entity_ingress.go @cilium/ci-structure
/connectivity/factory/network_perf.go @cilium/ci-structure
/connectivity/factory/no_interrupted_connections.go @cilium/ci-structure
/connectivity/factory/no_ipsec_xfrm_errors.go @cilium/ci-structure
/connectivity/factory/no_policies.go @cilium/ci-structure
/connectivity/factory/no_policies_extra.go @cilium/ci-structure
/connectivity/factory/no_policies_from_outside.go @cilium/ci-structure
/connectivity/factory/no_unexpected_packet_drops.go @cilium/ci-structure
/connectivity/factory/node_to_node_encryption.go @cilium/ci-structure
/connectivity/factory/north_south_loadbalancing.go @cilium/ci-structure
/connectivity/factory/north_south_loadbalancing_with_l7_policy.go @cilium/ci-structure
/connectivity/factory/outside_to_ingress_service.go @cilium/ci-structure
/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go @cilium/ci-structure
/connectivity/factory/outside_to_ingress_service_deny_cidr.go @cilium/ci-structure
/connectivity/factory/outside_to_ingress_service_deny_world_identity.go @cilium/ci-structure
/connectivity/factory/pod_to_controlplane_host.go @cilium/ci-structure
/connectivity/factory/pod_to_controlplane_host_cidr.go @cilium/ci-structure
/connectivity/factory/pod_to_ingress_service.go @cilium/ci-structure
/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go @cilium/ci-structure
/connectivity/factory/pod_to_ingress_service_deny_all.go @cilium/ci-structure
/connectivity/factory/pod_to_ingress_service_deny_backend_service.go @cilium/ci-structure
/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go @cilium/ci-structure
/connectivity/factory/pod_to_k8s_on_controlplane.go @cilium/ci-structure
/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go @cilium/ci-structure
/connectivity/factory/pod_to_node_cidrpolicy.go @cilium/ci-structure
/connectivity/factory/pod_to_pod_encryption.go @cilium/ci-structure
/connectivity/factory/to_cidr_external.go @cilium/ci-structure
/connectivity/factory/to_cidr_external_knp.go @cilium/ci-structure
/connectivity/factory/to_entities_world.go @cilium/ci-structure
/connectivity/factory/to_fqdns.go @cilium/ci-structure
/connectivity/tests/egressgateway.go @cilium/egress-gateway
/connectivity/tests/encryption.go @cilium/sig-encryption
/connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
49 changes: 27 additions & 22 deletions connectivity/factory/all_egress_deny.go
Expand Up @@ -6,29 +6,34 @@ package factory
import (
_ "embed"

"github.com/blang/semver/v4"

"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
)

var (
//go:embed manifests/deny-all-egress.yaml
denyAllEgressPolicyYAML string

allEgressDeny = factory{
name: "all-egress-deny",
build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all egresses by default
test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
ct.AddTest(test).
WithCiliumPolicy(denyAllEgressPolicyYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultDefaultDenyEgressDrop, check.ResultNone
})
},
condition: runAlways,
}
)
//go:embed manifests/deny-all-egress.yaml
var denyAllEgressPolicyYAML string

type allEgressDeny struct{}

func (t allEgressDeny) name() string {
return "all-egress-deny"
}

func (t allEgressDeny) shouldRun(_ semver.Version, _ check.Parameters) bool {
return true
}

func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all egresses by default
newTest(t.name(), ct).
WithCiliumPolicy(denyAllEgressPolicyYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultDefaultDenyEgressDrop, check.ResultNone
})
}
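Review bot: The `shouldRun` method at L148-150 is a verbatim `return true` that the commit repeats in all_egress_deny_knp.go, all_entities_deny.go and all_ingress_deny.go (L207, L266, L324), replacing the single shared `runAlways` the removed code used; a zero-size embeddable type defined once (in factory.go or wherever the interface lives) keeps the "no gating" default in one place so a later change to it cannot drift between files. The new `allEgressDeny` type also has no doc comment; the one-liner currently inside `build` fits better on the type, e.g. `// allEgressDeny registers the "all-egress-deny" test: a deny-all-egress CiliumNetworkPolicy under which pod-to-pod traffic is expected to be dropped by default deny.` The `_ map[string]string` parameter of `build` is unnamed in every file, so a reader cannot tell from this hunk what the caller passes there; naming it in the interface declaration (outside this hunk) would help.
```go
// alwaysRun is embedded by test types that have no version or
// parameter gating and provides the shared shouldRun.
type alwaysRun struct{}

func (alwaysRun) shouldRun(_ semver.Version, _ check.Parameters) bool {
	return true
}

type allEgressDeny struct{ alwaysRun }

// … unchanged: name() and build() …
```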
49 changes: 27 additions & 22 deletions connectivity/factory/all_egress_deny_knp.go
Expand Up @@ -6,29 +6,34 @@ package factory
import (
_ "embed"

"github.com/blang/semver/v4"

"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
)

var (
//go:embed manifests/deny-all-egress-knp.yaml
denyAllEgressPolicyKNPYAML string

allEgressDenyKnp = factory{
name: "all-egress-deny-knp",
build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all egresses by default using KNP.
test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
ct.AddTest(test).
WithK8SPolicy(denyAllEgressPolicyKNPYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultDefaultDenyEgressDrop, check.ResultNone
})
},
condition: runAlways,
}
)
//go:embed manifests/deny-all-egress-knp.yaml
var denyAllEgressPolicyKNPYAML string

type allEgressDenyKnp struct{}

func (t allEgressDenyKnp) name() string {
return "all-egress-deny-knp"
}

func (t allEgressDenyKnp) shouldRun(_ semver.Version, _ check.Parameters) bool {
return true
}

func (t allEgressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all egresses by default using KNP.
newTest(t.name(), ct).
WithK8SPolicy(denyAllEgressPolicyKNPYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultDefaultDenyEgressDrop, check.ResultNone
})
}
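Review bot: `allEgressDenyKnp` at L201 is declared without a doc comment, and the only description of what it tests is the comment buried inside `build` at L212; move it to the type so `go doc` and readers of the factory list see it: `// allEgressDenyKnp registers the "all-egress-deny-knp" test: a Kubernetes NetworkPolicy denying all egress, under which PodToPod and PodToPodWithEndpoints traffic is expected to be dropped by default deny.` The expectations closure returning `ResultDefaultDenyEgressDrop` for every action is unchanged from the removed code, so nothing further to raise there.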
49 changes: 27 additions & 22 deletions connectivity/factory/all_entities_deny.go
Expand Up @@ -6,29 +6,34 @@ package factory
import (
_ "embed"

"github.com/blang/semver/v4"

"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
)

var (
//go:embed manifests/deny-all-entities.yaml
denyAllEntitiesPolicyYAML string

allEntitiesDeny = factory{
name: "all-entities-deny",
build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all entities by default
test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
ct.AddTest(test).
WithCiliumPolicy(denyAllEntitiesPolicyYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToCIDR(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultPolicyDenyEgressDrop, check.ResultNone
})
},
condition: runAlways,
}
)
//go:embed manifests/deny-all-entities.yaml
var denyAllEntitiesPolicyYAML string

type allEntitiesDeny struct{}

func (t allEntitiesDeny) name() string {
return "all-entities-deny"
}

func (t allEntitiesDeny) shouldRun(_ semver.Version, _ check.Parameters) bool {
return true
}

func (t allEntitiesDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all entities by default
newTest(t.name(), ct).
WithCiliumPolicy(denyAllEntitiesPolicyYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToCIDR(),
).
WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
return check.ResultPolicyDenyEgressDrop, check.ResultNone
})
}
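Review bot: The expectation at L279 returns `check.ResultPolicyDenyEgressDrop`, while the two sibling egress-deny tests in this commit return `check.ResultDefaultDenyEgressDrop`; the distinction is deliberate (it was carried over from the removed code) but nothing in the file says why, and a future contributor copying one of these tests will pick the wrong constant. A why-comment on the closure would settle it, hedged until checked against the manifest: `// The deny-all-entities manifest is an explicit egressDeny rule, so the drop is attributed to policy rather than to default deny — TODO confirm against manifests/deny-all-entities.yaml`. As with the other files, the type `allEntitiesDeny` at L260 lacks a doc comment; the one-liner at L271 belongs there.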
53 changes: 30 additions & 23 deletions connectivity/factory/all_ingress_deny.go
Expand Up @@ -4,32 +4,39 @@
package factory

import (
"github.com/blang/semver/v4"

"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
"github.com/cilium/cilium-cli/utils/features"
)

var allIngressDeny = factory{
name: "all-ingress-deny",
build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all ingresses by default.
//
// 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
// but then at the destination there is ingress policy that denies the traffic.
// 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
// then when replies come back, they are considered as "replies" to the outbound connection.
// so they are not subject to ingress policy.
test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
ct.AddTest(test).
WithCiliumPolicy(denyAllIngressPolicyYAML).
WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
return check.ResultOK, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
})
},
condition: runAlways,
type allIngressDeny struct{}

func (t allIngressDeny) name() string {
return "all-ingress-deny"
}

func (t allIngressDeny) shouldRun(_ semver.Version, _ check.Parameters) bool {
return true
}

func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
// This policy denies all ingresses by default.
//
// 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
// but then at the destination there is ingress policy that denies the traffic.
// 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
// then when replies come back, they are considered as "replies" to the outbound connection.
// so they are not subject to ingress policy.
newTest(t.name(), ct).
WithCiliumPolicy(denyAllIngressPolicyYAML).
WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
return check.ResultOK, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
})
}
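Review bot: The external-IP check at L340-341 is duplicated character for character in all_ingress_deny_from_outside.go (L388-389), and both closures reach into `ct.Params()` four times to compare against the same two addresses; a small package-level helper taken from this hunk keeps the "ingress policy does not apply to external destinations" rule in one place, and the explanation that currently sits inside `build` at L329-335 should become the doc comment of `allIngressDeny` (L318), which has none. `denyAllIngressPolicyYAML` is referenced here but not declared in this hunk, so its embed directive lives elsewhere; worth a pointer in the type doc.
```go
// destinationIsExternal reports whether the action targets one of the
// external IPs from the test parameters. Traffic to those hosts is not
// subject to ingress policy because the replies belong to an outbound
// connection.
func destinationIsExternal(ct *check.ConnectivityTest, a *check.Action) bool {
	p := ct.Params()
	return a.Destination().Address(features.GetIPFamily(p.ExternalOtherIP)) == p.ExternalOtherIP ||
		a.Destination().Address(features.GetIPFamily(p.ExternalIP)) == p.ExternalIP
}

// … unchanged: name(), shouldRun() and the start of build() …
		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
			if destinationIsExternal(ct, a) {
				return check.ResultOK, check.ResultNone
			}
			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
		})
```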
41 changes: 23 additions & 18 deletions connectivity/factory/all_ingress_deny_from_outside.go
Expand Up @@ -11,22 +11,27 @@ import (
"github.com/cilium/cilium-cli/utils/features"
)

var allIngressDenyFromOutside = factory{
name: "all-ingress-deny-from-outside",
build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
ct.AddTest(test).
WithCiliumPolicy(denyAllIngressPolicyYAML).
WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)).
WithIPRoutesFromOutsideToPodCIDRs().
WithScenarios(tests.FromCIDRToPod()).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
return check.ResultOK, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
})
},
condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests },
type allIngressDenyFromOutside struct{}

func (t allIngressDenyFromOutside) name() string {
return "all-ingress-deny-from-outside"
}

func (t allIngressDenyFromOutside) shouldRun(_ semver.Version, params check.Parameters) bool {
return params.IncludeUnsafeTests
}

func (t allIngressDenyFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) {
newTest(t.name(), ct).
WithCiliumPolicy(denyAllIngressPolicyYAML).
WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)).
WithIPRoutesFromOutsideToPodCIDRs().
WithScenarios(tests.FromCIDRToPod()).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
return check.ResultOK, check.ResultNone
}
return check.ResultDrop, check.ResultDefaultDenyIngressDrop
})
}
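Review bot: `shouldRun` at L377-379 gates this test on `params.IncludeUnsafeTests` but neither the method nor the type `allIngressDenyFromOutside` (L371) says what makes it unsafe, so someone enabling the flag cannot tell from the code what it will do to their nodes; the removed one-liner `condition` carried the same silence, but the new method is the natural place to explain it. A hedged doc comment on the type would do: `// allIngressDenyFromOutside registers the "all-ingress-deny-from-outside" test, which applies the deny-all-ingress policy and sends traffic from the node without Cilium into the pod CIDRs. It runs only when params.IncludeUnsafeTests is set — presumably because WithIPRoutesFromOutsideToPodCIDRs installs routes on that node; confirm before relying on this.` The `build` body repeats the external-IP comparison from all_ingress_deny.go (L340-341); see the note there. The import block this hunk starts in continues above the hunk.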
