From 0b46aa4822b005d323d2e0890d888103c828dc46 Mon Sep 17 00:00:00 2001 From: viktor-kurchenko Date: Wed, 21 Feb 2024 17:07:54 +0200 Subject: [PATCH] Use interface instead of struct. 
Signed-off-by: viktor-kurchenko --- CODEOWNERS | 79 ++++++++ connectivity/factory/all_egress_deny.go | 49 ++--- connectivity/factory/all_egress_deny_knp.go | 49 ++--- connectivity/factory/all_entities_deny.go | 49 ++--- connectivity/factory/all_ingress_deny.go | 53 +++--- .../factory/all_ingress_deny_from_outside.go | 41 +++-- connectivity/factory/all_ingress_deny_knp.go | 67 +++---- .../factory/allow_all_except_world.go | 59 +++--- .../factory/allow_all_with_metrics_check.go | 33 ++-- connectivity/factory/check_log_errors.go | 25 +-- connectivity/factory/client_egress.go | 37 ++-- .../factory/client_egress_expression.go | 37 ++-- .../factory/client_egress_expression_knp.go | 37 ++-- connectivity/factory/client_egress_knp.go | 37 ++-- connectivity/factory/client_egress_l7.go | 69 +++---- .../factory/client_egress_l7_method.go | 77 ++++---- .../factory/client_egress_l7_named_port.go | 69 +++---- .../factory/client_egress_l7_set_header.go | 66 ++++--- ...ient_egress_l7_tls_deny_without_headers.go | 43 +++-- .../factory/client_egress_l7_tls_headers.go | 41 +++-- .../factory/client_egress_to_cidr_deny.go | 51 +++--- .../client_egress_to_cidr_deny_default.go | 47 +++-- .../factory/client_egress_to_echo_deny.go | 63 ++++--- .../client_egress_to_echo_expression_deny.go | 61 +++--- .../client_egress_to_echo_service_account.go | 53 +++--- ...ent_egress_to_echo_service_account_deny.go | 57 +++--- connectivity/factory/client_ingress.go | 49 ++--- ...ent_ingress_from_other_client_icmp_deny.go | 63 ++++--- connectivity/factory/client_ingress_icmp.go | 51 +++--- connectivity/factory/client_ingress_knp.go | 49 ++--- .../client_ingress_to_echo_named_port_deny.go | 59 +++--- ...ent_with_service_account_egress_to_echo.go | 41 +++-- ...ith_service_account_egress_to_echo_deny.go | 59 +++--- connectivity/factory/cluster_entity.go | 41 +++-- .../factory/cluster_entity_multi_cluster.go | 33 ++-- connectivity/factory/dns_only.go | 41 +++-- connectivity/factory/echo_ingress.go | 43 +++-- 
.../factory/echo_ingress_auth_always_fail.go | 49 ++--- .../echo_ingress_from_other_client_deny.go | 61 +++--- .../factory/echo_ingress_from_outside.go | 43 +++-- connectivity/factory/echo_ingress_knp.go | 53 +++--- connectivity/factory/echo_ingress_l7.go | 71 +++---- .../factory/echo_ingress_l7_named_port.go | 71 +++---- .../echo_ingress_mutual_auth_spiffe.go | 39 ++-- connectivity/factory/egress_gateway.go | 47 ++--- .../factory/egress_gateway_excluded_cidrs.go | 41 +++-- connectivity/factory/factory.go | 173 +++++++++--------- connectivity/factory/from_cidr_host_netns.go | 33 ++-- connectivity/factory/health.go | 27 ++- connectivity/factory/host_entity_egress.go | 43 +++-- connectivity/factory/host_entity_ingress.go | 37 ++-- connectivity/factory/network_perf.go | 21 ++- .../factory/no_interrupted_connections.go | 21 ++- connectivity/factory/no_ipsec_xfrm_errors.go | 23 ++- connectivity/factory/no_policies.go | 43 +++-- connectivity/factory/no_policies_extra.go | 31 ++-- .../factory/no_policies_from_outside.go | 25 ++- .../factory/no_unexpected_packet_drops.go | 25 ++- .../factory/node_to_node_encryption.go | 35 ++-- .../factory/north_south_loadbalancing.go | 29 +-- ...orth_south_loadbalancing_with_l7_policy.go | 49 ++--- .../factory/outside_to_ingress_service.go | 29 +-- ...ide_to_ingress_service_deny_all_ingress.go | 39 ++-- .../outside_to_ingress_service_deny_cidr.go | 39 ++-- ..._to_ingress_service_deny_world_identity.go | 49 ++--- .../factory/pod_to_controlplane_host.go | 33 ++-- .../factory/pod_to_controlplane_host_cidr.go | 29 +-- .../factory/pod_to_ingress_service.go | 27 ++- ..._ingress_service_allow_ingress_identity.go | 39 ++-- .../pod_to_ingress_service_deny_all.go | 33 ++-- ...to_ingress_service_deny_backend_service.go | 43 +++-- ...o_ingress_service_deny_ingress_identity.go | 43 +++-- .../factory/pod_to_k8s_on_controlplane.go | 33 ++-- .../pod_to_k8s_on_controlplane_cidr.go | 25 ++- .../factory/pod_to_node_cidrpolicy.go | 31 ++-- 
connectivity/factory/pod_to_pod_encryption.go | 29 +-- connectivity/factory/to_cidr_external.go | 47 +++-- connectivity/factory/to_cidr_external_knp.go | 47 +++-- connectivity/factory/to_entities_world.go | 51 +++--- connectivity/factory/to_fqdns.go | 87 +++++---- 80 files changed, 2118 insertions(+), 1603 deletions(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index e2845b75a6..5be49cccbc 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -31,6 +31,85 @@
 /connectivity/check/ipcache.go @cilium/ipcache
 /connectivity/check/metrics*.go @cilium/metrics
 /connectivity/check/policy.go @cilium/sig-policy
+/connectivity/factory/all_egress_deny.go @cilium/ci-structure
+/connectivity/factory/all_egress_deny_knp.go @cilium/ci-structure
+/connectivity/factory/all_entities_deny.go @cilium/ci-structure
+/connectivity/factory/all_ingress_deny.go @cilium/ci-structure
+/connectivity/factory/all_ingress_deny_from_outside.go @cilium/ci-structure
+/connectivity/factory/all_ingress_deny_knp.go @cilium/ci-structure
+/connectivity/factory/allow_all_except_world.go @cilium/ci-structure
+/connectivity/factory/allow_all_with_metrics_check.go @cilium/ci-structure
+/connectivity/factory/check_log_errors.go @cilium/ci-structure
+/connectivity/factory/client_egress.go @cilium/ci-structure
+/connectivity/factory/client_egress_expression.go @cilium/ci-structure
+/connectivity/factory/client_egress_expression_knp.go @cilium/ci-structure
+/connectivity/factory/client_egress_knp.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7_method.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7_named_port.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7_set_header.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7_tls_deny_without_headers.go @cilium/ci-structure
+/connectivity/factory/client_egress_l7_tls_headers.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_cidr_deny.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_cidr_deny_default.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_echo_deny.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_echo_expression_deny.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_echo_service_account.go @cilium/ci-structure
+/connectivity/factory/client_egress_to_echo_service_account_deny.go @cilium/ci-structure
+/connectivity/factory/client_ingress.go @cilium/ci-structure
+/connectivity/factory/client_ingress_from_other_client_icmp_deny.go @cilium/ci-structure
+/connectivity/factory/client_ingress_icmp.go @cilium/ci-structure
+/connectivity/factory/client_ingress_knp.go @cilium/ci-structure
+/connectivity/factory/client_ingress_to_echo_named_port_deny.go @cilium/ci-structure
+/connectivity/factory/client_with_service_account_egress_to_echo.go @cilium/ci-structure
+/connectivity/factory/client_with_service_account_egress_to_echo_deny.go @cilium/ci-structure
+/connectivity/factory/cluster_entity.go @cilium/ci-structure
+/connectivity/factory/cluster_entity_multi_cluster.go @cilium/ci-structure
+/connectivity/factory/dns_only.go @cilium/ci-structure
+/connectivity/factory/echo_ingress.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_auth_always_fail.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_from_other_client_deny.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_from_outside.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_knp.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_l7.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_l7_named_port.go @cilium/ci-structure
+/connectivity/factory/echo_ingress_mutual_auth_spiffe.go @cilium/ci-structure
+/connectivity/factory/egress_gateway.go @cilium/ci-structure
+/connectivity/factory/egress_gateway_excluded_cidrs.go @cilium/ci-structure
+/connectivity/factory/factory.go @cilium/ci-structure
+/connectivity/factory/from_cidr_host_netns.go @cilium/ci-structure
+/connectivity/factory/health.go @cilium/ci-structure
+/connectivity/factory/host_entity_egress.go @cilium/ci-structure
+/connectivity/factory/host_entity_ingress.go @cilium/ci-structure
+/connectivity/factory/network_perf.go @cilium/ci-structure
+/connectivity/factory/no_interrupted_connections.go @cilium/ci-structure
+/connectivity/factory/no_ipsec_xfrm_errors.go @cilium/ci-structure
+/connectivity/factory/no_policies.go @cilium/ci-structure
+/connectivity/factory/no_policies_extra.go @cilium/ci-structure
+/connectivity/factory/no_policies_from_outside.go @cilium/ci-structure
+/connectivity/factory/no_unexpected_packet_drops.go @cilium/ci-structure
+/connectivity/factory/node_to_node_encryption.go @cilium/ci-structure
+/connectivity/factory/north_south_loadbalancing.go @cilium/ci-structure
+/connectivity/factory/north_south_loadbalancing_with_l7_policy.go @cilium/ci-structure
+/connectivity/factory/outside_to_ingress_service.go @cilium/ci-structure
+/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go @cilium/ci-structure
+/connectivity/factory/outside_to_ingress_service_deny_cidr.go @cilium/ci-structure
+/connectivity/factory/outside_to_ingress_service_deny_world_identity.go @cilium/ci-structure
+/connectivity/factory/pod_to_controlplane_host.go @cilium/ci-structure
+/connectivity/factory/pod_to_controlplane_host_cidr.go @cilium/ci-structure
+/connectivity/factory/pod_to_ingress_service.go @cilium/ci-structure
+/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go @cilium/ci-structure
+/connectivity/factory/pod_to_ingress_service_deny_all.go @cilium/ci-structure
+/connectivity/factory/pod_to_ingress_service_deny_backend_service.go @cilium/ci-structure
+/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go @cilium/ci-structure
+/connectivity/factory/pod_to_k8s_on_controlplane.go @cilium/ci-structure
+/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go @cilium/ci-structure
+/connectivity/factory/pod_to_node_cidrpolicy.go @cilium/ci-structure
+/connectivity/factory/pod_to_pod_encryption.go @cilium/ci-structure
+/connectivity/factory/to_cidr_external.go @cilium/ci-structure
+/connectivity/factory/to_cidr_external_knp.go @cilium/ci-structure
+/connectivity/factory/to_entities_world.go @cilium/ci-structure
+/connectivity/factory/to_fqdns.go @cilium/ci-structure
 /connectivity/tests/egressgateway.go @cilium/egress-gateway
 /connectivity/tests/encryption.go @cilium/sig-encryption
 /connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
diff --git a/connectivity/factory/all_egress_deny.go b/connectivity/factory/all_egress_deny.go
index 5e951a46e7..e15374b83b 100644
--- a/connectivity/factory/all_egress_deny.go
+++ b/connectivity/factory/all_egress_deny.go
@@ -6,29 +6,34 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/deny-all-egress.yaml - denyAllEgressPolicyYAML string - - allEgressDeny = factory{ - name: "all-egress-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies all egresses by default - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(denyAllEgressPolicyYAML). - WithScenarios( - tests.PodToPod(), - tests.PodToPodWithEndpoints(), - ). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/deny-all-egress.yaml +var denyAllEgressPolicyYAML string + +type allEgressDeny struct{} + +func (t allEgressDeny) name() string { + return "all-egress-deny" +} + +func (t allEgressDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies all egresses by default + newTest(t.name(), ct). + WithCiliumPolicy(denyAllEgressPolicyYAML). + WithScenarios( + tests.PodToPod(), + tests.PodToPodWithEndpoints(), + ). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) +}
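Review bot: The 79 added entries name every file under /connectivity/factory/ individually, so a test file added to that directory later has no owner until someone remembers to extend this list, and review routing for new factory tests silently falls back to whatever broader rule applies. A single directory pattern `/connectivity/factory/ @cilium/ci-structure` covers the existing files and future ones alike and is one line instead of 79. The surrounding /connectivity/check/ and /connectivity/tests/ entries are also per-file, so this may be a deliberate convention in this repository; if it is, a comment above the block saying so would stop the next reviewer from asking the same question.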
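Review bot: `shouldRun` on the new `allEgressDeny` type is a three-line stub returning true, and the identical stub (plus the semver import it requires) is repeated in all_egress_deny_knp.go, all_entities_deny.go, all_ingress_deny.go, all_ingress_deny_knp.go, allow_all_except_world.go, allow_all_with_metrics_check.go, client_egress.go, client_egress_expression.go and client_egress_expression_knp.go, replacing the single shared `condition: runAlways` the struct form had. Presumably `shouldRun` is a method of the interface declared in factory.go, which is outside this chunk; if so, an embeddable helper keeps one definition: `type alwaysRun struct{}` / `func (alwaysRun) shouldRun(semver.Version, check.Parameters) bool { return true }` / `type allEgressDeny struct{ alwaysRun }`, and the per-file semver import goes away with it. Independently, none of the new types carry a doc comment; a one-liner such as `// allEgressDeny checks that a deny-all egress policy drops pod-to-pod traffic with a default-deny egress verdict.` would make the factory registry readable without opening each manifest.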
diff --git a/connectivity/factory/all_egress_deny_knp.go b/connectivity/factory/all_egress_deny_knp.go index d225b17449..646c6de896 100644 --- a/connectivity/factory/all_egress_deny_knp.go +++ b/connectivity/factory/all_egress_deny_knp.go @@ -6,29 +6,34 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/deny-all-egress-knp.yaml - denyAllEgressPolicyKNPYAML string - - allEgressDenyKnp = factory{ - name: "all-egress-deny-knp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies all egresses by default using KNP. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithK8SPolicy(denyAllEgressPolicyKNPYAML). - WithScenarios( - tests.PodToPod(), - tests.PodToPodWithEndpoints(), - ). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/deny-all-egress-knp.yaml +var denyAllEgressPolicyKNPYAML string + +type allEgressDenyKnp struct{} + +func (t allEgressDenyKnp) name() string { + return "all-egress-deny-knp" +} + +func (t allEgressDenyKnp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allEgressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies all egresses by default using KNP. + newTest(t.name(), ct). + WithK8SPolicy(denyAllEgressPolicyKNPYAML). + WithScenarios( + tests.PodToPod(), + tests.PodToPodWithEndpoints(), + ). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) +} diff --git a/connectivity/factory/all_entities_deny.go b/connectivity/factory/all_entities_deny.go index 55b65414dd..9186355361 100644 
--- a/connectivity/factory/all_entities_deny.go +++ b/connectivity/factory/all_entities_deny.go @@ -6,29 +6,34 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/deny-all-entities.yaml - denyAllEntitiesPolicyYAML string - - allEntitiesDeny = factory{ - name: "all-entities-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies all entities by default - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(denyAllEntitiesPolicyYAML). - WithScenarios( - tests.PodToPod(), - tests.PodToCIDR(), - ). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/deny-all-entities.yaml +var denyAllEntitiesPolicyYAML string + +type allEntitiesDeny struct{} + +func (t allEntitiesDeny) name() string { + return "all-entities-deny" +} + +func (t allEntitiesDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allEntitiesDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies all entities by default + newTest(t.name(), ct). + WithCiliumPolicy(denyAllEntitiesPolicyYAML). + WithScenarios( + tests.PodToPod(), + tests.PodToCIDR(), + ). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + }) +} diff --git a/connectivity/factory/all_ingress_deny.go b/connectivity/factory/all_ingress_deny.go index 105b4c954a..81efbaefa2 100644 --- a/connectivity/factory/all_ingress_deny.go +++ b/connectivity/factory/all_ingress_deny.go 
@@ -4,32 +4,39 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var allIngressDeny = factory{ - name: "all-ingress-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies all ingresses by default. - // - // 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed), - // but then at the destination there is ingress policy that denies the traffic. - // 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed), - // then when replies come back, they are considered as "replies" to the outbound connection. - // so they are not subject to ingress policy. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(denyAllIngressPolicyYAML). - WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || - a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { - return check.ResultOK, check.ResultNone - } - return check.ResultDrop, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, +type allIngressDeny struct{} + +func (t allIngressDeny) name() string { + return "all-ingress-deny" +} + +func (t allIngressDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies all ingresses by default. + // + // 1. 
Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed), + // but then at the destination there is ingress policy that denies the traffic. + // 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed), + // then when replies come back, they are considered as "replies" to the outbound connection. + // so they are not subject to ingress policy. + newTest(t.name(), ct). + WithCiliumPolicy(denyAllIngressPolicyYAML). + WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || + a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { + return check.ResultOK, check.ResultNone + } + return check.ResultDrop, check.ResultDefaultDenyIngressDrop + }) } diff --git a/connectivity/factory/all_ingress_deny_from_outside.go b/connectivity/factory/all_ingress_deny_from_outside.go index cd44bdc065..855a8d5a2c 100644 --- a/connectivity/factory/all_ingress_deny_from_outside.go +++ b/connectivity/factory/all_ingress_deny_from_outside.go 
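Review bot: The expectation closure in `build` (accept when the destination is `ExternalOtherIP` or `ExternalIP`, otherwise `ResultDrop`/`ResultDefaultDenyIngressDrop`) is duplicated byte-for-byte in all_ingress_deny_from_outside.go and all_ingress_deny_knp.go in this same commit. The three files live in one package and each `build` already receives `ct`, so a package-level helper returning the closure keeps the variants in sync if the external-IP handling ever changes, and it is the natural home for the reply-traffic explanation that is currently inlined above the chain. The fence below shows the helper and the one changed line in `build`; the other two files would call the same helper.

```go
func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
	// … unchanged: explanatory comment, newTest(...).WithCiliumPolicy(...).WithScenarios(...) chain …
		WithExpectations(ingressDenyExceptExternal(ct))
}

// ingressDenyExceptExternal returns the expectation shared by the all-ingress-deny
// variants: connections to the cluster-external test IPs succeed because replies to
// pod-originated traffic are not subject to ingress policy; every other destination
// is dropped by the default-deny ingress policy.
func ingressDenyExceptExternal(ct *check.ConnectivityTest) func(*check.Action) (check.Result, check.Result) {
	return func(a *check.Action) (egress, ingress check.Result) {
		if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
			a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
			return check.ResultOK, check.ResultNone
		}
		return check.ResultDrop, check.ResultDefaultDenyIngressDrop
	}
}
```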
@@ -11,22 +11,27 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var allIngressDenyFromOutside = factory{ - name: "all-ingress-deny-from-outside", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(denyAllIngressPolicyYAML). - WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). - WithIPRoutesFromOutsideToPodCIDRs(). - WithScenarios(tests.FromCIDRToPod()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || - a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { - return check.ResultOK, check.ResultNone - } - return check.ResultDrop, check.ResultDefaultDenyIngressDrop - }) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests }, +type allIngressDenyFromOutside struct{} + +func (t allIngressDenyFromOutside) name() string { + return "all-ingress-deny-from-outside" +} + +func (t allIngressDenyFromOutside) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeUnsafeTests +} + +func (t allIngressDenyFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithCiliumPolicy(denyAllIngressPolicyYAML). + WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). + WithIPRoutesFromOutsideToPodCIDRs(). + WithScenarios(tests.FromCIDRToPod()). 
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || + a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { + return check.ResultOK, check.ResultNone + } + return check.ResultDrop, check.ResultDefaultDenyIngressDrop + }) } diff --git a/connectivity/factory/all_ingress_deny_knp.go b/connectivity/factory/all_ingress_deny_knp.go index 6119abb1c9..29b4f7aa0a 100644 --- a/connectivity/factory/all_ingress_deny_knp.go +++ b/connectivity/factory/all_ingress_deny_knp.go 
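Review bot: `shouldRun` gates this test behind `params.IncludeUnsafeTests` without saying why, and the old `condition` closure it replaces did not either, so a reader of the factory cannot tell what makes this particular test unsafe while its sibling all_ingress_deny.go runs unconditionally. A one-line comment on the method would settle it, e.g. `// shouldRun only with IncludeUnsafeTests — presumably because WithIPRoutesFromOutsideToPodCIDRs changes routing on the node without Cilium; confirm.` The `WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium))` line is the only hint on the page, so the reason should be stated rather than left to inference.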
@@ -6,39 +6,44 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/deny-all-ingress-knp.yaml - denyAllIngressPolicyKNPYAML string - - allIngressDenyKnp = factory{ - name: "all-ingress-deny-knp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies all ingresses by default - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithK8SPolicy(denyAllIngressPolicyKNPYAML). - WithScenarios( - // Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed), - // but then at the destination there is ingress policy that denies the traffic. - tests.PodToPod(), - // Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed), - // then when replies come back, they are considered as "replies" to the outbound connection. - // so they are not subject to ingress policy. - tests.PodToCIDR(tests.WithRetryAll()), - ). 
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || - a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { - return check.ResultOK, check.ResultNone - } - return check.ResultDrop, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, - } -) +//go:embed manifests/deny-all-ingress-knp.yaml +var denyAllIngressPolicyKNPYAML string + +type allIngressDenyKnp struct{} + +func (t allIngressDenyKnp) name() string { + return "all-ingress-deny-knp" +} + +func (t allIngressDenyKnp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allIngressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies all ingresses by default + newTest(t.name(), ct). + WithK8SPolicy(denyAllIngressPolicyKNPYAML). + WithScenarios( + // Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed), + // but then at the destination there is ingress policy that denies the traffic. + tests.PodToPod(), + // Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed), + // then when replies come back, they are considered as "replies" to the outbound connection. + // so they are not subject to ingress policy. + tests.PodToCIDR(tests.WithRetryAll()), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP || + a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { + return check.ResultOK, check.ResultNone + } + return check.ResultDrop, check.ResultDefaultDenyIngressDrop + }) +} 
diff --git a/connectivity/factory/allow_all_except_world.go b/connectivity/factory/allow_all_except_world.go index 9f5a89922b..9a7a3ea9c7 100644 --- a/connectivity/factory/allow_all_except_world.go +++ b/connectivity/factory/allow_all_except_world.go 
@@ -6,34 +6,39 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/allow-all-except-world.yaml - allowAllExceptWorldPolicyYAML string - - allowAllExceptWorld = factory{ - name: "allow-all-except-world", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test with an allow-all-except-world (and unmanaged) policy. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllExceptWorldPolicyYAML). - WithScenarios( - tests.PodToPod(), - tests.ClientToClient(), - tests.PodToService(), - // We are skipping the following checks because NodePort is - // intended to be used for N-S traffic, which conflicts with - // policies. See GH-17144. - // tests.PodToRemoteNodePort(), - // tests.PodToLocalNodePort(), - tests.PodToHost(), - tests.PodToExternalWorkload(), - ) - }, - condition: runAlways, - } -) +//go:embed manifests/allow-all-except-world.yaml +var allowAllExceptWorldPolicyYAML string + +type allowAllExceptWorld struct{} + +func (t allowAllExceptWorld) name() string { + return "allow-all-except-world" +} + +func (t allowAllExceptWorld) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allowAllExceptWorld) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test with an allow-all-except-world (and unmanaged) policy. + newTest(t.name(), ct). + WithCiliumPolicy(allowAllExceptWorldPolicyYAML). + WithScenarios( + tests.PodToPod(), + tests.ClientToClient(), + tests.PodToService(), + // We are skipping the following checks because NodePort is + // intended to be used for N-S traffic, which conflicts with + // policies. See GH-17144. + // tests.PodToRemoteNodePort(), + // tests.PodToLocalNodePort(), + tests.PodToHost(), + tests.PodToExternalWorkload(), + ) +} 
diff --git a/connectivity/factory/allow_all_with_metrics_check.go b/connectivity/factory/allow_all_with_metrics_check.go index efe9ee61df..7143dc8e0f 100644 --- a/connectivity/factory/allow_all_with_metrics_check.go +++ b/connectivity/factory/allow_all_with_metrics_check.go @@ -4,21 +4,28 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var allowAllWithMetricsCheck = factory{ - name: "allow-all-with-metrics-check", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows traffic pod to pod and checks if the metric cilium_forward_count_total increases on cilium agent. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios(tests.PodToPod()). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total"), - check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total") - }) - }, - condition: runAlways, +type allowAllWithMetricsCheck struct{} + +func (t allowAllWithMetricsCheck) name() string { + return "allow-all-with-metrics-check" +} + +func (t allowAllWithMetricsCheck) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t allowAllWithMetricsCheck) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows traffic pod to pod and checks if the metric cilium_forward_count_total increases on cilium agent. + newTest(t.name(), ct). + WithScenarios(tests.PodToPod()). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total"), + check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total") + }) } 
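Review bot: The two return values of the `WithExpectations` closure are the same expression, `check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")`, evaluated twice per action. Binding it once reads better and makes the intent explicit that egress and ingress expect the identical metric increase: `r := check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")` followed by `return r, r`. This assumes the returned Result is a plain value that the caller does not mutate, which is not visible in this chunk; if it holds a slice that is later appended to, keep the two calls.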
diff --git a/connectivity/factory/check_log_errors.go b/connectivity/factory/check_log_errors.go index ccac4a2a91..40accaf86f 100644 --- a/connectivity/factory/check_log_errors.go +++ b/connectivity/factory/check_log_errors.go @@ -12,15 +12,18 @@ import ( "github.com/cilium/cilium-cli/connectivity/tests" ) -var checkLogErrors = factory{ - name: "check-log-errors", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithSysdumpPolicy(check.SysdumpPolicyOnce). - WithScenarios(tests.NoErrorsInLogs(ct.CiliumVersion)) - }, - condition: func(version semver.Version, params check.Parameters) bool { - return versioncheck.MustCompile(">=1.14.0")(version) || params.IncludeUnsafeTests - }, +type checkLogErrors struct{} + +func (t checkLogErrors) name() string { + return "check-log-errors" +} + +func (t checkLogErrors) shouldRun(version semver.Version, params check.Parameters) bool { + return versioncheck.MustCompile(">=1.14.0")(version) || params.IncludeUnsafeTests +} + +func (t checkLogErrors) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithSysdumpPolicy(check.SysdumpPolicyOnce). + WithScenarios(tests.NoErrorsInLogs(ct.CiliumVersion)) } diff --git a/connectivity/factory/client_egress.go b/connectivity/factory/client_egress.go index 960238703c..8b94874c93 100644 --- a/connectivity/factory/client_egress.go +++ b/connectivity/factory/client_egress.go 
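Review bot: `shouldRun` calls `versioncheck.MustCompile(">=1.14.0")` on every invocation, so the constraint is re-parsed each time the factory consults it, and a malformed constraint would only panic at the first call rather than at package init. Hoist it as the regexp convention does: `var checkLogErrorsMinVersion = versioncheck.MustCompile(">=1.14.0")` at package scope and `return checkLogErrorsMinVersion(version) || params.IncludeUnsafeTests` in `shouldRun`. The old `condition` closure had the same shape, so this is carried over rather than introduced, but the method form is the right moment to fix it.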
@@ -6,23 +6,28 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo.yaml - clientEgressToEchoPolicyYAML string - - clientEgress = factory{ - name: "client-egress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client to echo, so this should succeed - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientEgressToEchoPolicyYAML). - WithScenarios(tests.PodToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo.yaml +var clientEgressToEchoPolicyYAML string + +type clientEgress struct{} + +func (t clientEgress) name() string { + return "client-egress" +} + +func (t clientEgress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgress) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client to echo, so this should succeed + newTest(t.name(), ct). + WithCiliumPolicy(clientEgressToEchoPolicyYAML). + WithScenarios(tests.PodToPod()) +} diff --git a/connectivity/factory/client_egress_expression.go b/connectivity/factory/client_egress_expression.go index 878d6c3a52..2a162759be 100644 --- a/connectivity/factory/client_egress_expression.go +++ b/connectivity/factory/client_egress_expression.go 
@@ -6,23 +6,28 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-expression.yaml - clientEgressToEchoExpressionPolicyYAML string - - clientEgressExpression = factory{ - name: "client-egress-expression", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client to echo (using label match expression, so this should succeed - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientEgressToEchoExpressionPolicyYAML). - WithScenarios(tests.PodToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-expression.yaml +var clientEgressToEchoExpressionPolicyYAML string + +type clientEgressExpression struct{} + +func (t clientEgressExpression) name() string { + return "client-egress-expression" +} + +func (t clientEgressExpression) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressExpression) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client to echo (using label match expression, so this should succeed + newTest(t.name(), ct). + WithCiliumPolicy(clientEgressToEchoExpressionPolicyYAML). + WithScenarios(tests.PodToPod()) +} diff --git a/connectivity/factory/client_egress_expression_knp.go b/connectivity/factory/client_egress_expression_knp.go index d37e3d93dc..0217c017fd 100644 --- a/connectivity/factory/client_egress_expression_knp.go +++ b/connectivity/factory/client_egress_expression_knp.go 
@@ -6,23 +6,28 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-expression-knp.yaml - clientEgressToEchoExpressionPolicyKNPYAML string - - clientEgressExpressionKnp = factory{ - name: "client-egress-expression-knp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client to echo (using label match expression, so this should succeed - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithK8SPolicy(clientEgressToEchoExpressionPolicyKNPYAML). - WithScenarios(tests.PodToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-expression-knp.yaml +var clientEgressToEchoExpressionPolicyKNPYAML string + +type clientEgressExpressionKnp struct{} + +func (t clientEgressExpressionKnp) name() string { + return "client-egress-expression-knp" +} + +func (t clientEgressExpressionKnp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressExpressionKnp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client to echo (using label match expression, so this should succeed + newTest(t.name(), ct). + WithK8SPolicy(clientEgressToEchoExpressionPolicyKNPYAML). + WithScenarios(tests.PodToPod()) +} diff --git a/connectivity/factory/client_egress_knp.go b/connectivity/factory/client_egress_knp.go index 78f38c64f5..cf6a899c7b 100644 --- a/connectivity/factory/client_egress_knp.go +++ b/connectivity/factory/client_egress_knp.go 
@@ -6,23 +6,28 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-knp.yaml - clientEgressToEchoPolicyKNPYAML string - - clientEgressKnp = factory{ - name: "client-egress-knp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client to echo, so this should succeed - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithK8SPolicy(clientEgressToEchoPolicyKNPYAML). - WithScenarios(tests.PodToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-knp.yaml +var clientEgressToEchoPolicyKNPYAML string + +type clientEgressKnp struct{} + +func (t clientEgressKnp) name() string { + return "client-egress-knp" +} + +func (t clientEgressKnp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressKnp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client to echo, so this should succeed + newTest(t.name(), ct). + WithK8SPolicy(clientEgressToEchoPolicyKNPYAML). + WithScenarios(tests.PodToPod()) +} diff --git a/connectivity/factory/client_egress_l7.go b/connectivity/factory/client_egress_l7.go index b7e41af079..7545a1efed 100644 --- a/connectivity/factory/client_egress_l7.go +++ b/connectivity/factory/client_egress_l7.go 
@@ -4,42 +4,49 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressL7 = factory{ - name: "client-egress-l7", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Test L7 HTTP introspection using an egress policy on the clients. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only - WithCiliumPolicy(templates["clientEgressL7HTTPPolicyYAML"]). // L7 allow policy with HTTP introspection - WithScenarios( - tests.PodToPod(), - tests.PodToWorld(tests.WithRetryDestPort(80), tests.WithRetryPodLabel("other", "client")), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. - // Outbound HTTP to set domain-name defaults to one.one.one.one is L7-introspected and allowed. - (a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(ct.Params().ExternalTarget)) == ct.Params().ExternalTarget || - a.Destination().Port() == 8080) { // 8080 is traffic to echo Pod. - if a.Destination().Path() == "/" || a.Destination().Path() == "" { - egress = check.ResultOK - // Expect all curls from client2 to be proxied and to be GET calls. 
- egress.HTTP = check.HTTP{ - Method: "GET", - } - return egress, check.ResultNone +type clientEgressL7 struct{} + +func (t clientEgressL7) name() string { + return "client-egress-l7" +} + +func (t clientEgressL7) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7) build(ct *check.ConnectivityTest, templates map[string]string) { + // Test L7 HTTP introspection using an egress policy on the clients. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only + WithCiliumPolicy(templates["clientEgressL7HTTPPolicyYAML"]). // L7 allow policy with HTTP introspection + WithScenarios( + tests.PodToPod(), + tests.PodToWorld(tests.WithRetryDestPort(80), tests.WithRetryPodLabel("other", "client")), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. + // Outbound HTTP to set domain-name defaults to one.one.one.one is L7-introspected and allowed. + (a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(ct.Params().ExternalTarget)) == ct.Params().ExternalTarget || + a.Destination().Port() == 8080) { // 8080 is traffic to echo Pod. + if a.Destination().Path() == "/" || a.Destination().Path() == "" { + egress = check.ResultOK + // Expect all curls from client2 to be proxied and to be GET calls. + egress.HTTP = check.HTTP{ + Method: "GET", } - // Else expect HTTP drop by proxy - return check.ResultDNSOKDropCurlHTTPError, check.ResultNone + return egress, check.ResultNone } - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, + // Else expect HTTP drop by proxy + return check.ResultDNSOKDropCurlHTTPError, check.ResultNone + } + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) } 
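Review bot: The condition in the expectation closure mixes `&&` and `||` without grouping, so a reader must recall that `&&` binds tighter to see that the port-80 branch also requires the external-target address while the port-8080 branch does not; explicit parentheses, `((a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(ct.Params().ExternalTarget)) == ct.Params().ExternalTarget) || a.Destination().Port() == 8080)`, make that visible. The same closure appears almost verbatim in the client_egress_l7_named_port hunk below; one package-level helper taking `ct` and returning the expectation func would keep the two tests from drifting. The named result `ingress` is never assigned and every return spells out `check.ResultNone`, so unnamed results would read cleaner. None of this is introduced by the refactor, but the move is a convenient point to tidy it.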
diff --git a/connectivity/factory/client_egress_l7_method.go b/connectivity/factory/client_egress_l7_method.go index e99dd7dfe2..7b374728c5 100644 --- a/connectivity/factory/client_egress_l7_method.go +++ b/connectivity/factory/client_egress_l7_method.go 
@@ -6,45 +6,50 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/client-egress-l7-http-method.yaml - clientEgressL7HTTPMethodPolicyYAML string - - clientEgressL7Method = factory{ - name: "client-egress-l7-method", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test L7 HTTP with different methods introspection using an egress policy on the clients. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only - WithCiliumPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (POST only) - WithScenarios( - tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})), - tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. - (a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod. 
- if a.Destination().HasLabel("other", "echo") { //we are POSTing only other echo - egress = check.ResultOK - - egress.HTTP = check.HTTP{ - Method: "POST", - } - return egress, check.ResultNone - } - // Else expect HTTP drop by proxy - return check.ResultDropCurlHTTPError, check.ResultNone +//go:embed manifests/client-egress-l7-http-method.yaml +var clientEgressL7HTTPMethodPolicyYAML string + +type clientEgressL7Method struct{} + +func (t clientEgressL7Method) name() string { + return "client-egress-l7-method" +} + +func (t clientEgressL7Method) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7Method) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test L7 HTTP with different methods introspection using an egress policy on the clients. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only + WithCiliumPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (POST only) + WithScenarios( + tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})), + tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. + (a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod. 
+ if a.Destination().HasLabel("other", "echo") { //we are POSTing only other echo + egress = check.ResultOK + + egress.HTTP = check.HTTP{ + Method: "POST", } - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) + return egress, check.ResultNone + } + // Else expect HTTP drop by proxy + return check.ResultDropCurlHTTPError, check.ResultNone + } + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) +} diff --git a/connectivity/factory/client_egress_l7_named_port.go b/connectivity/factory/client_egress_l7_named_port.go index a5c4329746..e7ecf33405 100644 --- a/connectivity/factory/client_egress_l7_named_port.go +++ b/connectivity/factory/client_egress_l7_named_port.go 
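Review bot: The nested branch comment `//we are POSTing only other echo` has no space after the slashes and the guard `(a.Destination().Port() == 8080)` carries redundant parentheses; gofmt leaves both as-is, so they are worth tidying by hand to `a.Destination().Port() == 8080 { // port 8080 is traffic to echo Pod.` and `// we are POSTing only to the "other" echo`. The blank line between `egress = check.ResultOK` and the `egress.HTTP = check.HTTP{...}` assignment splits one result into two halves and could go. These lines are moved rather than new, but they are the only copy left after the commit.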
@@ -4,42 +4,49 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressL7NamedPort = factory{ - name: "client-egress-l7-named-port", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Test L7 HTTP named port introspection using an egress policy on the clients. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only - WithCiliumPolicy(templates["clientEgressL7HTTPNamedPortPolicyYAML"]). // L7 allow policy with HTTP introspection (named port) - WithScenarios( - tests.PodToPod(), - tests.PodToWorld(tests.WithRetryDestPort(80), tests.WithRetryPodLabel("other", "client")), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. - // Outbound HTTP to domain-name, default one.one.one.one, is L7-introspected and allowed. - (a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(ct.Params().ExternalTarget)) == ct.Params().ExternalTarget || - a.Destination().Port() == 8080) { // named port http-8080 is traffic to echo Pod. - if a.Destination().Path() == "/" || a.Destination().Path() == "" { - egress = check.ResultOK - // Expect all curls from client2 to be proxied and to be GET calls. 
- egress.HTTP = check.HTTP{ - Method: "GET", - } - return egress, check.ResultNone +type clientEgressL7NamedPort struct{} + +func (t clientEgressL7NamedPort) name() string { + return "client-egress-l7-named-port" +} + +func (t clientEgressL7NamedPort) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7NamedPort) build(ct *check.ConnectivityTest, templates map[string]string) { + // Test L7 HTTP named port introspection using an egress policy on the clients. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only + WithCiliumPolicy(templates["clientEgressL7HTTPNamedPortPolicyYAML"]). // L7 allow policy with HTTP introspection (named port) + WithScenarios( + tests.PodToPod(), + tests.PodToWorld(tests.WithRetryDestPort(80), tests.WithRetryPodLabel("other", "client")), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls. + // Outbound HTTP to domain-name, default one.one.one.one, is L7-introspected and allowed. + (a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(ct.Params().ExternalTarget)) == ct.Params().ExternalTarget || + a.Destination().Port() == 8080) { // named port http-8080 is traffic to echo Pod. + if a.Destination().Path() == "/" || a.Destination().Path() == "" { + egress = check.ResultOK + // Expect all curls from client2 to be proxied and to be GET calls. 
+ egress.HTTP = check.HTTP{ + Method: "GET", } - // Else expect HTTP drop by proxy - return check.ResultDNSOKDropCurlHTTPError, check.ResultNone + return egress, check.ResultNone } - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, + // Else expect HTTP drop by proxy + return check.ResultDNSOKDropCurlHTTPError, check.ResultNone + } + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) } diff --git a/connectivity/factory/client_egress_l7_set_header.go b/connectivity/factory/client_egress_l7_set_header.go index e84ade42c6..0be0f51590 100644 --- a/connectivity/factory/client_egress_l7_set_header.go +++ b/connectivity/factory/client_egress_l7_set_header.go @@ -4,6 +4,7 @@ package factory import ( + "github.com/blang/semver/v4" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -12,34 +13,39 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressL7SetHeader = factory{ - name: "client-egress-l7-set-header", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Test L7 HTTP with a header replace set in the policy - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). - WithSecret(&corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "header-match", - }, - Data: map[string][]byte{ - "value": []byte("Bearer 123456"), - }, - }). - WithCiliumPolicy(templates["clientEgressL7HTTPMatchheaderSecretYAML"]). // L7 allow policy with HTTP introspection (POST only) - WithScenarios( - tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})), - tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && // Only client2 has the header policy. - (a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod. 
- return check.ResultOK, check.ResultNone - } - return check.ResultCurlHTTPError, check.ResultNone // if the header is not set the request will get a 401 - }) - }, - condition: runAlways, +type clientEgressL7SetHeader struct{} + +func (t clientEgressL7SetHeader) name() string { + return "client-egress-l7-set-header" +} + +func (t clientEgressL7SetHeader) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7SetHeader) build(ct *check.ConnectivityTest, templates map[string]string) { + // Test L7 HTTP with a header replace set in the policy + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). + WithSecret(&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "header-match", + }, + Data: map[string][]byte{ + "value": []byte("Bearer 123456"), + }, + }). + WithCiliumPolicy(templates["clientEgressL7HTTPMatchheaderSecretYAML"]). // L7 allow policy with HTTP introspection (POST only) + WithScenarios( + tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})), + tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithPath("auth-header-required"), tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && // Only client2 has the header policy. + (a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod. + return check.ResultOK, check.ResultNone + } + return check.ResultCurlHTTPError, check.ResultNone // if the header is not set the request will get a 401 + }) } diff --git a/connectivity/factory/client_egress_l7_tls_deny_without_headers.go b/connectivity/factory/client_egress_l7_tls_deny_without_headers.go index b95e3e55ab..bf256ca33a 100644 
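Review bot: The trailing comment on the `WithCiliumPolicy(templates["clientEgressL7HTTPMatchheaderSecretYAML"])` line, `// L7 allow policy with HTTP introspection (POST only)`, reads as copied from the l7-method test; the function comment says this policy performs a header replace, so something like `// L7 policy that sets the request header from the "header-match" secret` would describe what the secret above is for (the template is not in this chunk, so confirm against it). The secret data `"Bearer 123456"` is a fixture whose only role appears to be satisfying the `auth-header-required` endpoint, which the final return says answers 401 when the header is missing; a comment on the `Data` field saying the value only has to match the policy would save the next reader from wondering whether it matters.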
--- a/connectivity/factory/client_egress_l7_tls_deny_without_headers.go +++ b/connectivity/factory/client_egress_l7_tls_deny_without_headers.go 
@@ -4,27 +4,34 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressL7TlsDenyWithoutHeaders = factory{ - name: "client-egress-l7-tls-deny-without-headers", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Test L7 HTTPS interception using an egress policy on the clients. - // Fail to load site due to missing headers. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). - WithCABundleSecret(). - WithCertificate("externaltarget-tls", ct.Params().ExternalTarget). - WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). // L7 allow policy with TLS interception - WithScenarios(tests.PodToWorldWithTLSIntercept()). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultDropCurlHTTPError, check.ResultNone - }) - }, - condition: runAlways, +type clientEgressL7TlsDenyWithoutHeaders struct{} + +func (t clientEgressL7TlsDenyWithoutHeaders) name() string { + return "client-egress-l7-tls-deny-without-headers" +} + +func (t clientEgressL7TlsDenyWithoutHeaders) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7TlsDenyWithoutHeaders) build(ct *check.ConnectivityTest, templates map[string]string) { + // Test L7 HTTPS interception using an egress policy on the clients. + // Fail to load site due to missing headers. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). + WithCABundleSecret(). + WithCertificate("externaltarget-tls", ct.Params().ExternalTarget). 
+ WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). // L7 allow policy with TLS interception + WithScenarios(tests.PodToWorldWithTLSIntercept()). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultDropCurlHTTPError, check.ResultNone + }) } diff --git a/connectivity/factory/client_egress_l7_tls_headers.go b/connectivity/factory/client_egress_l7_tls_headers.go index fe1267bf72..4e3505767a 100644 --- a/connectivity/factory/client_egress_l7_tls_headers.go +++ b/connectivity/factory/client_egress_l7_tls_headers.go 
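Review bot: The new type names `clientEgressL7TlsDenyWithoutHeaders` here and `clientEgressL7TlsHeaders` in the next hunk spell the initialism as `Tls`; Go convention keeps initialisms in one case, so `clientEgressL7TLSDenyWithoutHeaders` and `clientEgressL7TLSHeaders` would match `clientEgressL7TLSPolicyYAML`, which the same hunk already uses. Since the commit introduces these identifiers, this is the cheapest moment to rename them. The expectation `func(_ *check.Action)` returns `check.ResultDropCurlHTTPError` for every action; a doc comment on the type, `// clientEgressL7TlsDenyWithoutHeaders verifies that a TLS-intercepted request without the required header fails to load the site.`, would state the negative case the test pins.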
@@ -4,26 +4,33 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressL7TlsHeaders = factory{ - name: "client-egress-l7-tls-headers", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Test L7 HTTPS interception using an egress policy on the clients. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). - WithCABundleSecret(). - WithCertificate("externaltarget-tls", ct.Params().ExternalTarget). - WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). // L7 allow policy with TLS interception - WithScenarios(tests.PodToWorldWithTLSIntercept("-H", "X-Very-Secret-Token: 42")). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultOK, check.ResultNone - }) - }, - condition: runAlways, +type clientEgressL7TlsHeaders struct{} + +func (t clientEgressL7TlsHeaders) name() string { + return "client-egress-l7-tls-headers" +} + +func (t clientEgressL7TlsHeaders) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressL7TlsHeaders) build(ct *check.ConnectivityTest, templates map[string]string) { + // Test L7 HTTPS interception using an egress policy on the clients. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithFeatureRequirements(features.RequireEnabled(features.SecretBackendK8s)). + WithCABundleSecret(). + WithCertificate("externaltarget-tls", ct.Params().ExternalTarget). + WithCiliumPolicy(templates["clientEgressL7TLSPolicyYAML"]). 
// L7 allow policy with TLS interception + WithScenarios(tests.PodToWorldWithTLSIntercept("-H", "X-Very-Secret-Token: 42")). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultOK, check.ResultNone + }) } diff --git a/connectivity/factory/client_egress_to_cidr_deny.go b/connectivity/factory/client_egress_to_cidr_deny.go index 67f21ece92..a7cd760f13 100644 --- a/connectivity/factory/client_egress_to_cidr_deny.go +++ b/connectivity/factory/client_egress_to_cidr_deny.go 
@@ -4,31 +4,38 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressToCidrDeny = factory{ - name: "client-egress-to-cidr-deny", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // This policy denies L3 traffic to ExternalCIDR except ExternalIP/32 - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(templates["clientEgressToCIDRExternalDenyPolicyYAML"]). - WithScenarios( - tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)), // Denies all traffic to ExternalOtherIP, but allow ExternalIP - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { - return check.ResultOK, check.ResultNone - } - return check.ResultDrop, check.ResultDrop - }) - }, - condition: runAlways, +type clientEgressToCidrDeny struct{} + +func (t clientEgressToCidrDeny) name() string { + return "client-egress-to-cidr-deny" +} + +func (t clientEgressToCidrDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToCidrDeny) build(ct *check.ConnectivityTest, templates map[string]string) { + // This policy denies L3 traffic to ExternalCIDR except ExternalIP/32 + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(templates["clientEgressToCIDRExternalDenyPolicyYAML"]). 
+ WithScenarios( + tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)), // Denies all traffic to ExternalOtherIP, but allow ExternalIP + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { + return check.ResultOK, check.ResultNone + } + return check.ResultDrop, check.ResultDrop + }) } diff --git a/connectivity/factory/client_egress_to_cidr_deny_default.go b/connectivity/factory/client_egress_to_cidr_deny_default.go index 8946673b1b..b6bca784b3 100644 --- a/connectivity/factory/client_egress_to_cidr_deny_default.go +++ b/connectivity/factory/client_egress_to_cidr_deny_default.go 
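Review bot: The expectation closure calls `ct.Params()` four times per action to read `ExternalOtherIP` and `ExternalIP`, and the client_egress_to_cidr_deny_default hunk below repeats the same pattern; binding `params := ct.Params()` once at the top of `build` and comparing against `params.ExternalOtherIP` and `params.ExternalIP` reads better and avoids the repeated `features.GetIPFamily(...)` lookup on the same value (whether `Params()` is cheap is not visible here). The final `return check.ResultDrop, check.ResultDrop` is the catch-all for destinations that are neither address; a short comment naming which destinations are expected to fall through to it would help, since the scenario only targets the two IPs.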
@@ -4,29 +4,36 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var clientEgressToCidrDenyDefault = factory{ - name: "client-egress-to-cidr-deny-default", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // This test is same as the previous one, but there is no allowed policy. - // The goal is to test default deny policy - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(templates["clientEgressToCIDRExternalDenyPolicyYAML"]). - WithScenarios(tests.PodToCIDR()). // Denies all traffic to ExternalOtherIP, but allow ExternalIP - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - } - return check.ResultDrop, check.ResultDrop - }) - }, - condition: runAlways, +type clientEgressToCidrDenyDefault struct{} + +func (t clientEgressToCidrDenyDefault) name() string { + return "client-egress-to-cidr-deny-default" +} + +func (t clientEgressToCidrDenyDefault) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToCidrDenyDefault) build(ct *check.ConnectivityTest, templates map[string]string) { + // This test is same as the previous one, but there is no allowed policy. + // The goal is to test default deny policy + newTest(t.name(), ct). + WithCiliumPolicy(templates["clientEgressToCIDRExternalDenyPolicyYAML"]). + WithScenarios(tests.PodToCIDR()). 
// Denies all traffic to ExternalOtherIP, but allow ExternalIP + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + } + return check.ResultDrop, check.ResultDrop + }) } diff --git a/connectivity/factory/client_egress_to_echo_deny.go b/connectivity/factory/client_egress_to_echo_deny.go index 7f7612242f..5575b07ddf 100644 --- a/connectivity/factory/client_egress_to_echo_deny.go +++ b/connectivity/factory/client_egress_to_echo_deny.go 
@@ -6,36 +6,41 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-deny.yaml - clientEgressToEchoDenyPolicyYAML string - - clientEgressToEchoDeny = factory{ - name: "client-egress-to-echo-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies port 8080 from client to echo - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(clientEgressToEchoDenyPolicyYAML). // Deny client to echo traffic via port 8080 - WithScenarios( - tests.ClientToClient(), // Client to client traffic should be allowed - tests.PodToPod(), // Client to echo traffic should be denied - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("kind", "client") && - a.Destination().HasLabel("kind", "echo") && - a.Destination().Port() == 8080 { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - return check.ResultOK, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-deny.yaml +var clientEgressToEchoDenyPolicyYAML string + +type clientEgressToEchoDeny struct{} + +func (t clientEgressToEchoDeny) name() string { + return "client-egress-to-echo-deny" +} + +func (t clientEgressToEchoDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToEchoDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies port 8080 from client to echo + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). 
// Allow all ingress traffic + WithCiliumPolicy(clientEgressToEchoDenyPolicyYAML). // Deny client to echo traffic via port 8080 + WithScenarios( + tests.ClientToClient(), // Client to client traffic should be allowed + tests.PodToPod(), // Client to echo traffic should be denied + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("kind", "client") && + a.Destination().HasLabel("kind", "echo") && + a.Destination().Port() == 8080 { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + return check.ResultOK, check.ResultNone + }) +} diff --git a/connectivity/factory/client_egress_to_echo_expression_deny.go b/connectivity/factory/client_egress_to_echo_expression_deny.go index f12f38de6b..0a3e0aee7a 100644 --- a/connectivity/factory/client_egress_to_echo_expression_deny.go +++ b/connectivity/factory/client_egress_to_echo_expression_deny.go 
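Review bot: The `shouldRun` method at the end of the hunk hard-codes `return true`, and the identical three-line method is repeated verbatim in client_egress_to_echo_expression_deny.go, client_egress_to_echo_service_account.go, client_egress_to_echo_service_account_deny.go, client_ingress.go, client_ingress_from_other_client_icmp_deny.go, client_ingress_icmp.go, client_ingress_knp.go, client_ingress_to_echo_named_port_deny.go, client_with_service_account_egress_to_echo.go, client_with_service_account_egress_to_echo_deny.go, cluster_entity.go, dns_only.go and echo_ingress.go, where the removed `condition: runAlways` previously shared a single helper. A small embedded type would keep that sharing and drop the per-file `semver` import that exists only for the unused parameter: `type alwaysRun struct{}` with `func (alwaysRun) shouldRun(semver.Version, check.Parameters) bool { return true }`, then `type clientEgressToEchoDeny struct{ alwaysRun }`, leaving only cluster_entity_multi_cluster.go with its own `shouldRun`. The new types also have no doc comment; the description now buried inside `build` reads better on the type, e.g. `// clientEgressToEchoDeny verifies that a deny policy on port 8080 blocks client-to-echo traffic while client-to-client traffic stays allowed.`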
@@ -6,35 +6,40 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-expression-deny.yaml - clientEgressToEchoExpressionDenyPolicyYAML string - - clientEgressToEchoExpressionDeny = factory{ - name: "client-egress-to-echo-expression-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies port 8080 from client to echo (using label match expression), but allows traffic from client2 - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(clientEgressToEchoExpressionDenyPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be denied - tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be allowed - ). 
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && - a.Source().HasLabel("name", "client") { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-expression-deny.yaml +var clientEgressToEchoExpressionDenyPolicyYAML string + +type clientEgressToEchoExpressionDeny struct{} + +func (t clientEgressToEchoExpressionDeny) name() string { + return "client-egress-to-echo-expression-deny" +} + +func (t clientEgressToEchoExpressionDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToEchoExpressionDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies port 8080 from client to echo (using label match expression), but allows traffic from client2 + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(clientEgressToEchoExpressionDenyPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be denied + tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be allowed + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && + a.Source().HasLabel("name", "client") { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/client_egress_to_echo_service_account.go b/connectivity/factory/client_egress_to_echo_service_account.go index 5182616de1..e3e15688aa 100644 --- a/connectivity/factory/client_egress_to_echo_service_account.go +++ b/connectivity/factory/client_egress_to_echo_service_account.go 
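Review bot: The expectation at the end of the hunk returns `check.ResultPolicyDenyEgressDrop` for every client-to-echo action regardless of port, while the comment above `newTest` says the policy denies port 8080 and the sibling `clientEgressToEchoDeny` expectation guards the same case with `a.Destination().Port() == 8080`. If the embedded policy is port-scoped, adding `a.Destination().Port() == 8080 &&` to the condition keeps the expectation from accepting a policy that over-denies; if it is label-only, the comment should say so instead. The policy YAML is not in the diff, so which of the two applies cannot be settled from this hunk.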
@@ -6,31 +6,36 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-service-account.yaml - clientEgressToEchoServiceAccountPolicyYAML string - - clientEgressToEchoServiceAccount = factory{ - name: "client-egress-to-echo-service-account", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client to endpoint with service account label as echo-same-node - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientEgressToEchoServiceAccountPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"kind": "client"})), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("name", "echo-same-node") { - return check.ResultOK, check.ResultOK - } - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-service-account.yaml +var clientEgressToEchoServiceAccountPolicyYAML string + +type clientEgressToEchoServiceAccount struct{} + +func (t clientEgressToEchoServiceAccount) name() string { + return "client-egress-to-echo-service-account" +} + +func (t clientEgressToEchoServiceAccount) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToEchoServiceAccount) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client to endpoint with service account label as echo-same-node + newTest(t.name(), ct). + WithCiliumPolicy(clientEgressToEchoServiceAccountPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"kind": "client"})), + ). 
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("name", "echo-same-node") { + return check.ResultOK, check.ResultOK + } + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) +} diff --git a/connectivity/factory/client_egress_to_echo_service_account_deny.go b/connectivity/factory/client_egress_to_echo_service_account_deny.go index 07ce0d16b8..e3fca0ea18 100644 --- a/connectivity/factory/client_egress_to_echo_service_account_deny.go +++ b/connectivity/factory/client_egress_to_echo_service_account_deny.go 
@@ -6,33 +6,38 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-service-account-deny.yaml - clientEgressToEchoServiceAccountDenyPolicyYAML string - - clientEgressToEchoServiceAccountDeny = factory{ - name: "client-egress-to-echo-service-account-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies port 8080 from client to endpoint with service account, but not from client2 - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(clientEgressToEchoServiceAccountDenyPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client"})), - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("name", "echo-same-node") { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-service-account-deny.yaml +var clientEgressToEchoServiceAccountDenyPolicyYAML string + +type clientEgressToEchoServiceAccountDeny struct{} + +func (t clientEgressToEchoServiceAccountDeny) name() string { + return "client-egress-to-echo-service-account-deny" +} + +func (t clientEgressToEchoServiceAccountDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientEgressToEchoServiceAccountDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies port 8080 from client to endpoint with service account, but not from client2 + newTest(t.name(), ct). 
+ WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(clientEgressToEchoServiceAccountDenyPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client"})), + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("name", "echo-same-node") { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/client_ingress.go b/connectivity/factory/client_ingress.go index 38d9f5526b..a9f98d9e4b 100644 --- a/connectivity/factory/client_ingress.go +++ b/connectivity/factory/client_ingress.go 
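Review bot: The `WithSourceLabelsOption(map[string]string{"name": "client"})` call in `build` spells out a selector that client_egress_to_echo_expression_deny.go expresses as `clientLabel`, and client_with_service_account_egress_to_echo_deny.go repeats the same literal for both `client` and `client2`. If `clientLabel`/`client2Label` are the `name` selectors their use next to the `HasLabel("name", "client")` expectation suggests, `tests.PodToPod(tests.WithSourceLabelsOption(clientLabel))` here and the matching `client2Label` line there would keep a single definition of which pod is "the client". Their values are outside this diff, so confirm before substituting.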
@@ -6,29 +6,34 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-ingress-from-client2.yaml - clientIngressFromClient2PolicyYAML string - - clientIngress = factory{ - name: "client-ingress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy only allows ingress into client from client2. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientIngressFromClient2PolicyYAML). - WithScenarios(tests.ClientToClient()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") { - return check.ResultOK, check.ResultOK - } - return check.ResultOK, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-ingress-from-client2.yaml +var clientIngressFromClient2PolicyYAML string + +type clientIngress struct{} + +func (t clientIngress) name() string { + return "client-ingress" +} + +func (t clientIngress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientIngress) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy only allows ingress into client from client2. + newTest(t.name(), ct). + WithCiliumPolicy(clientIngressFromClient2PolicyYAML). + WithScenarios(tests.ClientToClient()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") { + return check.ResultOK, check.ResultOK + } + return check.ResultOK, check.ResultDefaultDenyIngressDrop + }) +} diff --git a/connectivity/factory/client_ingress_from_other_client_icmp_deny.go b/connectivity/factory/client_ingress_from_other_client_icmp_deny.go index 1f90f1ee6a..eae5c5dd69 100644 
--- a/connectivity/factory/client_ingress_from_other_client_icmp_deny.go +++ b/connectivity/factory/client_ingress_from_other_client_icmp_deny.go 
@@ -6,37 +6,42 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-icmp-deny.yaml - echoIngressICMPDenyPolicyYAML string - - clientIngressFromOtherClientIcmpDeny = factory{ - name: "client-ingress-from-other-client-icmp-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies ICMP ingress to client only from other client - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(echoIngressICMPDenyPolicyYAML). // Deny ICMP traffic from client to another client - WithFeatureRequirements(features.RequireEnabled(features.ICMPPolicy)). - WithScenarios( - tests.PodToPod(), // Client to echo traffic should be allowed - tests.ClientToClient(), // Client to client traffic should be denied - ). 
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && - a.Destination().HasLabel("kind", "client") { - return check.ResultDrop, check.ResultPolicyDenyIngressDrop - } - return check.ResultOK, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-icmp-deny.yaml +var echoIngressICMPDenyPolicyYAML string + +type clientIngressFromOtherClientIcmpDeny struct{} + +func (t clientIngressFromOtherClientIcmpDeny) name() string { + return "client-ingress-from-other-client-icmp-deny" +} + +func (t clientIngressFromOtherClientIcmpDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientIngressFromOtherClientIcmpDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies ICMP ingress to client only from other client + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(echoIngressICMPDenyPolicyYAML). // Deny ICMP traffic from client to another client + WithFeatureRequirements(features.RequireEnabled(features.ICMPPolicy)). + WithScenarios( + tests.PodToPod(), // Client to echo traffic should be allowed + tests.ClientToClient(), // Client to client traffic should be denied + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && + a.Destination().HasLabel("kind", "client") { + return check.ResultDrop, check.ResultPolicyDenyIngressDrop + } + return check.ResultOK, check.ResultNone + }) +} diff --git a/connectivity/factory/client_ingress_icmp.go b/connectivity/factory/client_ingress_icmp.go index ffb037b2da..b2a46f9b3d 100644 --- a/connectivity/factory/client_ingress_icmp.go +++ b/connectivity/factory/client_ingress_icmp.go 
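Review bot: The embedded manifest and its variable are named `echo-ingress-icmp-deny.yaml` / `echoIngressICMPDenyPolicyYAML`, but the test is `client-ingress-from-other-client-icmp-deny` and both the comment and the expectation describe ICMP denied from one client to another, with `tests.PodToPod()` to echo expected to pass. The same echo-versus-client mismatch appears in client_ingress_icmp.go (`echoIngressICMPPolicyYAML` backing `client-ingress-icmp`), and client_ingress_to_echo_named_port_deny.go goes further by embedding `client-egress-to-echo-named-port-deny.yaml` into `clientEgressToEchoDenyNamedPortPolicyYAML` while its expectation returns `check.ResultPolicyDenyIngressDrop`. Since the manifests are not in the diff, a one-line comment above each `//go:embed` stating which pods the policy selects and in which direction it acts would stop a reader from assuming it applies to echo egress; renaming the files and variables to match the tests would be the cleaner fix.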
@@ -6,31 +6,36 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-icmp.yaml - echoIngressICMPPolicyYAML string - - clientIngressIcmp = factory{ - name: "client-ingress-icmp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allowed ICMP traffic from client to another client. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(echoIngressICMPPolicyYAML). - WithFeatureRequirements(features.RequireEnabled(features.ICMPPolicy)). - WithScenarios(tests.ClientToClient()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") { - return check.ResultOK, check.ResultOK - } - return check.ResultOK, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-icmp.yaml +var echoIngressICMPPolicyYAML string + +type clientIngressIcmp struct{} + +func (t clientIngressIcmp) name() string { + return "client-ingress-icmp" +} + +func (t clientIngressIcmp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientIngressIcmp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allowed ICMP traffic from client to another client. + newTest(t.name(), ct). + WithCiliumPolicy(echoIngressICMPPolicyYAML). + WithFeatureRequirements(features.RequireEnabled(features.ICMPPolicy)). + WithScenarios(tests.ClientToClient()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") { + return check.ResultOK, check.ResultOK + } + return check.ResultOK, check.ResultDefaultDenyIngressDrop + }) +} 
diff --git a/connectivity/factory/client_ingress_knp.go b/connectivity/factory/client_ingress_knp.go
index e21c21616f..8d7f37acd8 100644
--- a/connectivity/factory/client_ingress_knp.go
+++ b/connectivity/factory/client_ingress_knp.go
@@ -6,29 +6,34 @@ package factory
 import (
 _ "embed"
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 )
-var (
- //go:embed manifests/client-ingress-from-client2-knp.yaml
- clientIngressFromClient2PolicyKNPYAML string
-
- clientIngressKnp = factory{
- name: "client-ingress-knp",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- // Run a simple test with k8s Network Policy.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithK8SPolicy(clientIngressFromClient2PolicyKNPYAML).
- WithScenarios(tests.ClientToClient()).
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
- if a.Source().HasLabel("other", "client") {
- return check.ResultOK, check.ResultOK
- }
- return check.ResultOK, check.ResultDefaultDenyIngressDrop
- })
- },
- condition: runAlways,
- }
-)
+//go:embed manifests/client-ingress-from-client2-knp.yaml
+var clientIngressFromClient2PolicyKNPYAML string
+
+type clientIngressKnp struct{}
+
+func (t clientIngressKnp) name() string {
+ return "client-ingress-knp"
+}
+
+func (t clientIngressKnp) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t clientIngressKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+ // Run a simple test with k8s Network Policy.
+ newTest(t.name(), ct).
+ WithK8SPolicy(clientIngressFromClient2PolicyKNPYAML).
+ WithScenarios(tests.ClientToClient()).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Source().HasLabel("other", "client") {
+ return check.ResultOK, check.ResultOK
+ }
+ return check.ResultOK, check.ResultDefaultDenyIngressDrop
+ })
+}
diff --git a/connectivity/factory/client_ingress_to_echo_named_port_deny.go b/connectivity/factory/client_ingress_to_echo_named_port_deny.go index 00096bef06..31c4fbc714 100644 --- a/connectivity/factory/client_ingress_to_echo_named_port_deny.go +++ b/connectivity/factory/client_ingress_to_echo_named_port_deny.go 
@@ -6,34 +6,39 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-echo-named-port-deny.yaml - clientEgressToEchoDenyNamedPortPolicyYAML string - - clientIngressToEchoNamedPortDeny = factory{ - name: "client-ingress-to-echo-named-port-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies port http-8080 from client to echo, but allows traffic from client2 to echo - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(clientEgressToEchoDenyNamedPortPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be denied - tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be allowed - ). 
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && a.Source().HasLabel("name", "client") { - return check.ResultDropCurlTimeout, check.ResultPolicyDenyIngressDrop - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-egress-to-echo-named-port-deny.yaml +var clientEgressToEchoDenyNamedPortPolicyYAML string + +type clientIngressToEchoNamedPortDeny struct{} + +func (t clientIngressToEchoNamedPortDeny) name() string { + return "client-ingress-to-echo-named-port-deny" +} + +func (t clientIngressToEchoNamedPortDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientIngressToEchoNamedPortDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies port http-8080 from client to echo, but allows traffic from client2 to echo + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(clientEgressToEchoDenyNamedPortPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be denied + tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be allowed + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && a.Source().HasLabel("name", "client") { + return check.ResultDropCurlTimeout, check.ResultPolicyDenyIngressDrop + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/client_with_service_account_egress_to_echo.go b/connectivity/factory/client_with_service_account_egress_to_echo.go index 60f992f2ea..6643b3de07 100644 --- a/connectivity/factory/client_with_service_account_egress_to_echo.go +++ b/connectivity/factory/client_with_service_account_egress_to_echo.go 
@@ -6,25 +6,30 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-with-service-account-egress-to-echo.yaml - clientWithServiceAccountEgressToEchoPolicyYAML string - - clientWithServiceAccountEgressToEcho = factory{ - name: "client-with-service-account-egress-to-echo", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows port 8080 from client with service account label to echo - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientWithServiceAccountEgressToEchoPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"kind": "client"})), - ) - }, - condition: runAlways, - } -) +//go:embed manifests/client-with-service-account-egress-to-echo.yaml +var clientWithServiceAccountEgressToEchoPolicyYAML string + +type clientWithServiceAccountEgressToEcho struct{} + +func (t clientWithServiceAccountEgressToEcho) name() string { + return "client-with-service-account-egress-to-echo" +} + +func (t clientWithServiceAccountEgressToEcho) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientWithServiceAccountEgressToEcho) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows port 8080 from client with service account label to echo + newTest(t.name(), ct). + WithCiliumPolicy(clientWithServiceAccountEgressToEchoPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"kind": "client"})), + ) +} diff --git a/connectivity/factory/client_with_service_account_egress_to_echo_deny.go b/connectivity/factory/client_with_service_account_egress_to_echo_deny.go index 664641923e..81898dc600 100644 --- a/connectivity/factory/client_with_service_account_egress_to_echo_deny.go 
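Review bot: `build` registers its scenario but, unlike every sibling in this series, attaches no `WithExpectations`, so the pass/fail criterion is whatever `newTest` and the scenario default to, and that default is not visible in this diff. If allow-all is the intended outcome, stating it explicitly — `WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { return check.ResultOK, check.ResultOK })`, as cluster_entity.go does — makes the positive case self-describing and keeps a later change to the default from silently altering what this test asserts. At minimum a comment saying the default expectation is relied on would help the next reader.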
+++ b/connectivity/factory/client_with_service_account_egress_to_echo_deny.go 
@@ -6,34 +6,39 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-with-service-account-egress-to-echo-deny.yaml - clientWithServiceAccountEgressToEchoDenyPolicyYAML string - - clientWithServiceAccountEgressToEchoDeny = factory{ - name: "client-with-service-account-egress-to-echo-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy denies port 8080 from client with service account selector to echo, but not from client2 - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(clientWithServiceAccountEgressToEchoDenyPolicyYAML). - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client"})), // Client to echo should be denied - tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client2"})), // Client2 to echo should be allowed - ). 
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && a.Source().HasLabel("name", "client") { - return check.ResultPolicyDenyEgressDrop, check.ResultNone - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/client-with-service-account-egress-to-echo-deny.yaml +var clientWithServiceAccountEgressToEchoDenyPolicyYAML string + +type clientWithServiceAccountEgressToEchoDeny struct{} + +func (t clientWithServiceAccountEgressToEchoDeny) name() string { + return "client-with-service-account-egress-to-echo-deny" +} + +func (t clientWithServiceAccountEgressToEchoDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clientWithServiceAccountEgressToEchoDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy denies port 8080 from client with service account selector to echo, but not from client2 + newTest(t.name(), ct). + WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(clientWithServiceAccountEgressToEchoDenyPolicyYAML). + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client"})), // Client to echo should be denied + tests.PodToPod(tests.WithSourceLabelsOption(map[string]string{"name": "client2"})), // Client2 to echo should be allowed + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && a.Source().HasLabel("name", "client") { + return check.ResultPolicyDenyEgressDrop, check.ResultNone + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/cluster_entity.go b/connectivity/factory/cluster_entity.go index 435df4fc80..073c4c4053 100644 --- a/connectivity/factory/cluster_entity.go +++ b/connectivity/factory/cluster_entity.go 
@@ -4,25 +4,32 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var clusterEntity = factory{ - name: "cluster-entity", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows cluster entity - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowClusterEntityPolicyYAML). - WithScenarios( - // Only enable to local cluster for now due to the below - // https://github.com/cilium/cilium/blob/88c4dddede2a3b5b9a7339c1316a0dedd7229a26/pkg/policy/api/entity.go#L126 - tests.PodToPod(tests.WithDestinationLabelsOption(map[string]string{"name": "echo-same-node"})), - ). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, +type clusterEntity struct{} + +func (t clusterEntity) name() string { + return "cluster-entity" +} + +func (t clusterEntity) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t clusterEntity) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows cluster entity + newTest(t.name(), ct). + WithCiliumPolicy(allowClusterEntityPolicyYAML). + WithScenarios( + // Only enable to local cluster for now due to the below + // https://github.com/cilium/cilium/blob/88c4dddede2a3b5b9a7339c1316a0dedd7229a26/pkg/policy/api/entity.go#L126 + tests.PodToPod(tests.WithDestinationLabelsOption(map[string]string{"name": "echo-same-node"})), + ). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultOK, check.ResultOK + }) } diff --git a/connectivity/factory/cluster_entity_multi_cluster.go b/connectivity/factory/cluster_entity_multi_cluster.go index e092f5323e..85755ec2e4 100644 --- a/connectivity/factory/cluster_entity_multi_cluster.go 
+++ b/connectivity/factory/cluster_entity_multi_cluster.go
@@ -10,18 +10,23 @@ import (
 "github.com/cilium/cilium-cli/connectivity/tests"
 )
-var clusterEntityMultiCluster = factory{
- name: "cluster-entity-multi-cluster",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithCiliumPolicy(allowClusterEntityPolicyYAML).
- WithScenarios(
- tests.PodToPod(tests.WithDestinationLabelsOption(map[string]string{"name": "echo-other-node"})),
- ).
- WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
- return check.ResultDefaultDenyEgressDrop, check.ResultNone
- })
- },
- condition: func(_ semver.Version, params check.Parameters) bool { return params.MultiCluster != "" },
+type clusterEntityMultiCluster struct{}
+
+func (t clusterEntityMultiCluster) name() string {
+ return "cluster-entity-multi-cluster"
+}
+
+func (t clusterEntityMultiCluster) shouldRun(_ semver.Version, params check.Parameters) bool {
+ return params.MultiCluster != ""
+}
+
+func (t clusterEntityMultiCluster) build(ct *check.ConnectivityTest, _ map[string]string) {
+ newTest(t.name(), ct).
+ WithCiliumPolicy(allowClusterEntityPolicyYAML).
+ WithScenarios(
+ tests.PodToPod(tests.WithDestinationLabelsOption(map[string]string{"name": "echo-other-node"})),
+ ).
+ WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
 }
diff --git a/connectivity/factory/dns_only.go b/connectivity/factory/dns_only.go
index bad5a418a0..9ed92dab47 100644
--- a/connectivity/factory/dns_only.go
+++ b/connectivity/factory/dns_only.go
@@ -4,26 +4,33 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var dnsOnly = factory{ - name: "dns-only", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Only allow UDP:53 to kube-dns, no DNS proxy enabled. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithScenarios( - tests.PodToPod(), // connects to other Pods directly, no DNS - tests.PodToWorld(), // resolves set domain-name defaults to one.one.one.one - ). - WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { - return check.ResultDropCurlTimeout, check.ResultNone - }) - }, - condition: runAlways, +type dnsOnly struct{} + +func (t dnsOnly) name() string { + return "dns-only" +} + +func (t dnsOnly) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t dnsOnly) build(ct *check.ConnectivityTest, _ map[string]string) { + // Only allow UDP:53 to kube-dns, no DNS proxy enabled. + newTest(t.name(), ct). + WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithScenarios( + tests.PodToPod(), // connects to other Pods directly, no DNS + tests.PodToWorld(), // resolves set domain-name defaults to one.one.one.one + ). + WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { + return check.ResultDropCurlTimeout, check.ResultNone + }) } diff --git a/connectivity/factory/echo_ingress.go b/connectivity/factory/echo_ingress.go index 5bdbe24754..afa8b4e03f 100644 --- a/connectivity/factory/echo_ingress.go +++ b/connectivity/factory/echo_ingress.go 
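Review bot: The comment `// Only allow UDP:53 to kube-dns, no DNS proxy enabled.` sits directly above `WithFeatureRequirements(features.RequireEnabled(features.L7Proxy))`, which reads as a contradiction until one works out that the comment describes what the policy grants and the requirement describes the cluster. Expanding the comment to say why the proxy must be present when the policy has no L7 rules — presumably because the expected `check.ResultDropCurlTimeout` for `tests.PodToWorld()` depends on it — would save the next reader that detour. I cannot confirm the actual reason from this hunk alone, so the wording should come from whoever added the requirement.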
@@ -4,26 +4,33 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var echoIngress = factory{ - name: "echo-ingress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows ingress to echo only from client with a label 'other:client'. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(echoIngressFromOtherClientPolicyYAML). - WithScenarios(tests.PodToPod()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { - // TCP handshake fails both in egress and ingress when - // L3(/L4) policy drops at either location. - return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, +type echoIngress struct{} + +func (t echoIngress) name() string { + return "echo-ingress" +} + +func (t echoIngress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngress) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows ingress to echo only from client with a label 'other:client'. + newTest(t.name(), ct). + WithCiliumPolicy(echoIngressFromOtherClientPolicyYAML). + WithScenarios(tests.PodToPod()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { + // TCP handshake fails both in egress and ingress when + // L3(/L4) policy drops at either location. + return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout + } + return check.ResultOK, check.ResultOK + }) } 
diff --git a/connectivity/factory/echo_ingress_auth_always_fail.go b/connectivity/factory/echo_ingress_auth_always_fail.go index 20390ccb5a..7c9182f0e6 100644 --- a/connectivity/factory/echo_ingress_auth_always_fail.go +++ b/connectivity/factory/echo_ingress_auth_always_fail.go 
@@ -6,30 +6,35 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-mutual-authentication-fail.yaml - echoIngressAuthFailPolicyYAML string - - echoIngressAuthAlwaysFail = factory{ - name: "echo-ingress-auth-always-fail", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test mutual auth with always-fail - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(echoIngressAuthFailPolicyYAML). - // this test is only useful when auth is supported in the Cilium version and it is enabled - // currently this is tested spiffe as that is the only functional auth method - WithFeatureRequirements(features.RequireEnabled(features.AuthSpiffe)). - WithScenarios(tests.PodToPod()). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultDropCurlTimeout, check.ResultDropAuthRequired - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-mutual-authentication-fail.yaml +var echoIngressAuthFailPolicyYAML string + +type echoIngressAuthAlwaysFail struct{} + +func (t echoIngressAuthAlwaysFail) name() string { + return "echo-ingress-auth-always-fail" +} + +func (t echoIngressAuthAlwaysFail) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressAuthAlwaysFail) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test mutual auth with always-fail + newTest(t.name(), ct). + WithCiliumPolicy(echoIngressAuthFailPolicyYAML). + // this test is only useful when auth is supported in the Cilium version and it is enabled + // currently this is tested spiffe as that is the only functional auth method + WithFeatureRequirements(features.RequireEnabled(features.AuthSpiffe)). 
+ WithScenarios(tests.PodToPod()). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultDropCurlTimeout, check.ResultDropAuthRequired + }) +} diff --git a/connectivity/factory/echo_ingress_from_other_client_deny.go b/connectivity/factory/echo_ingress_from_other_client_deny.go index d2da2c78db..ee53e5ffc9 100644 --- a/connectivity/factory/echo_ingress_from_other_client_deny.go +++ b/connectivity/factory/echo_ingress_from_other_client_deny.go 
@@ -6,35 +6,40 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/echo-ingress-from-other-client-deny.yaml - echoIngressFromOtherClientDenyPolicyYAML string - - echoIngressFromOtherClientDeny = factory{ - name: "echo-ingress-from-other-client-deny", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Tests with deny policy - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic - WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic - WithCiliumPolicy(echoIngressFromOtherClientDenyPolicyYAML). // Deny other client contact echo - WithScenarios( - tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be allowed - tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be denied - tests.ClientToClient(), // Client to client should be allowed - ). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") && a.Destination().HasLabel("kind", "echo") { - return check.ResultDrop, check.ResultPolicyDenyIngressDrop - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-from-other-client-deny.yaml +var echoIngressFromOtherClientDenyPolicyYAML string + +type echoIngressFromOtherClientDeny struct{} + +func (t echoIngressFromOtherClientDeny) name() string { + return "echo-ingress-from-other-client-deny" +} + +func (t echoIngressFromOtherClientDeny) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressFromOtherClientDeny) build(ct *check.ConnectivityTest, _ map[string]string) { + // Tests with deny policy + newTest(t.name(), ct). 
+ WithCiliumPolicy(allowAllEgressPolicyYAML). // Allow all egress traffic + WithCiliumPolicy(allowAllIngressPolicyYAML). // Allow all ingress traffic + WithCiliumPolicy(echoIngressFromOtherClientDenyPolicyYAML). // Deny other client contact echo + WithScenarios( + tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)), // Client to echo should be allowed + tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // Client2 to echo should be denied + tests.ClientToClient(), // Client to client should be allowed + ). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") && a.Destination().HasLabel("kind", "echo") { + return check.ResultDrop, check.ResultPolicyDenyIngressDrop + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/echo_ingress_from_outside.go b/connectivity/factory/echo_ingress_from_outside.go index aa930d3e04..0a48d25dde 100644 --- a/connectivity/factory/echo_ingress_from_outside.go +++ b/connectivity/factory/echo_ingress_from_outside.go 
@@ -11,23 +11,28 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var echoIngressFromOutside = factory{ - name: "echo-ingress-from-outside", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(echoIngressFromOtherClientPolicyYAML). - WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). - WithIPRoutesFromOutsideToPodCIDRs(). - WithScenarios(tests.FromCIDRToPod()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { - // TCP handshake fails both in egress and ingress when - // L3(/L4) policy drops at either location. - return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout - } - return check.ResultOK, check.ResultOK - }) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests }, +type echoIngressFromOutside struct{} + +func (t echoIngressFromOutside) name() string { + return "echo-ingress-from-outside" +} + +func (t echoIngressFromOutside) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeUnsafeTests +} + +func (t echoIngressFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithCiliumPolicy(echoIngressFromOtherClientPolicyYAML). + WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). + WithIPRoutesFromOutsideToPodCIDRs(). + WithScenarios(tests.FromCIDRToPod()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { + // TCP handshake fails both in egress and ingress when + // L3(/L4) policy drops at either location. 
+ return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout + } + return check.ResultOK, check.ResultOK + }) } diff --git a/connectivity/factory/echo_ingress_knp.go b/connectivity/factory/echo_ingress_knp.go index 724409d934..fd92266f61 100644 --- a/connectivity/factory/echo_ingress_knp.go +++ b/connectivity/factory/echo_ingress_knp.go 
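Review bot: The new `shouldRun` returns `params.IncludeUnsafeTests` with no explanation of what makes this test unsafe, and the old inline condition did not carry one either. Presumably it is `WithIPRoutesFromOutsideToPodCIDRs()` in build(), which by its name changes routing on the node without Cilium; if so, a one-line comment at the gate such as `// Unsafe: build() installs IP routes on the external node via WithIPRoutesFromOutsideToPodCIDRs, so only run when the user opts in.` would make the opt-in visible where it is decided rather than deep in the builder chain. The expectation closure is unchanged from the old body.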
@@ -6,31 +6,36 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/echo-ingress-from-other-client-knp.yaml - echoIngressFromOtherClientPolicyKNPYAML string - - echoIngressKnp = factory{ - name: "echo-ingress-knp", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This k8s policy allows ingress to echo only from client with a label 'other:client'. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithK8SPolicy(echoIngressFromOtherClientPolicyKNPYAML). - WithScenarios(tests.PodToPod()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { - // TCP handshake fails both in egress and ingress when - // L3(/L4) policy drops at either location. - return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout - } - return check.ResultOK, check.ResultOK - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-from-other-client-knp.yaml +var echoIngressFromOtherClientPolicyKNPYAML string + +type echoIngressKnp struct{} + +func (t echoIngressKnp) name() string { + return "echo-ingress-knp" +} + +func (t echoIngressKnp) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressKnp) build(ct *check.ConnectivityTest, _ map[string]string) { + // This k8s policy allows ingress to echo only from client with a label 'other:client'. + newTest(t.name(), ct). + WithK8SPolicy(echoIngressFromOtherClientPolicyKNPYAML). + WithScenarios(tests.PodToPod()). 
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Destination().HasLabel("kind", "echo") && !a.Source().HasLabel("other", "client") { + // TCP handshake fails both in egress and ingress when + // L3(/L4) policy drops at either location. + return check.ResultDropCurlTimeout, check.ResultDropCurlTimeout + } + return check.ResultOK, check.ResultOK + }) +} diff --git a/connectivity/factory/echo_ingress_l7.go b/connectivity/factory/echo_ingress_l7.go index 4db739673a..84aa6d1cdb 100644 --- a/connectivity/factory/echo_ingress_l7.go +++ b/connectivity/factory/echo_ingress_l7.go 
@@ -6,41 +6,46 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-l7-http.yaml - echoIngressL7HTTPPolicyYAML string - - echoIngressL7 = factory{ - name: "echo-ingress-l7", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test L7 HTTP introspection using an ingress policy on echo pods. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection - WithScenarios(tests.PodToPodWithEndpoints()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls. - // Trying to access private endpoint without "secret" header set - // should lead to a drop. - if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") { - return check.ResultDropCurlHTTPError, check.ResultNone - } - egress = check.ResultOK - // Expect all curls from client2 to be proxied and to be GET calls. - egress.HTTP = check.HTTP{ - Method: "GET", - } - return egress, check.ResultNone - } - return check.ResultDrop, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-l7-http.yaml +var echoIngressL7HTTPPolicyYAML string + +type echoIngressL7 struct{} + +func (t echoIngressL7) name() string { + return "echo-ingress-l7" +} + +func (t echoIngressL7) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressL7) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test L7 HTTP introspection using an ingress policy on echo pods. 
+ newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithCiliumPolicy(echoIngressL7HTTPPolicyYAML). // L7 allow policy with HTTP introspection + WithScenarios(tests.PodToPodWithEndpoints()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls. + // Trying to access private endpoint without "secret" header set + // should lead to a drop. + if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") { + return check.ResultDropCurlHTTPError, check.ResultNone + } + egress = check.ResultOK + // Expect all curls from client2 to be proxied and to be GET calls. + egress.HTTP = check.HTTP{ + Method: "GET", + } + return egress, check.ResultNone + } + return check.ResultDrop, check.ResultDefaultDenyIngressDrop + }) +} diff --git a/connectivity/factory/echo_ingress_l7_named_port.go b/connectivity/factory/echo_ingress_l7_named_port.go index 2fbe108046..73d69c90e8 100644 --- a/connectivity/factory/echo_ingress_l7_named_port.go +++ b/connectivity/factory/echo_ingress_l7_named_port.go 
@@ -6,41 +6,46 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-l7-http-named-port.yaml - echoIngressL7HTTPNamedPortPolicyYAML string - - echoIngressL7NamedPort = factory{ - name: "echo-ingress-l7-named-port", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test L7 HTTP introspection using an ingress policy on echo pods. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). - WithCiliumPolicy(echoIngressL7HTTPNamedPortPolicyYAML). // L7 allow policy with HTTP introspection (named port) - WithScenarios(tests.PodToPodWithEndpoints()). - WithExpectations(func(a *check.Action) (egress, ingress check.Result) { - if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls. - // Trying to access private endpoint without "secret" header set - // should lead to a drop. - if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") { - return check.ResultDropCurlHTTPError, check.ResultNone - } - egress = check.ResultOK - // Expect all curls from client2 to be proxied and to be GET calls. 
- egress.HTTP = check.HTTP{ - Method: "GET", - } - return egress, check.ResultNone - } - return check.ResultDrop, check.ResultDefaultDenyIngressDrop - }) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-l7-http-named-port.yaml +var echoIngressL7HTTPNamedPortPolicyYAML string + +type echoIngressL7NamedPort struct{} + +func (t echoIngressL7NamedPort) name() string { + return "echo-ingress-l7-named-port" +} + +func (t echoIngressL7NamedPort) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressL7NamedPort) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test L7 HTTP introspection using an ingress policy on echo pods. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)). + WithCiliumPolicy(echoIngressL7HTTPNamedPortPolicyYAML). // L7 allow policy with HTTP introspection (named port) + WithScenarios(tests.PodToPodWithEndpoints()). + WithExpectations(func(a *check.Action) (egress, ingress check.Result) { + if a.Source().HasLabel("other", "client") { // Only client2 is allowed to make HTTP calls. + // Trying to access private endpoint without "secret" header set + // should lead to a drop. + if a.Destination().Path() == "/private" && !a.Destination().HasLabel("X-Very-Secret-Token", "42") { + return check.ResultDropCurlHTTPError, check.ResultNone + } + egress = check.ResultOK + // Expect all curls from client2 to be proxied and to be GET calls. + egress.HTTP = check.HTTP{ + Method: "GET", + } + return egress, check.ResultNone + } + return check.ResultDrop, check.ResultDefaultDenyIngressDrop + }) +} diff --git a/connectivity/factory/echo_ingress_mutual_auth_spiffe.go b/connectivity/factory/echo_ingress_mutual_auth_spiffe.go index 5958c80581..d432f2810a 100644 --- a/connectivity/factory/echo_ingress_mutual_auth_spiffe.go +++ b/connectivity/factory/echo_ingress_mutual_auth_spiffe.go 
@@ -6,25 +6,30 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-mutual-authentication.yaml - echoIngressMutualAuthPolicyYAML string - - echoIngressMutualAuthSpiffe = factory{ - name: "echo-ingress-mutual-auth-spiffe", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test mutual auth with SPIFFE - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(echoIngressMutualAuthPolicyYAML). - WithFeatureRequirements(features.RequireEnabled(features.AuthSpiffe)). - WithScenarios(tests.PodToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-mutual-authentication.yaml +var echoIngressMutualAuthPolicyYAML string + +type echoIngressMutualAuthSpiffe struct{} + +func (t echoIngressMutualAuthSpiffe) name() string { + return "echo-ingress-mutual-auth-spiffe" +} + +func (t echoIngressMutualAuthSpiffe) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t echoIngressMutualAuthSpiffe) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test mutual auth with SPIFFE + newTest(t.name(), ct). + WithCiliumPolicy(echoIngressMutualAuthPolicyYAML). + WithFeatureRequirements(features.RequireEnabled(features.AuthSpiffe)). + WithScenarios(tests.PodToPod()) +} diff --git a/connectivity/factory/egress_gateway.go b/connectivity/factory/egress_gateway.go index 5766cfefea..77a91d1e5a 100644 --- a/connectivity/factory/egress_gateway.go +++ b/connectivity/factory/egress_gateway.go 
@@ -11,25 +11,30 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var egressGateway = factory{ - name: "egress-gateway", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ - Name: "cegp-sample-client", - PodSelectorKind: "client", - }). - WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ - Name: "cegp-sample-echo", - PodSelectorKind: "echo", - }). - WithIPRoutesFromOutsideToPodCIDRs(). - WithFeatureRequirements( - features.RequireEnabled(features.EgressGateway), - features.RequireEnabled(features.NodeWithoutCilium), - ). - WithScenarios(tests.EgressGateway()) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests }, +type egressGateway struct{} + +func (t egressGateway) name() string { + return "egress-gateway" +} + +func (t egressGateway) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeUnsafeTests +} + +func (t egressGateway) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ + Name: "cegp-sample-client", + PodSelectorKind: "client", + }). + WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ + Name: "cegp-sample-echo", + PodSelectorKind: "echo", + }). + WithIPRoutesFromOutsideToPodCIDRs(). + WithFeatureRequirements( + features.RequireEnabled(features.EgressGateway), + features.RequireEnabled(features.NodeWithoutCilium), + ). + WithScenarios(tests.EgressGateway()) } diff --git a/connectivity/factory/egress_gateway_excluded_cidrs.go b/connectivity/factory/egress_gateway_excluded_cidrs.go index 8e69eca5c4..674f023fdb 100644 --- a/connectivity/factory/egress_gateway_excluded_cidrs.go +++ b/connectivity/factory/egress_gateway_excluded_cidrs.go 
@@ -13,23 +13,26 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var egressGatewayExcludedCidrs = factory{ - name: "egress-gateway-excluded-cidrs", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ - Name: "cegp-sample-client", - PodSelectorKind: "client", - ExcludedCIDRsConf: check.ExternalNodeExcludedCIDRs, - }). - WithFeatureRequirements( - features.RequireEnabled(features.EgressGateway), - features.RequireEnabled(features.NodeWithoutCilium), - ). - WithScenarios(tests.EgressGatewayExcludedCIDRs()) - }, - condition: func(version semver.Version, _ check.Parameters) bool { - return versioncheck.MustCompile(">=1.14.0")(version) - }, +type egressGatewayExcludedCidrs struct{} + +func (t egressGatewayExcludedCidrs) name() string { + return "egress-gateway-excluded-cidrs" +} + +func (t egressGatewayExcludedCidrs) shouldRun(version semver.Version, _ check.Parameters) bool { + return versioncheck.MustCompile(">=1.14.0")(version) +} + +func (t egressGatewayExcludedCidrs) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{ + Name: "cegp-sample-client", + PodSelectorKind: "client", + ExcludedCIDRsConf: check.ExternalNodeExcludedCIDRs, + }). + WithFeatureRequirements( + features.RequireEnabled(features.EgressGateway), + features.RequireEnabled(features.NodeWithoutCilium), + ). + WithScenarios(tests.EgressGatewayExcludedCIDRs()) } diff --git a/connectivity/factory/factory.go b/connectivity/factory/factory.go index 29b3dea006..75490e2be6 100644 --- a/connectivity/factory/factory.go +++ b/connectivity/factory/factory.go 
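Review bot: `versioncheck.MustCompile(">=1.14.0")` in the new `shouldRun` is recompiled on every call, and a `Must` helper that panics on a bad constraint belongs at package init rather than on the call path. Hoist it to a package-level variable, `var egressGatewayExcludedCidrsMinVersion = versioncheck.MustCompile(">=1.14.0")`, and have shouldRun return `egressGatewayExcludedCidrsMinVersion(version)`; a malformed constraint then fails at program start instead of when the test list is assembled. The old struct literal had the same per-call compile, so this is inherited rather than introduced, but the method form is the natural moment to fix it.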
@@ -76,91 +76,89 @@ var ( clientLabel = map[string]string{"name": "client"} client2Label = map[string]string{"name": "client2"} - runAlways = func(semver.Version, check.Parameters) bool { return true } - // Test order is important parallelTests = []factory{ - noUnexpectedPacketDrops, - noPolicies, - noPoliciesFromOutside, - noPoliciesExtra, - allowAllExceptWorld, - clientIngress, - clientIngressKnp, - allowAllWithMetricsCheck, - allIngressDeny, - allIngressDenyFromOutside, - allIngressDenyKnp, - allEgressDeny, - allEgressDenyKnp, - allEntitiesDeny, - clusterEntity, - clusterEntityMultiCluster, - hostEntityEgress, - hostEntityIngress, - echoIngress, - echoIngressFromOutside, - echoIngressKnp, - clientIngressIcmp, - clientEgress, - clientEgressKnp, - clientEgressExpression, - clientEgressExpressionKnp, - clientWithServiceAccountEgressToEcho, - clientEgressToEchoServiceAccount, - toEntitiesWorld, - toCidrExternal, - toCidrExternalKnp, - fromCidrHostNetns, - echoIngressFromOtherClientDeny, - clientIngressFromOtherClientIcmpDeny, - clientEgressToEchoDeny, - clientIngressToEchoNamedPortDeny, - clientEgressToEchoExpressionDeny, - clientWithServiceAccountEgressToEchoDeny, - clientEgressToEchoServiceAccountDeny, - clientEgressToCidrDeny, - clientEgressToCidrDenyDefault, - health, - northSouthLoadbalancing, - podToPodEncryption, - nodeToNodeEncryption, - egressGateway, - egressGatewayExcludedCidrs, - podToNodeCidrpolicy, - northSouthLoadbalancingWithL7Policy, - echoIngressL7, - echoIngressL7NamedPort, - clientEgressL7Method, - clientEgressL7, - clientEgressL7NamedPort, - clientEgressL7TlsDenyWithoutHeaders, - clientEgressL7TlsHeaders, - clientEgressL7SetHeader, - echoIngressAuthAlwaysFail, - echoIngressMutualAuthSpiffe, - podToIngressService, - podToIngressServiceDenyAll, - podToIngressServiceDenyIngressIdentity, - podToIngressServiceDenyBackendService, - podToIngressServiceAllowIngressIdentity, - outsideToIngressService, - outsideToIngressServiceDenyWorldIdentity, - 
outsideToIngressServiceDenyCidr, - outsideToIngressServiceDenyAllIngress, - dnsOnly, - toFqdns, - podToControlplaneHost, - podToK8sOnControlplane, - podToControlplaneHostCidr, - podToK8sOnControlplaneCidr, + noUnexpectedPacketDrops{}, + noPolicies{}, + noPoliciesFromOutside{}, + noPoliciesExtra{}, + allowAllExceptWorld{}, + clientIngress{}, + clientIngressKnp{}, + allowAllWithMetricsCheck{}, + allIngressDeny{}, + allIngressDenyFromOutside{}, + allIngressDenyKnp{}, + allEgressDeny{}, + allEgressDenyKnp{}, + allEntitiesDeny{}, + clusterEntity{}, + clusterEntityMultiCluster{}, + hostEntityEgress{}, + hostEntityIngress{}, + echoIngress{}, + echoIngressFromOutside{}, + echoIngressKnp{}, + clientIngressIcmp{}, + clientEgress{}, + clientEgressKnp{}, + clientEgressExpression{}, + clientEgressExpressionKnp{}, + clientWithServiceAccountEgressToEcho{}, + clientEgressToEchoServiceAccount{}, + toEntitiesWorld{}, + toCidrExternal{}, + toCidrExternalKnp{}, + fromCidrHostNetns{}, + echoIngressFromOtherClientDeny{}, + clientIngressFromOtherClientIcmpDeny{}, + clientEgressToEchoDeny{}, + clientIngressToEchoNamedPortDeny{}, + clientEgressToEchoExpressionDeny{}, + clientWithServiceAccountEgressToEchoDeny{}, + clientEgressToEchoServiceAccountDeny{}, + clientEgressToCidrDeny{}, + clientEgressToCidrDenyDefault{}, + health{}, + northSouthLoadbalancing{}, + podToPodEncryption{}, + nodeToNodeEncryption{}, + egressGateway{}, + egressGatewayExcludedCidrs{}, + podToNodeCidrpolicy{}, + northSouthLoadbalancingWithL7Policy{}, + echoIngressL7{}, + echoIngressL7NamedPort{}, + clientEgressL7Method{}, + clientEgressL7{}, + clientEgressL7NamedPort{}, + clientEgressL7TlsDenyWithoutHeaders{}, + clientEgressL7TlsHeaders{}, + clientEgressL7SetHeader{}, + echoIngressAuthAlwaysFail{}, + echoIngressMutualAuthSpiffe{}, + podToIngressService{}, + podToIngressServiceDenyAll{}, + podToIngressServiceDenyIngressIdentity{}, + podToIngressServiceDenyBackendService{}, + podToIngressServiceAllowIngressIdentity{}, + 
outsideToIngressService{}, + outsideToIngressServiceDenyWorldIdentity{}, + outsideToIngressServiceDenyCidr{}, + outsideToIngressServiceDenyAllIngress{}, + dnsOnly{}, + toFqdns{}, + podToControlplaneHost{}, + podToK8sOnControlplane{}, + podToControlplaneHostCidr{}, + podToK8sOnControlplaneCidr{}, } ) -type factory struct { - name string - build func(name string, ct *check.ConnectivityTest, templates map[string]string) - condition func(version semver.Version, params check.Parameters) bool +type factory interface { + name() string + shouldRun(version semver.Version, params check.Parameters) bool + build(ct *check.ConnectivityTest, templates map[string]string) } // InjectTests function injects needed connectivity tests in a proper order. @@ -172,13 +170,13 @@ func InjectTests(ct *check.ConnectivityTest, extraTests func(ct *check.Connectiv // Network Performance Test if ct.Params().Perf { - injectTests(ct, templates, networkPerf) + injectTests(ct, templates, networkPerf{}) return nil } // Conn disrupt Test if ct.Params().IncludeConnDisruptTest { - injectTests(ct, templates, noInterruptedConnections, noIpsecXfrmErrors) + injectTests(ct, templates, noInterruptedConnections{}, noIpsecXfrmErrors{}) if ct.Params().ConnDisruptTestSetup { // Exit early, as --conn-disrupt-test-setup is only needed to deploy pods which // will be used by another invocation of "cli connectivity test" (with @@ -193,7 +191,7 @@ func InjectTests(ct *check.ConnectivityTest, extraTests func(ct *check.Connectiv return err } - injectTests(ct, templates, checkLogErrors) + injectTests(ct, templates, checkLogErrors{}) return nil } 
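Review bot: The new `factory` interface at the end of the first hunk has no doc comment, and since its three methods are the whole contract every test type in this package implements, it is the place to state it: `// factory is one connectivity test: name() identifies it, shouldRun() gates it on the Cilium version and the CLI parameters, and build() registers it with the ConnectivityTest.` Dropping `runAlways` also means the `return true` body of shouldRun is now repeated in every unconditional test type across the patch; an embeddable `type runAlways struct{}` with `func (runAlways) shouldRun(semver.Version, check.Parameters) bool { return true }` would let those types declare only name() and build(). The parallelTests slice is a mechanical rewrite and, as far as the visible lines show, preserves the order the comment says matters.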
@@ -227,10 +225,15 @@ func renderTemplates(param check.Parameters) (map[string]string, error) { return renderedTemplates, nil } +func newTest(name string, ct *check.ConnectivityTest) *check.Test { + test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) + return ct.AddTest(test) +} + func injectTests(ct *check.ConnectivityTest, templates map[string]string, tests ...factory) { for _, t := range tests { - if t.condition(ct.CiliumVersion, ct.Params()) { - t.build(t.name, ct, templates) + if t.shouldRun(ct.CiliumVersion, ct.Params()) { + t.build(ct, templates) } } } diff --git a/connectivity/factory/from_cidr_host_netns.go b/connectivity/factory/from_cidr_host_netns.go index 9f7ef87db3..d393bb9eb1 100644 --- a/connectivity/factory/from_cidr_host_netns.go +++ b/connectivity/factory/from_cidr_host_netns.go 
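Review bot: `newTest` is a new package-level helper with no doc comment, and because every build() in the patch now goes through it, its two-step contract (construct and register) is worth stating: `// newTest creates a check.Test named name, inheriting the Verbose and Debug flags from ct's parameters, and registers it with ct; the returned *check.Test is the value ct.AddTest returned, ready for the With…() chain.` The loop in injectTests is otherwise a straight rename from condition/name to shouldRun/build with the name argument dropped, which matches the new interface.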
@@ -11,18 +11,23 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var fromCidrHostNetns = factory{ - name: "from-cidr-host-netns", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). - WithCiliumPolicy(templates["echoIngressFromCIDRYAML"]). - WithIPRoutesFromOutsideToPodCIDRs(). - WithScenarios(tests.FromCIDRToPod()). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultOK, check.ResultNone - }) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests }, +type fromCidrHostNetns struct{} + +func (t fromCidrHostNetns) name() string { + return "from-cidr-host-netns" +} + +func (t fromCidrHostNetns) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeUnsafeTests +} + +func (t fromCidrHostNetns) build(ct *check.ConnectivityTest, templates map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). + WithCiliumPolicy(templates["echoIngressFromCIDRYAML"]). + WithIPRoutesFromOutsideToPodCIDRs(). + WithScenarios(tests.FromCIDRToPod()). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultOK, check.ResultNone + }) } diff --git a/connectivity/factory/health.go b/connectivity/factory/health.go index d6373b3d94..e46ada8c98 100644 --- a/connectivity/factory/health.go +++ b/connectivity/factory/health.go 
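Review bot: `templates["echoIngressFromCIDRYAML"]` in the new build() is an unchecked map lookup; if that key is ever missing or renamed in renderTemplates, WithCiliumPolicy receives an empty string and, with the expectation fixed at `ResultOK, ResultNone`, the scenario would presumably still pass, so the policy under test would silently stop being applied. The old body had the same lookup, but now that build() has a fixed signature with no error return, at least a guard comment should flag the coupling: `// echoIngressFromCIDRYAML must be produced by renderTemplates; an absent key yields an empty policy and this test can no longer fail.` If check.ConnectivityTest exposes a way to fail early (not visible here), a `tmpl, ok := templates["echoIngressFromCIDRYAML"]` check that uses it would be better than the comment.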
@@ -4,19 +4,26 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var health = factory{ - name: "health", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Health check tests. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.HealthChecking)). - WithScenarios(tests.CiliumHealth()) - }, - condition: runAlways, +type health struct{} + +func (t health) name() string { + return "health" +} + +func (t health) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t health) build(ct *check.ConnectivityTest, _ map[string]string) { + // Health check tests. + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.HealthChecking)). + WithScenarios(tests.CiliumHealth()) } diff --git a/connectivity/factory/host_entity_egress.go b/connectivity/factory/host_entity_egress.go index 515d968c86..83c5a2333d 100644 --- a/connectivity/factory/host_entity_egress.go +++ b/connectivity/factory/host_entity_egress.go 
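Review bot: `shouldRun` returning a constant `true` is now re-typed in every always-on factory (health here, and hostEntityEgress, noPolicies, northSouthLoadbalancing and others in this commit), where the old struct shared a single `runAlways` value. An embeddable `type alwaysRun struct{}` with `func (alwaysRun) shouldRun(semver.Version, check.Parameters) bool { return true }` lets each of these be `type health struct{ alwaysRun }` and drops the semver import from files that otherwise never use it. Whether the old `runAlways` helper is deleted elsewhere in the commit is not visible here; if it is, that name could be reused for the embedded type.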
@@ -6,26 +6,31 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/allow-host-entity-egress.yaml - allowHostEntityEgressPolicyYAML string - - hostEntityEgress = factory{ - name: "host-entity-egress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows egress traffic towards the host entity - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowHostEntityEgressPolicyYAML). - WithScenarios(tests.PodToHost()). - WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { - return check.ResultOK, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/allow-host-entity-egress.yaml +var allowHostEntityEgressPolicyYAML string + +type hostEntityEgress struct{} + +func (t hostEntityEgress) name() string { + return "host-entity-egress" +} + +func (t hostEntityEgress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t hostEntityEgress) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows egress traffic towards the host entity + newTest(t.name(), ct). + WithCiliumPolicy(allowHostEntityEgressPolicyYAML). + WithScenarios(tests.PodToHost()). + WithExpectations(func(_ *check.Action) (egress, ingress check.Result) { + return check.ResultOK, check.ResultNone + }) +} diff --git a/connectivity/factory/host_entity_ingress.go b/connectivity/factory/host_entity_ingress.go index 56bca21785..c71a709979 100644 --- a/connectivity/factory/host_entity_ingress.go +++ b/connectivity/factory/host_entity_ingress.go 
@@ -6,23 +6,28 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/allow-host-entity-ingress.yaml - allowHostEntityIngressPolicyYAML string - - hostEntityIngress = factory{ - name: "host-entity-ingress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // This policy allows ingress traffic from the host entity - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(allowHostEntityIngressPolicyYAML). - WithScenarios(tests.HostToPod()) - }, - condition: runAlways, - } -) +//go:embed manifests/allow-host-entity-ingress.yaml +var allowHostEntityIngressPolicyYAML string + +type hostEntityIngress struct{} + +func (t hostEntityIngress) name() string { + return "host-entity-ingress" +} + +func (t hostEntityIngress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t hostEntityIngress) build(ct *check.ConnectivityTest, _ map[string]string) { + // This policy allows ingress traffic from the host entity + newTest(t.name(), ct). + WithCiliumPolicy(allowHostEntityIngressPolicyYAML). + WithScenarios(tests.HostToPod()) +} diff --git a/connectivity/factory/network_perf.go b/connectivity/factory/network_perf.go index 10feb62065..f7ba364fba 100644 --- a/connectivity/factory/network_perf.go +++ b/connectivity/factory/network_perf.go 
@@ -10,12 +10,17 @@ import ( "github.com/cilium/cilium-cli/connectivity/perf/benchmarks/netperf" ) -var networkPerf = factory{ - "network-perf", - func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios(netperf.Netperf("")) - }, - func(_ semver.Version, params check.Parameters) bool { return params.Perf }, +type networkPerf struct{} + +func (t networkPerf) name() string { + return "network-perf" +} + +func (t networkPerf) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.Perf +} + +func (t networkPerf) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithScenarios(netperf.Netperf("")) } diff --git a/connectivity/factory/no_interrupted_connections.go b/connectivity/factory/no_interrupted_connections.go index e000cd4061..abb8d19e2c 100644 --- a/connectivity/factory/no_interrupted_connections.go +++ b/connectivity/factory/no_interrupted_connections.go @@ -10,12 +10,17 @@ import ( "github.com/cilium/cilium-cli/connectivity/tests" ) -var noInterruptedConnections = factory{ - name: "no-interrupted-connections", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios(tests.NoInterruptedConnections()) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeConnDisruptTest }, +type noInterruptedConnections struct{} + +func (t noInterruptedConnections) name() string { + return "no-interrupted-connections" +} + +func (t noInterruptedConnections) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeConnDisruptTest +} + +func (t noInterruptedConnections) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithScenarios(tests.NoInterruptedConnections()) } 
diff --git a/connectivity/factory/no_ipsec_xfrm_errors.go b/connectivity/factory/no_ipsec_xfrm_errors.go index 9e305c76b8..a9f279b070 100644 --- a/connectivity/factory/no_ipsec_xfrm_errors.go +++ b/connectivity/factory/no_ipsec_xfrm_errors.go @@ -11,13 +11,18 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var noIpsecXfrmErrors = factory{ - name: "no-ipsec-xfrm-errors", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireMode(features.EncryptionPod, "ipsec")). - WithScenarios(tests.NoIPsecXfrmErrors(ct.Params().ExpectedXFRMErrors)) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeConnDisruptTest }, +type noIpsecXfrmErrors struct{} + +func (t noIpsecXfrmErrors) name() string { + return "no-ipsec-xfrm-errors" +} + +func (t noIpsecXfrmErrors) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeConnDisruptTest +} + +func (t noIpsecXfrmErrors) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireMode(features.EncryptionPod, "ipsec")). + WithScenarios(tests.NoIPsecXfrmErrors(ct.Params().ExpectedXFRMErrors)) } diff --git a/connectivity/factory/no_policies.go b/connectivity/factory/no_policies.go index dee013ca26..f7260299dc 100644 --- a/connectivity/factory/no_policies.go +++ b/connectivity/factory/no_policies.go 
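Review bot: `shouldRun` gates an IPsec XFRM-error check on `params.IncludeConnDisruptTest`, which is not obviously related; the condition is carried over from the old factory but still has no explanation, and it is identical to the one in noInterruptedConnections just above, so a reader may take it for a copy-paste slip. A comment on the method, e.g. `// XFRM error counters are only checked as part of the connection-disruption run, so this rides on the same flag.` (if that is indeed the reason), would settle it. The `ct.Params().ExpectedXFRMErrors` allowance passed to the scenario is likewise worth a word on what counts as expected.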
@@ -4,26 +4,33 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var noPolicies = factory{ - name: "no-policies", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios( - tests.PodToPod(), - tests.ClientToClient(), - tests.PodToService(), - tests.PodToHostPort(), - tests.PodToWorld(tests.WithRetryAll()), - tests.PodToHost(), - tests.HostToPod(), - tests.PodToExternalWorkload(), - tests.PodToCIDR(tests.WithRetryAll()), - ) - }, - condition: runAlways, +type noPolicies struct{} + +func (t noPolicies) name() string { + return "no-policies" +} + +func (t noPolicies) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t noPolicies) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithScenarios( + tests.PodToPod(), + tests.ClientToClient(), + tests.PodToService(), + tests.PodToHostPort(), + tests.PodToWorld(tests.WithRetryAll()), + tests.PodToHost(), + tests.HostToPod(), + tests.PodToExternalWorkload(), + tests.PodToCIDR(tests.WithRetryAll()), + ) } diff --git a/connectivity/factory/no_policies_extra.go b/connectivity/factory/no_policies_extra.go index d2eb65ae87..2086c85ed0 100644 --- a/connectivity/factory/no_policies_extra.go +++ b/connectivity/factory/no_policies_extra.go 
@@ -4,20 +4,27 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var noPoliciesExtra = factory{ - name: "no-policies-extra", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(withKPRReqForMultiCluster(ct)...). - WithScenarios( - tests.PodToRemoteNodePort(), - tests.PodToLocalNodePort(), - ) - }, - condition: runAlways, +type noPoliciesExtra struct{} + +func (t noPoliciesExtra) name() string { + return "no-policies-extra" +} + +func (t noPoliciesExtra) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t noPoliciesExtra) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements(withKPRReqForMultiCluster(ct)...). + WithScenarios( + tests.PodToRemoteNodePort(), + tests.PodToLocalNodePort(), + ) } diff --git a/connectivity/factory/no_policies_from_outside.go b/connectivity/factory/no_policies_from_outside.go index 735a7d095f..d4747bdb44 100644 --- a/connectivity/factory/no_policies_from_outside.go +++ b/connectivity/factory/no_policies_from_outside.go 
@@ -11,14 +11,19 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var noPoliciesFromOutside = factory{ - name: "no-policies-from-outside", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). - WithIPRoutesFromOutsideToPodCIDRs(). - WithScenarios(tests.FromCIDRToPod()) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.IncludeUnsafeTests }, +type noPoliciesFromOutside struct{} + +func (t noPoliciesFromOutside) name() string { + return "no-policies-from-outside" +} + +func (t noPoliciesFromOutside) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.IncludeUnsafeTests +} + +func (t noPoliciesFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)). + WithIPRoutesFromOutsideToPodCIDRs(). + WithScenarios(tests.FromCIDRToPod()) } diff --git a/connectivity/factory/no_unexpected_packet_drops.go b/connectivity/factory/no_unexpected_packet_drops.go index 6c9054dab3..e199f6ccb9 100644 --- a/connectivity/factory/no_unexpected_packet_drops.go +++ b/connectivity/factory/no_unexpected_packet_drops.go 
@@ -4,17 +4,24 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" ) -var noUnexpectedPacketDrops = factory{ - name: "no-unexpected-packet-drops", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios(tests.NoUnexpectedPacketDrops(ct.Params().ExpectedDropReasons)). - WithSysdumpPolicy(check.SysdumpPolicyOnce) - }, - condition: runAlways, +type noUnexpectedPacketDrops struct{} + +func (t noUnexpectedPacketDrops) name() string { + return "no-unexpected-packet-drops" +} + +func (t noUnexpectedPacketDrops) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t noUnexpectedPacketDrops) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithScenarios(tests.NoUnexpectedPacketDrops(ct.Params().ExpectedDropReasons)). + WithSysdumpPolicy(check.SysdumpPolicyOnce) } diff --git a/connectivity/factory/node_to_node_encryption.go b/connectivity/factory/node_to_node_encryption.go index 5b7a639a84..260e3dc4ea 100644 --- a/connectivity/factory/node_to_node_encryption.go +++ b/connectivity/factory/node_to_node_encryption.go 
@@ -11,19 +11,24 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var nodeToNodeEncryption = factory{ - name: "node-to-node-encryption", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Encryption checks are always executed as a sanity check, asserting whether - // unencrypted packets shall, or shall not, be observed based on the feature set. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithScenarios( - tests.NodeToNodeEncryption( - features.RequireEnabled(features.EncryptionPod), - features.RequireEnabled(features.EncryptionNode), - ), - ) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return !params.SingleNode }, +type nodeToNodeEncryption struct{} + +func (t nodeToNodeEncryption) name() string { + return "node-to-node-encryption" +} + +func (t nodeToNodeEncryption) shouldRun(_ semver.Version, params check.Parameters) bool { + return !params.SingleNode +} + +func (t nodeToNodeEncryption) build(ct *check.ConnectivityTest, _ map[string]string) { + // Encryption checks are always executed as a sanity check, asserting whether + // unencrypted packets shall, or shall not, be observed based on the feature set. + newTest(t.name(), ct). + WithScenarios( + tests.NodeToNodeEncryption( + features.RequireEnabled(features.EncryptionPod), + features.RequireEnabled(features.EncryptionNode), + ), + ) } diff --git a/connectivity/factory/north_south_loadbalancing.go b/connectivity/factory/north_south_loadbalancing.go index deaf2946ea..d5efd8a3dc 100644 --- a/connectivity/factory/north_south_loadbalancing.go +++ b/connectivity/factory/north_south_loadbalancing.go 
@@ -4,20 +4,27 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var northSouthLoadbalancing = factory{ - name: "north-south-loadbalancing", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - withKPRReqForMultiCluster(ct, features.RequireEnabled(features.NodeWithoutCilium))..., - ). - WithScenarios(tests.OutsideToNodePort()) - }, - condition: runAlways, +type northSouthLoadbalancing struct{} + +func (t northSouthLoadbalancing) name() string { + return "north-south-loadbalancing" +} + +func (t northSouthLoadbalancing) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t northSouthLoadbalancing) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements( + withKPRReqForMultiCluster(ct, features.RequireEnabled(features.NodeWithoutCilium))..., + ). + WithScenarios(tests.OutsideToNodePort()) } diff --git a/connectivity/factory/north_south_loadbalancing_with_l7_policy.go b/connectivity/factory/north_south_loadbalancing_with_l7_policy.go index 667060c239..f8573ad511 100644 --- a/connectivity/factory/north_south_loadbalancing_with_l7_policy.go +++ b/connectivity/factory/north_south_loadbalancing_with_l7_policy.go 
@@ -6,30 +6,35 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/echo-ingress-l7-http-from-anywhere.yaml - echoIngressL7HTTPFromAnywherePolicyYAML string - - northSouthLoadbalancingWithL7Policy = factory{ - name: "north-south-loadbalancing-with-l7-policy", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // The following tests have DNS redirect policies. They should be executed last. - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - withKPRReqForMultiCluster(ct, - features.RequireEnabled(features.NodeWithoutCilium), - features.RequireEnabled(features.L7Proxy))..., - ). - WithCiliumVersion(">1.13.2"). - WithCiliumPolicy(echoIngressL7HTTPFromAnywherePolicyYAML). - WithScenarios(tests.OutsideToNodePort()) - }, - condition: runAlways, - } -) +//go:embed manifests/echo-ingress-l7-http-from-anywhere.yaml +var echoIngressL7HTTPFromAnywherePolicyYAML string + +type northSouthLoadbalancingWithL7Policy struct{} + +func (t northSouthLoadbalancingWithL7Policy) name() string { + return "north-south-loadbalancing-with-l7-policy" +} + +func (t northSouthLoadbalancingWithL7Policy) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t northSouthLoadbalancingWithL7Policy) build(ct *check.ConnectivityTest, _ map[string]string) { + // The following tests have DNS redirect policies. They should be executed last. + newTest(t.name(), ct). + WithFeatureRequirements( + withKPRReqForMultiCluster(ct, + features.RequireEnabled(features.NodeWithoutCilium), + features.RequireEnabled(features.L7Proxy))..., + ). + WithCiliumVersion(">1.13.2"). + WithCiliumPolicy(echoIngressL7HTTPFromAnywherePolicyYAML). + WithScenarios(tests.OutsideToNodePort()) +} 
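Review bot: The comment `// The following tests have DNS redirect policies. They should be executed last.` now sits inside the build method of a single test, and nothing in this file can enforce ordering — that depends on where this factory appears in the list passed to injectTests, which is outside this hunk. The policy embedded here is `echo-ingress-l7-http-from-anywhere.yaml`, so the comment should say what this test actually applies and where the order is enforced, e.g. `// Applies an L7 proxy-redirect policy; keep this factory near the end of the injectTests order.` Note also that `shouldRun` now receives the Cilium version yet the `>1.13.2` gate stays in `WithCiliumVersion`; that is probably right if WithCiliumVersion reports a skip while shouldRun silently omits the test, but a comment stating so would prevent a later "cleanup" from moving it.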
diff --git a/connectivity/factory/outside_to_ingress_service.go b/connectivity/factory/outside_to_ingress_service.go index a2cb940510..3d3027110d 100644 --- a/connectivity/factory/outside_to_ingress_service.go +++ b/connectivity/factory/outside_to_ingress_service.go @@ -4,20 +4,27 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var outsideToIngressService = factory{ - name: "outside-to-ingress-service", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - features.RequireEnabled(features.IngressController), - features.RequireEnabled(features.NodeWithoutCilium)). - WithScenarios(tests.OutsideToIngressService()) - }, - condition: runAlways, +type outsideToIngressService struct{} + +func (t outsideToIngressService) name() string { + return "outside-to-ingress-service" +} + +func (t outsideToIngressService) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t outsideToIngressService) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements( + features.RequireEnabled(features.IngressController), + features.RequireEnabled(features.NodeWithoutCilium)). + WithScenarios(tests.OutsideToIngressService()) } diff --git a/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go b/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go index 3ccc59ee82..4bd854b694 100644 --- a/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go +++ b/connectivity/factory/outside_to_ingress_service_deny_all_ingress.go 
@@ -4,25 +4,32 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var outsideToIngressServiceDenyAllIngress = factory{ - name: "outside-to-ingress-service-deny-all-ingress", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - features.RequireEnabled(features.IngressController), - features.RequireEnabled(features.NodeWithoutCilium), - ). - WithCiliumPolicy(denyAllIngressPolicyYAML). - WithScenarios(tests.OutsideToIngressService()). - WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, +type outsideToIngressServiceDenyAllIngress struct{} + +func (t outsideToIngressServiceDenyAllIngress) name() string { + return "outside-to-ingress-service-deny-all-ingress" +} + +func (t outsideToIngressServiceDenyAllIngress) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t outsideToIngressServiceDenyAllIngress) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements( + features.RequireEnabled(features.IngressController), + features.RequireEnabled(features.NodeWithoutCilium), + ). + WithCiliumPolicy(denyAllIngressPolicyYAML). + WithScenarios(tests.OutsideToIngressService()). + WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) } diff --git a/connectivity/factory/outside_to_ingress_service_deny_cidr.go b/connectivity/factory/outside_to_ingress_service_deny_cidr.go index 8d51be4f9b..c2c2c9a9ed 100644 --- a/connectivity/factory/outside_to_ingress_service_deny_cidr.go 
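Review bot: The test applies `denyAllIngressPolicyYAML` but expects `check.ResultDefaultDenyEgressDrop`, and nothing in the file explains why an ingress deny is expected to surface as an egress drop; the same pairing appears in the deny-cidr and deny-world-identity factories. Presumably the verdict is observed on the ingress-controller side of the outside-to-service path rather than at the backend, but the hunk does not say. A comment above `WithExpectations`, such as `// The deny is enforced on the proxy hop towards the backend, so the observed verdict is an egress default-deny drop.` (after confirming that is the actual mechanism), would make the expectation reviewable.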
+++ b/connectivity/factory/outside_to_ingress_service_deny_cidr.go @@ -4,25 +4,32 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var outsideToIngressServiceDenyCidr = factory{ - name: "outside-to-ingress-service-deny-cidr", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - features.RequireEnabled(features.IngressController), - features.RequireEnabled(features.NodeWithoutCilium), - ). - WithCiliumPolicy(templates["denyCIDRPolicyYAML"]). - WithScenarios(tests.OutsideToIngressService()). - WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, +type outsideToIngressServiceDenyCidr struct{} + +func (t outsideToIngressServiceDenyCidr) name() string { + return "outside-to-ingress-service-deny-cidr" +} + +func (t outsideToIngressServiceDenyCidr) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t outsideToIngressServiceDenyCidr) build(ct *check.ConnectivityTest, templates map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements( + features.RequireEnabled(features.IngressController), + features.RequireEnabled(features.NodeWithoutCilium), + ). + WithCiliumPolicy(templates["denyCIDRPolicyYAML"]). + WithScenarios(tests.OutsideToIngressService()). + WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) } diff --git a/connectivity/factory/outside_to_ingress_service_deny_world_identity.go b/connectivity/factory/outside_to_ingress_service_deny_world_identity.go index 0112f987b9..d90df8c53c 100644 
--- a/connectivity/factory/outside_to_ingress_service_deny_world_identity.go +++ b/connectivity/factory/outside_to_ingress_service_deny_world_identity.go 
@@ -6,30 +6,35 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/deny-world-entity.yaml - denyWorldIdentityPolicyYAML string - - outsideToIngressServiceDenyWorldIdentity = factory{ - name: "outside-to-ingress-service-deny-world-identity", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements( - features.RequireEnabled(features.IngressController), - features.RequireEnabled(features.NodeWithoutCilium), - ). - WithCiliumPolicy(denyWorldIdentityPolicyYAML). - WithScenarios(tests.OutsideToIngressService()). - WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { - return check.ResultDefaultDenyEgressDrop, check.ResultNone - }) - }, - condition: runAlways, - } -) +//go:embed manifests/deny-world-entity.yaml +var denyWorldIdentityPolicyYAML string + +type outsideToIngressServiceDenyWorldIdentity struct{} + +func (t outsideToIngressServiceDenyWorldIdentity) name() string { + return "outside-to-ingress-service-deny-world-identity" +} + +func (t outsideToIngressServiceDenyWorldIdentity) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t outsideToIngressServiceDenyWorldIdentity) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements( + features.RequireEnabled(features.IngressController), + features.RequireEnabled(features.NodeWithoutCilium), + ). + WithCiliumPolicy(denyWorldIdentityPolicyYAML). + WithScenarios(tests.OutsideToIngressService()). + WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) { + return check.ResultDefaultDenyEgressDrop, check.ResultNone + }) +} 
diff --git a/connectivity/factory/pod_to_controlplane_host.go b/connectivity/factory/pod_to_controlplane_host.go index f81d0d6c94..97870b75b4 100644 --- a/connectivity/factory/pod_to_controlplane_host.go +++ b/connectivity/factory/pod_to_controlplane_host.go @@ -12,18 +12,21 @@ import ( "github.com/cilium/cilium-cli/connectivity/tests" ) -var ( - //go:embed manifests/client-egress-to-entities-host.yaml - clientEgressToEntitiesHostPolicyYAML string - - podToControlplaneHost = factory{ - name: "pod-to-controlplane-host", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithCiliumPolicy(clientEgressToEntitiesHostPolicyYAML). - WithScenarios(tests.PodToControlPlaneHost()) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.K8sLocalHostTest }, - } -) +//go:embed manifests/client-egress-to-entities-host.yaml +var clientEgressToEntitiesHostPolicyYAML string + +type podToControlplaneHost struct{} + +func (t podToControlplaneHost) name() string { + return "pod-to-controlplane-host" +} + +func (t podToControlplaneHost) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.K8sLocalHostTest +} + +func (t podToControlplaneHost) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithCiliumPolicy(clientEgressToEntitiesHostPolicyYAML). + WithScenarios(tests.PodToControlPlaneHost()) +} diff --git a/connectivity/factory/pod_to_controlplane_host_cidr.go b/connectivity/factory/pod_to_controlplane_host_cidr.go index 5bea682cbc..b113a43e1f 100644 --- a/connectivity/factory/pod_to_controlplane_host_cidr.go +++ b/connectivity/factory/pod_to_controlplane_host_cidr.go 
@@ -11,16 +11,21 @@ import ( "github.com/cilium/cilium-cli/utils/features" ) -var podToControlplaneHostCidr = factory{ - name: "pod-to-controlplane-host-cidr", - build: func(name string, ct *check.ConnectivityTest, templates map[string]string) { - // Check that pods can access when referencing them by CIDR selectors - // (when this feature is enabled). - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)). - WithK8SPolicy(templates["clientEgressToCIDRCPHostPolicyYAML"]). - WithScenarios(tests.PodToControlPlaneHost()) - }, - condition: func(_ semver.Version, params check.Parameters) bool { return params.K8sLocalHostTest }, +type podToControlplaneHostCidr struct{} + +func (t podToControlplaneHostCidr) name() string { + return "pod-to-controlplane-host-cidr" +} + +func (t podToControlplaneHostCidr) shouldRun(_ semver.Version, params check.Parameters) bool { + return params.K8sLocalHostTest +} + +func (t podToControlplaneHostCidr) build(ct *check.ConnectivityTest, templates map[string]string) { + // Check that pods can access when referencing them by CIDR selectors + // (when this feature is enabled). + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)). + WithK8SPolicy(templates["clientEgressToCIDRCPHostPolicyYAML"]). + WithScenarios(tests.PodToControlPlaneHost()) } diff --git a/connectivity/factory/pod_to_ingress_service.go b/connectivity/factory/pod_to_ingress_service.go index 09724b2e39..f2c7d70684 100644 --- a/connectivity/factory/pod_to_ingress_service.go +++ b/connectivity/factory/pod_to_ingress_service.go 
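Review bot: `WithK8SPolicy(templates["clientEgressToCIDRCPHostPolicyYAML"])` applies whatever the map holds, and a missing or misspelled key gives an empty policy; with no `WithExpectations` the test presumably expects success, so it would still pass without ever exercising the CIDR selector it is meant to check. Failing hard when the key is absent (`yaml, ok := templates["clientEgressToCIDRCPHostPolicyYAML"]; if !ok { /* fail */ }`) keeps a template rename from silently turning this into a no-policy test. The existing comment could also note that this variant uses a Kubernetes NetworkPolicy (`WithK8SPolicy`) where its sibling pod-to-controlplane-host uses a CiliumNetworkPolicy, since that is the point of having both.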
@@ -4,19 +4,26 @@ package factory import ( + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var podToIngressService = factory{ - name: "pod-to-ingress-service", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - // Test Ingress controller - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.IngressController)). - WithScenarios(tests.PodToIngress()) - }, - condition: runAlways, +type podToIngressService struct{} + +func (t podToIngressService) name() string { + return "pod-to-ingress-service" +} + +func (t podToIngressService) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t podToIngressService) build(ct *check.ConnectivityTest, _ map[string]string) { + // Test Ingress controller + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.IngressController)). + WithScenarios(tests.PodToIngress()) } diff --git a/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go b/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go index 6961bc60ba..50553a8340 100644 --- a/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go +++ b/connectivity/factory/pod_to_ingress_service_allow_ingress_identity.go 
@@ -6,25 +6,30 @@ package factory import ( _ "embed" + "github.com/blang/semver/v4" + "github.com/cilium/cilium-cli/connectivity/check" "github.com/cilium/cilium-cli/connectivity/tests" "github.com/cilium/cilium-cli/utils/features" ) -var ( - //go:embed manifests/allow-ingress-identity.yaml - allowIngressIdentityPolicyYAML string - - podToIngressServiceAllowIngressIdentity = factory{ - name: "pod-to-ingress-service-allow-ingress-identity", - build: func(name string, ct *check.ConnectivityTest, _ map[string]string) { - test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug) - ct.AddTest(test). - WithFeatureRequirements(features.RequireEnabled(features.IngressController)). - WithCiliumPolicy(denyAllIngressPolicyYAML). - WithCiliumPolicy(allowIngressIdentityPolicyYAML). - WithScenarios(tests.PodToIngress()) - }, - condition: runAlways, - } -) +//go:embed manifests/allow-ingress-identity.yaml +var allowIngressIdentityPolicyYAML string + +type podToIngressServiceAllowIngressIdentity struct{} + +func (t podToIngressServiceAllowIngressIdentity) name() string { + return "pod-to-ingress-service-allow-ingress-identity" +} + +func (t podToIngressServiceAllowIngressIdentity) shouldRun(_ semver.Version, _ check.Parameters) bool { + return true +} + +func (t podToIngressServiceAllowIngressIdentity) build(ct *check.ConnectivityTest, _ map[string]string) { + newTest(t.name(), ct). + WithFeatureRequirements(features.RequireEnabled(features.IngressController)). + WithCiliumPolicy(denyAllIngressPolicyYAML). + WithCiliumPolicy(allowIngressIdentityPolicyYAML). + WithScenarios(tests.PodToIngress()) +} diff --git a/connectivity/factory/pod_to_ingress_service_deny_all.go b/connectivity/factory/pod_to_ingress_service_deny_all.go index 281db011b0..1eecd52cdf 100644 --- a/connectivity/factory/pod_to_ingress_service_deny_all.go +++ b/connectivity/factory/pod_to_ingress_service_deny_all.go 
@@ -4,22 +4,29 @@
 package factory
 import (
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var podToIngressServiceDenyAll = factory{
- name: "pod-to-ingress-service-deny-all",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
- WithCiliumPolicy(denyAllIngressPolicyYAML).
- WithScenarios(tests.PodToIngress()).
- WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
- return check.ResultDefaultDenyEgressDrop, check.ResultNone
- })
- },
- condition: runAlways,
+type podToIngressServiceDenyAll struct{}
+
+func (t podToIngressServiceDenyAll) name() string {
+ return "pod-to-ingress-service-deny-all"
+}
+
+func (t podToIngressServiceDenyAll) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t podToIngressServiceDenyAll) build(ct *check.ConnectivityTest, _ map[string]string) {
+ newTest(t.name(), ct).
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyAllIngressPolicyYAML).
+ WithScenarios(tests.PodToIngress()).
+ WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
 }
diff --git a/connectivity/factory/pod_to_ingress_service_deny_backend_service.go b/connectivity/factory/pod_to_ingress_service_deny_backend_service.go
index 30f4fe3886..0c345777f8 100644
--- a/connectivity/factory/pod_to_ingress_service_deny_backend_service.go
+++ b/connectivity/factory/pod_to_ingress_service_deny_backend_service.go
@@ -6,27 +6,32 @@ package factory
 import (
 _ "embed"
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var (
- //go:embed manifests/deny-ingress-backend.yaml
- denyIngressBackendPolicyYAML string
-
- podToIngressServiceDenyBackendService = factory{
- name: "pod-to-ingress-service-deny-backend-service",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
- WithCiliumPolicy(denyIngressBackendPolicyYAML).
- WithScenarios(tests.PodToIngress()).
- WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
- return check.ResultDefaultDenyEgressDrop, check.ResultNone
- })
- },
- condition: runAlways,
- }
-)
+//go:embed manifests/deny-ingress-backend.yaml
+var denyIngressBackendPolicyYAML string
+
+type podToIngressServiceDenyBackendService struct{}
+
+func (t podToIngressServiceDenyBackendService) name() string {
+ return "pod-to-ingress-service-deny-backend-service"
+}
+
+func (t podToIngressServiceDenyBackendService) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t podToIngressServiceDenyBackendService) build(ct *check.ConnectivityTest, _ map[string]string) {
+ newTest(t.name(), ct).
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressBackendPolicyYAML).
+ WithScenarios(tests.PodToIngress()).
+ WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+}
diff --git a/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go b/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go
index e5e05333a6..533de7bd38 100644
--- a/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go
+++ b/connectivity/factory/pod_to_ingress_service_deny_ingress_identity.go
@@ -6,27 +6,32 @@ package factory
 import (
 _ "embed"
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var (
- //go:embed manifests/deny-ingress-entity.yaml
- denyIngressIdentityPolicyYAML string
-
- podToIngressServiceDenyIngressIdentity = factory{
- name: "pod-to-ingress-service-deny-ingress-identity",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
- WithCiliumPolicy(denyIngressIdentityPolicyYAML).
- WithScenarios(tests.PodToIngress()).
- WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
- return check.ResultDefaultDenyEgressDrop, check.ResultNone
- })
- },
- condition: runAlways,
- }
-)
+//go:embed manifests/deny-ingress-entity.yaml
+var denyIngressIdentityPolicyYAML string
+
+type podToIngressServiceDenyIngressIdentity struct{}
+
+func (t podToIngressServiceDenyIngressIdentity) name() string {
+ return "pod-to-ingress-service-deny-ingress-identity"
+}
+
+func (t podToIngressServiceDenyIngressIdentity) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t podToIngressServiceDenyIngressIdentity) build(ct *check.ConnectivityTest, _ map[string]string) {
+ newTest(t.name(), ct).
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressIdentityPolicyYAML).
+ WithScenarios(tests.PodToIngress()).
+ WithExpectations(func(_ *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+}
diff --git a/connectivity/factory/pod_to_k8s_on_controlplane.go b/connectivity/factory/pod_to_k8s_on_controlplane.go
index 3117b310ea..bfb18e02b9 100644
--- a/connectivity/factory/pod_to_k8s_on_controlplane.go
+++ b/connectivity/factory/pod_to_k8s_on_controlplane.go
@@ -12,18 +12,21 @@ import (
 "github.com/cilium/cilium-cli/connectivity/tests"
 )
-var (
- //go:embed manifests/client-egress-to-entities-k8s.yaml
- clientEgressToEntitiesK8sPolicyYAML string
-
- podToK8sOnControlplane = factory{
- name: "pod-to-k8s-on-controlplane",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithCiliumPolicy(clientEgressToEntitiesK8sPolicyYAML).
- WithScenarios(tests.PodToK8sLocal())
- },
- condition: func(_ semver.Version, params check.Parameters) bool { return params.K8sLocalHostTest },
- }
-)
+//go:embed manifests/client-egress-to-entities-k8s.yaml
+var clientEgressToEntitiesK8sPolicyYAML string
+
+type podToK8sOnControlplane struct{}
+
+func (t podToK8sOnControlplane) name() string {
+ return "pod-to-k8s-on-controlplane"
+}
+
+func (t podToK8sOnControlplane) shouldRun(_ semver.Version, params check.Parameters) bool {
+ return params.K8sLocalHostTest
+}
+
+func (t podToK8sOnControlplane) build(ct *check.ConnectivityTest, _ map[string]string) {
+ newTest(t.name(), ct).
+ WithCiliumPolicy(clientEgressToEntitiesK8sPolicyYAML).
+ WithScenarios(tests.PodToK8sLocal())
+}
diff --git a/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go b/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go
index a62bc45952..07b987f0c0 100644
--- a/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go
+++ b/connectivity/factory/pod_to_k8s_on_controlplane_cidr.go
@@ -11,14 +11,19 @@ import (
 "github.com/cilium/cilium-cli/utils/features"
 )
-var podToK8sOnControlplaneCidr = factory{
- name: "pod-to-k8s-on-controlplane-cidr",
- build: func(name string, ct *check.ConnectivityTest, templates map[string]string) {
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)).
- WithCiliumPolicy(templates["clientEgressToCIDRK8sPolicyKNPYAML"]).
- WithScenarios(tests.PodToK8sLocal())
- },
- condition: func(_ semver.Version, params check.Parameters) bool { return params.K8sLocalHostTest },
+type podToK8sOnControlplaneCidr struct{}
+
+func (t podToK8sOnControlplaneCidr) name() string {
+ return "pod-to-k8s-on-controlplane-cidr"
+}
+
+func (t podToK8sOnControlplaneCidr) shouldRun(_ semver.Version, params check.Parameters) bool {
+ return params.K8sLocalHostTest
+}
+
+func (t podToK8sOnControlplaneCidr) build(ct *check.ConnectivityTest, templates map[string]string) {
+ newTest(t.name(), ct).
+ WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)).
+ WithCiliumPolicy(templates["clientEgressToCIDRK8sPolicyKNPYAML"]).
+ WithScenarios(tests.PodToK8sLocal())
 }
diff --git a/connectivity/factory/pod_to_node_cidrpolicy.go b/connectivity/factory/pod_to_node_cidrpolicy.go
index fa18c9eabe..e045ef4baa 100644
--- a/connectivity/factory/pod_to_node_cidrpolicy.go
+++ b/connectivity/factory/pod_to_node_cidrpolicy.go
@@ -4,21 +4,28 @@
 package factory
 import (
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var podToNodeCidrpolicy = factory{
- name: "pod-to-node-cidrpolicy",
- build: func(name string, ct *check.ConnectivityTest, templates map[string]string) {
- // Check that pods can access nodes when referencing them by CIDR selectors
- // (when this feature is enabled).
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)).
- WithK8SPolicy(templates["clientEgressToCIDRNodeKNPYAML"]).
- WithScenarios(tests.PodToHost())
- },
- condition: runAlways,
+type podToNodeCidrpolicy struct{}
+
+func (t podToNodeCidrpolicy) name() string {
+ return "pod-to-node-cidrpolicy"
+}
+
+func (t podToNodeCidrpolicy) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t podToNodeCidrpolicy) build(ct *check.ConnectivityTest, templates map[string]string) {
+ // Check that pods can access nodes when referencing them by CIDR selectors
+ // (when this feature is enabled).
+ newTest(t.name(), ct).
+ WithFeatureRequirements(features.RequireEnabled(features.CIDRMatchNodes)).
+ WithK8SPolicy(templates["clientEgressToCIDRNodeKNPYAML"]).
+ WithScenarios(tests.PodToHost())
 }
diff --git a/connectivity/factory/pod_to_pod_encryption.go b/connectivity/factory/pod_to_pod_encryption.go
index a9d5850dc6..63c69c4884 100644
--- a/connectivity/factory/pod_to_pod_encryption.go
+++ b/connectivity/factory/pod_to_pod_encryption.go
@@ -11,16 +11,21 @@ import (
 "github.com/cilium/cilium-cli/utils/features"
 )
-var podToPodEncryption = factory{
- name: "pod-to-pod-encryption",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- // Encryption checks are always executed as a sanity check, asserting whether
- // unencrypted packets shall, or shall not, be observed based on the feature set.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithScenarios(
- tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
- )
- },
- condition: func(_ semver.Version, params check.Parameters) bool { return !params.SingleNode },
+type podToPodEncryption struct{}
+
+func (t podToPodEncryption) name() string {
+ return "pod-to-pod-encryption"
+}
+
+func (t podToPodEncryption) shouldRun(_ semver.Version, params check.Parameters) bool {
+ return !params.SingleNode
+}
+
+func (t podToPodEncryption) build(ct *check.ConnectivityTest, _ map[string]string) {
+ // Encryption checks are always executed as a sanity check, asserting whether
+ // unencrypted packets shall, or shall not, be observed based on the feature set.
+ newTest(t.name(), ct).
+ WithScenarios(
+ tests.PodToPodEncryption(features.RequireEnabled(features.EncryptionPod)),
+ )
 }
diff --git a/connectivity/factory/to_cidr_external.go b/connectivity/factory/to_cidr_external.go
index c4ba67a33b..6cf56068f9 100644
--- a/connectivity/factory/to_cidr_external.go
+++ b/connectivity/factory/to_cidr_external.go
@@ -4,29 +4,36 @@
 package factory
 import (
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var toCidrExternal = factory{
- name: "to-cidr-external",
- build: func(name string, ct *check.ConnectivityTest, templates map[string]string) {
- // This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
- exception of ExternalOtherIP.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithCiliumPolicy(templates["clientEgressToCIDRExternalPolicyYAML"]).
- WithScenarios(
- tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)),
- ).
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
- if a.Destination().Address(features.IPFamilyV4) == ct.Params().ExternalOtherIP {
- // Expect packets for ExternalOtherIP to be dropped.
- return check.ResultDropCurlTimeout, check.ResultNone
- }
- return check.ResultOK, check.ResultNone
- })
- },
- condition: runAlways,
+type toCidrExternal struct{}
+
+func (t toCidrExternal) name() string {
+ return "to-cidr-external"
+}
+
+func (t toCidrExternal) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t toCidrExternal) build(ct *check.ConnectivityTest, templates map[string]string) {
+ // This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
+ exception of ExternalOtherIP.
+ newTest(t.name(), ct).
+ WithCiliumPolicy(templates["clientEgressToCIDRExternalPolicyYAML"]).
+ WithScenarios(
+ tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)),
+ ).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Destination().Address(features.IPFamilyV4) == ct.Params().ExternalOtherIP {
+ // Expect packets for ExternalOtherIP to be dropped.
+ return check.ResultDropCurlTimeout, check.ResultNone
+ }
+ return check.ResultOK, check.ResultNone
+ })
 }
diff --git a/connectivity/factory/to_cidr_external_knp.go b/connectivity/factory/to_cidr_external_knp.go
index a463150afe..bb8fec4799 100644
--- a/connectivity/factory/to_cidr_external_knp.go
+++ b/connectivity/factory/to_cidr_external_knp.go
@@ -4,29 +4,36 @@
 package factory
 import (
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var toCidrExternalKnp = factory{
- name: "to-cidr-external-knp",
- build: func(name string, ct *check.ConnectivityTest, templates map[string]string) {
- // This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
- exception of ExternalOtherIP.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithK8SPolicy(templates["clientEgressToCIDRExternalPolicyKNPYAML"]).
- WithScenarios(
- tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)),
- ).
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
- if a.Destination().Address(features.IPFamilyV4) == ct.Params().ExternalOtherIP {
- // Expect packets for ExternalOtherIP to be dropped.
- return check.ResultDropCurlTimeout, check.ResultNone
- }
- return check.ResultOK, check.ResultNone
- })
- },
- condition: runAlways,
+type toCidrExternalKnp struct{}
+
+func (t toCidrExternalKnp) name() string {
+ return "to-cidr-external-knp"
+}
+
+func (t toCidrExternalKnp) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t toCidrExternalKnp) build(ct *check.ConnectivityTest, templates map[string]string) {
+ // This policy allows L3 traffic to ExternalCIDR/24 (including ExternalIP), with the
+ exception of ExternalOtherIP.
+ newTest(t.name(), ct).
+ WithK8SPolicy(templates["clientEgressToCIDRExternalPolicyKNPYAML"]).
+ WithScenarios(
+ tests.PodToCIDR(tests.WithRetryDestIP(ct.Params().ExternalIP)),
+ ).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Destination().Address(features.IPFamilyV4) == ct.Params().ExternalOtherIP {
+ // Expect packets for ExternalOtherIP to be dropped.
+ return check.ResultDropCurlTimeout, check.ResultNone
+ }
+ return check.ResultOK, check.ResultNone
+ })
 }
diff --git a/connectivity/factory/to_entities_world.go b/connectivity/factory/to_entities_world.go
index f749013f12..9afbd679a9 100644
--- a/connectivity/factory/to_entities_world.go
+++ b/connectivity/factory/to_entities_world.go
@@ -6,30 +6,35 @@ package factory
 import (
 _ "embed"
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 )
-var (
- //go:embed manifests/client-egress-to-entities-world.yaml
- clientEgressToEntitiesWorldPolicyYAML string
-
- toEntitiesWorld = factory{
- name: "to-entities-world",
- build: func(name string, ct *check.ConnectivityTest, _ map[string]string) {
- // This policy allows UDP to kube-dns and port 80 TCP to all 'world' endpoints.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithCiliumPolicy(clientEgressToEntitiesWorldPolicyYAML).
- WithScenarios(tests.PodToWorld(tests.WithRetryDestPort(80))).
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
- if a.Destination().Port() == 80 {
- return check.ResultOK, check.ResultNone
- }
- // PodToWorld traffic to port 443 will be dropped by the policy
- return check.ResultDropCurlTimeout, check.ResultNone
- })
- },
- condition: runAlways,
- }
-)
+//go:embed manifests/client-egress-to-entities-world.yaml
+var clientEgressToEntitiesWorldPolicyYAML string
+
+type toEntitiesWorld struct{}
+
+func (t toEntitiesWorld) name() string {
+ return "to-entities-world"
+}
+
+func (t toEntitiesWorld) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t toEntitiesWorld) build(ct *check.ConnectivityTest, _ map[string]string) {
+ // This policy allows UDP to kube-dns and port 80 TCP to all 'world' endpoints.
+ newTest(t.name(), ct).
+ WithCiliumPolicy(clientEgressToEntitiesWorldPolicyYAML).
+ WithScenarios(tests.PodToWorld(tests.WithRetryDestPort(80))).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Destination().Port() == 80 {
+ return check.ResultOK, check.ResultNone
+ }
+ // PodToWorld traffic to port 443 will be dropped by the policy
+ return check.ResultDropCurlTimeout, check.ResultNone
+ })
+}
diff --git a/connectivity/factory/to_fqdns.go b/connectivity/factory/to_fqdns.go
index 1179871348..e7fe4692d3 100644
--- a/connectivity/factory/to_fqdns.go
+++ b/connectivity/factory/to_fqdns.go
@@ -6,54 +6,61 @@ package factory
 import (
 "fmt"
+ "github.com/blang/semver/v4"
+
 "github.com/cilium/cilium-cli/connectivity/check"
 "github.com/cilium/cilium-cli/connectivity/tests"
 "github.com/cilium/cilium-cli/utils/features"
 )
-var toFqdns = factory{
- name: "to-fqdns",
- build: func(name string, ct *check.ConnectivityTest, templates map[string]string) {
- // This policy only allows port 80 to domain-name, default one.one.one.one,. DNS proxy enabled.
- test := check.NewTest(name, ct.Params().Verbose, ct.Params().Debug)
- ct.AddTest(test).
- WithCiliumPolicy(templates["clientEgressToFQDNsCiliumIOPolicyYAML"]).
- WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
- WithScenarios(
- tests.PodToWorld(tests.WithRetryDestPort(80)),
- tests.PodToWorld2(), // resolves cilium.io
- ).
- WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
- if a.Destination().Address(features.IPFamilyAny) == "cilium.io" {
- if a.Destination().Path() == "/" || a.Destination().Path() == "" {
- egress = check.ResultDNSOK
- egress.HTTP = check.HTTP{
- Method: "GET",
- URL: "https://cilium.io",
- }
- // Expect packets for cilium.io / 104.198.14.52 to be dropped.
- return check.ResultDropCurlTimeout, check.ResultNone
+type toFqdns struct{}
+
+func (t toFqdns) name() string {
+ return "to-fqdns"
+}
+
+func (t toFqdns) shouldRun(_ semver.Version, _ check.Parameters) bool {
+ return true
+}
+
+func (t toFqdns) build(ct *check.ConnectivityTest, templates map[string]string) {
+ // This policy only allows port 80 to domain-name, default one.one.one.one,. DNS proxy enabled.
+ newTest(t.name(), ct).
+ WithCiliumPolicy(templates["clientEgressToFQDNsCiliumIOPolicyYAML"]).
+ WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
+ WithScenarios(
+ tests.PodToWorld(tests.WithRetryDestPort(80)),
+ tests.PodToWorld2(), // resolves cilium.io
+ ).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Destination().Address(features.IPFamilyAny) == "cilium.io" {
+ if a.Destination().Path() == "/" || a.Destination().Path() == "" {
+ egress = check.ResultDNSOK
+ egress.HTTP = check.HTTP{
+ Method: "GET",
+ URL: "https://cilium.io",
 }
- // Expect packets for cilium.io / 104.198.14.52 to be dropped.
- return check.ResultDropCurlTimeout, check.ResultNone
+ // Expect packets for cilium.io / 104.198.14.52 to be dropped.
+ return check.ResultDropCurlTimeout, check.ResultNone
 }
+ // Else expect HTTP drop by proxy
+ return check.ResultDNSOKDropCurlHTTPError, check.ResultNone
+ }
- extTarget := ct.Params().ExternalTarget
- if a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(extTarget)) == extTarget {
- if a.Destination().Path() == "/" || a.Destination().Path() == "" {
- egress = check.ResultDNSOK
- egress.HTTP = check.HTTP{
- Method: "GET",
- URL: fmt.Sprintf("http://%s/", extTarget),
- }
- return egress, check.ResultNone
+ extTarget := ct.Params().ExternalTarget
+ if a.Destination().Port() == 80 && a.Destination().Address(features.GetIPFamily(extTarget)) == extTarget {
+ if a.Destination().Path() == "/" || a.Destination().Path() == "" {
+ egress = check.ResultDNSOK
+ egress.HTTP = check.HTTP{
+ Method: "GET",
+ URL: fmt.Sprintf("http://%s/", extTarget),
 }
- // Else expect HTTP drop by proxy
- return check.ResultDNSOKDropCurlHTTPError, check.ResultNone
+ return egress, check.ResultNone
 }
- // No HTTP proxy on other ports
- return check.ResultDNSOKDropCurlTimeout, check.ResultNone
- })
- },
- condition: runAlways,
+ // Else expect HTTP drop by proxy
+ return check.ResultDNSOKDropCurlHTTPError, check.ResultNone
+ }
+ // No HTTP proxy on other ports
+ return check.ResultDNSOKDropCurlTimeout, check.ResultNone
+ })
 }