Add connectivity tests for auth
This adds tests to validate that the auth handling in policy is working.
These tests will only run on clusters with auth enabled on Cilium v1.14.0+.
It uses the always-fail type to test the fail case.
It will also perform a successful test run with mTLS-SPIFFE when enabled.

Signed-off-by: Maartje Eyskens <[email protected]>
meyskens committed Apr 13, 2023
1 parent 2c20333 commit 272f8c6
Showing 5 changed files with 86 additions and 0 deletions.
6 changes: 6 additions & 0 deletions connectivity/check/features.go
Expand Up @@ -59,6 +59,8 @@ const (

FeatureCNP Feature = "cilium-network-policy"
FeatureKNP Feature = "k8s-network-policy"

FeatureAuthMTLSSpiffe Feature = "auth-mtls-spiffe"
)

// FeatureStatus describes the status of a feature. Some features are either
Expand Down Expand Up @@ -199,6 +201,10 @@ func (ct *ConnectivityTest) extractFeaturesFromConfigMap(ctx context.Context, cl
Enabled: cm.Data["enable-endpoint-routes"] == "true",
}

result[FeatureAuthMTLSSpiffe] = FeatureStatus{
Enabled: cm.Data["mesh-auth-mtls-enabled"] == "true",
}

return nil
}

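Review bot: The new `FeatureAuthMTLSSpiffe` constant in the first hunk has no doc comment, and the ConfigMap key that defines it (`mesh-auth-mtls-enabled`) only appears in the second hunk, so a reader of the constant block cannot tell what the feature means without finding extractFeaturesFromConfigMap. Suggest `// FeatureAuthMTLSSpiffe reports whether mutual authentication via mTLS-SPIFFE is enabled, derived from the mesh-auth-mtls-enabled ConfigMap key.` above the constant. The commit description says the tests run only on Cilium v1.14.0+, but there is no version check here; the gate works only because older releases presumably lack that key, which is worth stating in the comment, since a later rename of the key would make the feature read as disabled and silently skip every auth test. extractFeaturesFromConfigMap starts outside the hunk.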
11 changes: 11 additions & 0 deletions connectivity/check/policy.go
Expand Up @@ -202,6 +202,10 @@ func defaultDenyReason(flow *flowpb.Flow) bool {
return flow.GetDropReasonDesc() == flowpb.DropReason_POLICY_DENIED
}

func authRequiredDropReason(flow *flowpb.Flow) bool {
return flow.GetDropReasonDesc() == flowpb.DropReason_AUTH_REQUIRED
}

var (
// ResultNone expects a successful command, don't match any packets.
ResultNone = Result{
Expand Down Expand Up @@ -248,6 +252,13 @@ var (
DropReasonFunc: defaultDropReason,
}

// ResultDropAuthRequired expects a dropped flow with auth required as reason.
ResultDropAuthRequired = Result{
Drop: true,
// IngressDrop: true,
DropReasonFunc: authRequiredDropReason,
}

// ResultAnyReasonEgressDrop expects a dropped flow at Egress and a failed command.
ResultAnyReasonEgressDrop = Result{
Drop: true,
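Review bot: `ResultDropAuthRequired` in the second hunk carries a commented-out `// IngressDrop: true,`, which is dead code that leaves the reader guessing whether the ingress-side check was deliberately left out. If `IngressDrop` constrains the drop direction as its name suggests, the expectation as written accepts an AUTH_REQUIRED drop on either side; either restore the field so the test asserts enforcement at the echo pod's ingress, or replace the line with a comment explaining why the direction is not checked. I cannot see the Result type or the sibling ingress results from this hunk, so the direction semantics are inferred. The `var (` block containing this result starts and ends outside the hunk.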
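--- /dev/null
+++ b/connectivity/manifests/echo-ingress-auth-fail.yaml
@@ -0,0 +1,21 @@
+
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+name: auth-ingress-fail
+namespace: cilium-test
+spec:
+description: "Allow other client to contact echo but fail on auth"
+endpointSelector:
+matchLabels:
+kind: echo
+ingress:
+- fromEndpoints:
+- matchLabels:
+kind: client
+toPorts:
+- ports:
+- port: "8080"
+protocol: TCP
+auth:
+type: always-fail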
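--- /dev/null
+++ b/connectivity/manifests/echo-ingress-mtls.yaml
@@ -0,0 +1,21 @@
+
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+name: auth-ingress
+namespace: cilium-test
+spec:
+description: "Allow other client to contact echo after mTLS"
+endpointSelector:
+matchLabels:
+kind: echo
+ingress:
+- fromEndpoints:
+- matchLabels:
+kind: client
+toPorts:
+- ports:
+- port: "8080"
+protocol: TCP
+auth:
+type: mtls-spiffe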
27 changes: 27 additions & 0 deletions connectivity/suite.go
Expand Up @@ -135,6 +135,12 @@ var (

//go:embed manifests/echo-ingress-icmp-deny.yaml
echoIngressICMPDenyPolicyYAML string

//go:embed manifests/echo-ingress-auth-fail.yaml
echoIngressAuthFailPolicyYAML string

//go:embed manifests/echo-ingress-mtls.yaml
echoIngressMTLSPolicyYAML string
)

var (
Expand Down Expand Up @@ -824,6 +830,27 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
return check.ResultCurlHTTPError, check.ResultNone // if the header is not set the request will get a 401
})

// Test mTLS auth with always-fail
ct.NewTest("echo-ingress-auth-always-fail").WithPolicy(echoIngressAuthFailPolicyYAML).
// this test is only useful when auth is supported in the Cilium version and it is enabled
// currently this is tested my mtls-spiffe as that is the only functional auth method
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureAuthMTLSSpiffe)).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
return check.ResultDropCurlTimeout, check.ResultDropAuthRequired
})

// Test mTLS auth with SPIFFE
ct.NewTest("echo-ingress-auth-mtls-spiffe").WithPolicy(echoIngressMTLSPolicyYAML).
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureAuthMTLSSpiffe)).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
)

// Only allow UDP:53 to kube-dns, no DNS proxy enabled.
ct.NewTest("dns-only").WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
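Review bot: The `echo-ingress-auth-mtls-spiffe` test in the second hunk declares no `WithExpectations`, so it relies on whatever NewTest defaults to; if that default is plain success, the test also passes on a cluster where the policy's `auth` block is ignored, so it proves reachability rather than that mTLS was actually negotiated. Consider stating the expected result explicitly, and, if the Hubble flow exposes the auth type that was used, asserting it so the positive case is tied to an authentication rather than to connectivity alone; the always-fail test covers the enforcement path, but the two together still do not show that a successful handshake happened. The comment on the always-fail test also has a typo, `// currently this is tested by mtls-spiffe as that is the only functional auth method`. Run starts and ends outside the hunk.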
