Connectivity test builder component implemented.
Signed-off-by: viktor-kurchenko <[email protected]>
viktor-kurchenko authored and tklauser committed Mar 5, 2024
1 parent b922331 commit 486eb99
Showing 142 changed files with 2,493 additions and 1,300 deletions.
17 changes: 17 additions & 0 deletions CODEOWNERS
Expand Up @@ -31,6 +31,23 @@
/connectivity/check/ipcache.go @cilium/ipcache
/connectivity/check/metrics*.go @cilium/metrics
/connectivity/check/policy.go @cilium/sig-policy
/connectivity/builder/** @cilium/ci-structure
/connectivity/builder/all_ingress_deny_from_outside.go @cilium/sig-encryption
/connectivity/builder/cluster_entity_multi_cluster.go @cilium/sig-clustermesh
/connectivity/builder/dns_only.go @cilium/sig-clustermesh
/connectivity/builder/echo_ingress.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_auth_always_fail.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_from_other_client_deny.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_from_outside.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_knp.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_l7.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_l7_named_port.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_mutual_auth_spiffe.go @cilium/sig-servicemesh
/connectivity/builder/egress_gateway.go @cilium/egress-gateway
/connectivity/builder/egress_gateway_excluded_cidrs.go @cilium/egress-gateway
/connectivity/builder/no_ipsec_xfrm_errors.go @cilium/sig-encryption
/connectivity/builder/node_to_node_encryption.go @cilium/sig-encryption
/connectivity/builder/pod_to_pod_encryption.go @cilium/sig-encryption
/connectivity/tests/egressgateway.go @cilium/egress-gateway
/connectivity/tests/encryption.go @cilium/sig-encryption
/connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
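--- a/connectivity/builder/all_egress_deny.go
+++ b/connectivity/builder/all_egress_deny.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-egress.yaml
+var denyAllEgressPolicyYAML string
+
+type allEgressDeny struct{}
+
+func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all egresses by default
+newTest("all-egress-deny", ct).
+WithCiliumPolicy(denyAllEgressPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToPodWithEndpoints(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+}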
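Review bot: The receiver name `t` in `func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string)` is never used in the body; Go convention is to omit an unused receiver name, `func (allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {`. The same unused receiver appears in every builder file of this commit (all_egress_deny_knp.go, all_entities_deny.go, all_ingress_deny.go, all_ingress_deny_from_outside.go, all_ingress_deny_knp.go, allow_all_except_world.go, allow_all_with_metrics_check.go). The in-body comment describing the policy would also serve readers better as a doc comment on the type, e.g. `// allEgressDeny builds the all-egress-deny test: a Cilium policy that denies all egress by default, so pod-to-pod traffic is expected to be dropped on the egress side.`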
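--- a/connectivity/builder/all_egress_deny_knp.go
+++ b/connectivity/builder/all_egress_deny_knp.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-egress-knp.yaml
+var denyAllEgressPolicyKNPYAML string
+
+type allEgressDenyKnp struct{}
+
+func (t allEgressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all egresses by default using KNP.
+newTest("all-egress-deny-knp", ct).
+WithK8SPolicy(denyAllEgressPolicyKNPYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToPodWithEndpoints(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+}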
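--- a/connectivity/builder/all_entities_deny.go
+++ b/connectivity/builder/all_entities_deny.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-entities.yaml
+var denyAllEntitiesPolicyYAML string
+
+type allEntitiesDeny struct{}
+
+func (t allEntitiesDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all entities by default
+newTest("all-entities-deny", ct).
+WithCiliumPolicy(denyAllEntitiesPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToCIDR(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultPolicyDenyEgressDrop, check.ResultNone
+})
+}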
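Review bot: The expected egress result in the `WithExpectations` closure is `check.ResultPolicyDenyEgressDrop`, whereas the otherwise parallel all_egress_deny.go and all_egress_deny_knp.go expect `check.ResultDefaultDenyEgressDrop`, and nothing in the file explains the difference. Presumably deny-all-entities.yaml carries an explicit deny rule while the deny-all-egress manifests merely omit allow rules, but the manifests are not in this hunk, so that is inferred. A short comment on the return line, `// Explicit deny rule: the drop is reported as a policy deny, not a default deny`, would stop a future reader from "harmonizing" one expectation with the other; confirm the reason against the manifest before wording it as fact.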
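--- a/connectivity/builder/all_ingress_deny.go
+++ b/connectivity/builder/all_ingress_deny.go
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+type allIngressDeny struct{}
+
+func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all ingresses by default.
+//
+// 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
+// but then at the destination there is ingress policy that denies the traffic.
+// 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
+// then when replies come back, they are considered as "replies" to the outbound connection.
+// so they are not subject to ingress policy.
+newTest("all-ingress-deny", ct).
+WithCiliumPolicy(denyAllIngressPolicyYAML).
+WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}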
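Review bot: The expectation closure at the end of the hunk, which compares `a.Destination().Address(...)` against `ct.Params().ExternalOtherIP` and `ct.Params().ExternalIP` to decide whether the target is external, is repeated verbatim in all_ingress_deny_from_outside.go and all_ingress_deny_knp.go. A package-level helper would keep the three tests in step if the external-IP handling ever changes, and gives the condition a name. Separately, `denyAllIngressPolicyYAML` is used here but not embedded in this file, unlike `denyAllEgressPolicyYAML` in all_egress_deny.go; it must be declared in another file of the package, which is fine, but a one-line comment saying where it lives would help the next reader.
```go
// isExternalTarget reports whether the action's destination is one of the
// external IPs configured in the test parameters.
func isExternalTarget(ct *check.ConnectivityTest, a *check.Action) bool {
	return a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
		a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP
}

// … unchanged: build() up to WithScenarios(...) …
		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
			if isExternalTarget(ct, a) {
				return check.ResultOK, check.ResultNone
			}
			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
		})
```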
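--- a/connectivity/builder/all_ingress_deny_from_outside.go
+++ b/connectivity/builder/all_ingress_deny_from_outside.go
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+type allIngressDenyFromOutside struct{}
+
+func (t allIngressDenyFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) {
+newTest("all-ingress-deny-from-outside", ct).
+WithCondition(func() bool { return ct.Params().IncludeUnsafeTests }).
+WithCiliumPolicy(denyAllIngressPolicyYAML).
+WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)).
+WithIPRoutesFromOutsideToPodCIDRs().
+WithScenarios(tests.FromCIDRToPod()).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}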
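Review bot: This is the only builder in the commit whose `build` body carries no comment describing the scenario, and it is also the only one gated by `ct.Params().IncludeUnsafeTests`; why it counts as unsafe is left to the reader. The `WithIPRoutesFromOutsideToPodCIDRs()` call suggests the test installs routes on the node outside the cluster, which would justify the gate, but that is inferred from the name rather than visible here. Suggest a comment above `newTest(...)` along the lines of `// Applies deny-all-ingress and probes pods from the node without Cilium. Gated behind IncludeUnsafeTests because the test changes routing on that node (WithIPRoutesFromOutsideToPodCIDRs).`, after confirming that is indeed the reason.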
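--- a/connectivity/builder/all_ingress_deny_knp.go
+++ b/connectivity/builder/all_ingress_deny_knp.go
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+//go:embed manifests/deny-all-ingress-knp.yaml
+var denyAllIngressPolicyKNPYAML string
+
+type allIngressDenyKnp struct{}
+
+func (t allIngressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all ingresses by default
+newTest("all-ingress-deny-knp", ct).
+WithK8SPolicy(denyAllIngressPolicyKNPYAML).
+WithScenarios(
+// Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
+// but then at the destination there is ingress policy that denies the traffic.
+tests.PodToPod(),
+// Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
+// then when replies come back, they are considered as "replies" to the outbound connection.
+// so they are not subject to ingress policy.
+tests.PodToCIDR(tests.WithRetryAll()),
+).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}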
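--- a/connectivity/builder/allow_all_except_world.go
+++ b/connectivity/builder/allow_all_except_world.go
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/allow-all-except-world.yaml
+var allowAllExceptWorldPolicyYAML string
+
+type allowAllExceptWorld struct{}
+
+func (t allowAllExceptWorld) build(ct *check.ConnectivityTest, _ map[string]string) {
+// Test with an allow-all-except-world (and unmanaged) policy.
+newTest("allow-all-except-world", ct).
+WithCiliumPolicy(allowAllExceptWorldPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.ClientToClient(),
+tests.PodToService(),
+// We are skipping the following checks because NodePort is
+// intended to be used for N-S traffic, which conflicts with
+// policies. See GH-17144.
+// tests.PodToRemoteNodePort(),
+// tests.PodToLocalNodePort(),
+tests.PodToHost(),
+tests.PodToExternalWorkload(),
+)
+}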
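Review bot: None of the scenarios in the `WithScenarios(...)` list sends traffic to the world, and the test sets no `WithExpectations`, so the allow-all-except-world policy is exercised only on its allow side; the deny half that gives the test its name is never asserted here, and a regression that let world traffic through would pass this test. If the drop is verified by another test, a comment saying so, e.g. `// The world-deny side of this policy is covered by <test name>.`, would make that explicit; otherwise a world-bound scenario with a drop expectation (compare the `tests.PodToCIDR()` usage in all_entities_deny.go) seems to be missing. Which default expectation `newTest` applies when none is set is not visible in this hunk, so the above is hedged on that.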
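--- a/connectivity/builder/allow_all_with_metrics_check.go
+++ b/connectivity/builder/allow_all_with_metrics_check.go
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+type allowAllWithMetricsCheck struct{}
+
+func (t allowAllWithMetricsCheck) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy allows traffic pod to pod and checks if the metric cilium_forward_count_total increases on cilium agent.
+newTest("allow-all-with-metrics-check", ct).
+WithScenarios(tests.PodToPod()).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total"),
+check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")
+})
+}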
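Review bot: The comment `// This policy allows traffic pod to pod ...` is misleading: this builder installs no policy (there is no `WithCiliumPolicy` or `WithK8SPolicy` call), so the traffic is allowed because nothing restricts it, not because of a policy. Suggest `// No policy is applied; pod-to-pod traffic is allowed and the test asserts that cilium_forward_count_total on the agent increases.` The closure also constructs the same `check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")` value twice; `r := check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")` followed by `return r, r` reads more clearly, provided `check.Result` is a plain value that is safe to return for both sides, which cannot be confirmed from this hunk.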