connectivity: add test for accessing NodePort from outside with L7 policy

This test case covers cilium/cilium#21954. The
test is for accessing NodePort from outside with L7 policy.

The echo-ingress-l7-http policy is updated to allow HTTP GET from outside,
instead of only from 'other' client pods.

Use `cilium connectivity test --test north-south-loadbalancing --datapath`
to run this test.

Signed-off-by: Zhichuan Liang <[email protected]>
jschwinger233 committed Apr 27, 2023
1 parent cbbecbb commit 4a7ea58
Showing 2 changed files with 9 additions and 1 deletion.
4 changes: 3 additions & 1 deletion connectivity/manifests/echo-ingress-l7-http.yaml
Expand Up @@ -9,9 +9,11 @@ spec:
matchLabels:
kind: echo
ingress:
# Only allow 'other' client to make a GET /public requests.
# Only allow 'other' client or world to make a GET /public requests.
# Allow GET /private' only if a particular HTTP header is set.
# Disallow L3 traffic for now, flow matcher doesn't yet support L7 drops.
- fromEntities:
- world
- fromEndpoints:
- matchLabels:
other: client
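Review bot: The new `- fromEntities:` / `- world` entry appears, as rendered here, as its own list item ahead of `- fromEndpoints:`, which would make it a separate ingress rule with no port or HTTP rules attached in the lines shown. Please confirm that traffic from world is actually limited to GET /public as the updated comment says, rather than allowed at L3, which the "Disallow L3 traffic for now" comment line rules out. If both sources are meant to share the same L7 rules, list them in one rule or repeat the HTTP rules under the world entry. Since this manifest is shared, a dedicated policy for the NodePort test would keep any other test that loads it from also admitting out-of-cluster sources. Minor: the comment reads "a GET /public requests" and has a stray apostrophe after /private.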
6 changes: 6 additions & 0 deletions connectivity/suite.go
Expand Up @@ -192,6 +192,12 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
WithScenarios(
tests.OutsideToNodePort(),
)
ct.NewTest("north-south-loadbalancing-with-l7-policy").
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureNodeWithoutCilium)).
WithCiliumPolicy(echoIngressL7HTTPPolicyYAML).
WithScenarios(
tests.OutsideToNodePort(),
)
ct.NewTest("pod-to-pod-encryption").
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureEncryptionPod)).
WithScenarios(
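Review bot: The new north-south-loadbalancing-with-l7-policy test only runs `tests.OutsideToNodePort()` under the policy and sets no explicit expectation in the lines shown, so it would also pass if the L7 policy were not enforced at all for traffic arriving from outside. Consider adding a request from outside that the policy should reject, or an assertion that the L7 rules were applied to the allowed request, so the test fails when enforcement is bypassed. A short comment naming cilium/cilium#21954 next to the test would also record why it exists.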