connectivity: introduce host firewall tests
Introduce two new tests covering the host firewall functionality, i.e.,
asserting that both ingress and egress CiliumClusterwideNetworkPolicies
specifying a NodeSelector correctly block the expected traffic. The
tests are executed only when unsafe tests are enabled, as they are
potentially disruptive if executed against a live cluster.

Original commit by Marco Iorio
7a928d6
has been accidentally dropped by the following commit during merge
486eb99

Signed-off-by: viktor-kurchenko <[email protected]>
viktor-kurchenko committed Apr 11, 2024
1 parent f4a02ed commit 627653b
Showing 4 changed files with 65 additions and 0 deletions.
2 changes: 2 additions & 0 deletions connectivity/builder/builder.go
Expand Up @@ -143,6 +143,8 @@ var (
outsideToIngressServiceDenyWorldIdentity{},
outsideToIngressServiceDenyCidr{},
outsideToIngressServiceDenyAllIngress{},
hostFirewallIngress{},
hostFirewallEgress{},
dnsOnly{},
toFqdns{},
podToControlplaneHost{},
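--- /dev/null
+++ b/connectivity/builder/host_firewall_egress.go
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+//go:embed manifests/host-firewall-egress.yaml
+var hostFirewallEgressPolicyYAML string
+
+type hostFirewallEgress struct{}
+
+func (t hostFirewallEgress) build(ct *check.ConnectivityTest, _ map[string]string) {
+newTest("host-firewall-egress", ct).
+WithCondition(func() bool { return ct.Params().IncludeUnsafeTests }).
+WithFeatureRequirements(features.RequireEnabled(features.HostFirewall)).
+WithCiliumClusterwidePolicy(hostFirewallEgressPolicyYAML).
+WithScenarios(tests.HostToPod()).
+WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+if a.Destination().HasLabel("name", "echo-other-node") {
+return check.ResultPolicyDenyEgressDrop, check.ResultOK
+}
+return check.ResultOK, check.ResultOK
+})
+}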
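Review bot: The `//go:embed manifests/host-firewall-egress.yaml` directive on the `var hostFirewallEgressPolicyYAML` line references a manifest that is not among the four files changed by this commit; since the description says the original commit was lost in a merge, confirm that `connectivity/builder/manifests/host-firewall-egress.yaml` is present at HEAD, otherwise the package fails to compile. The expectation function treats only destinations labelled `name=echo-other-node` as denied and every other host-to-pod flow as allowed, which also (usefully) asserts that the cluster-wide policy does not over-block same-node or other egress; that intent is worth recording on the type, which has no doc comment: `// hostFirewallEgress verifies that an egress CCNP selecting nodes drops host-originated traffic to echo pods on other nodes while leaving remaining host egress unaffected.` Because a host-firewall CCNP applies to the nodes themselves, the `IncludeUnsafeTests` condition is the only guard against disrupting a live cluster's node connectivity, so keep that gate even if the feature requirement changes.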
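--- /dev/null
+++ b/connectivity/builder/host_firewall_ingress.go
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+//go:embed manifests/host-firewall-ingress.yaml
+var hostFirewallIngressPolicyYAML string
+
+type hostFirewallIngress struct{}
+
+func (t hostFirewallIngress) build(ct *check.ConnectivityTest, _ map[string]string) {
+newTest("host-firewall-ingress", ct).
+WithCondition(func() bool { return ct.Params().IncludeUnsafeTests }).
+WithFeatureRequirements(features.RequireEnabled(features.HostFirewall)).
+WithCiliumClusterwidePolicy(hostFirewallIngressPolicyYAML).
+WithScenarios(tests.PodToHost()).
+WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+if a.Source().HasLabel("name", "client") {
+return check.ResultOK, check.ResultPolicyDenyIngressDrop
+}
+return check.ResultOK, check.ResultOK
+})
+}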
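Review bot: As with the egress variant, `//go:embed manifests/host-firewall-ingress.yaml` points at a file that is not part of this commit's four changed files; verify the manifest survived the merge that dropped the Go sources, since a missing embed target is a compile error. The expectation keys the deny solely on `a.Source().HasLabel("name", "client")`, so the correctness of the test depends on the (unseen) CCNP selecting pods by exactly that label; if `HasLabel` is an exact match, a second client pod with a different `name` value is presumably expected to reach the host, which the CCNP must not accidentally cover. Spell that coupling out on the type: `// hostFirewallIngress verifies that an ingress CCNP selecting nodes drops pod-to-host traffic from pods labelled name=client and nothing else.`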
1 change: 1 addition & 0 deletions connectivity/check/test.go
Expand Up @@ -63,6 +63,7 @@ func NewTest(name string, verbose bool, debug bool) *Test {
name: name,
scenarios: make(map[Scenario][]*Action),
cnps: make(map[string]*ciliumv2.CiliumNetworkPolicy),
ccnps: make(map[string]*ciliumv2.CiliumClusterwideNetworkPolicy),
knps: make(map[string]*networkingv1.NetworkPolicy),
cegps: make(map[string]*ciliumv2.CiliumEgressGatewayPolicy),
verbose: verbose,
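Review bot: Initializing `ccnps` in NewTest presumably fixes a nil-map write in `WithCiliumClusterwidePolicy` (assigning into a nil Go map panics), which is consistent with the two new tests being the first callers; however any other path that constructs a `Test` without going through `NewTest` would still panic. A more robust fix is to lazily initialize in the setter as well, `if t.ccnps == nil { t.ccnps = make(map[string]*ciliumv2.CiliumClusterwideNetworkPolicy) }`, so the map's existence does not depend on the constructor. NewTest starts before and continues after this hunk.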
