connectivity: add egress-gateway-with-l7-policy test
egress-gateway-with-l7-policy checks that traffic from Pods that
are selected by both an Egress Gateway Policy and an L7 Network Policy
is properly SNATed with an Egress IP.

Signed-off-by: Yusuke Suzuki <[email protected]>
ysksuzuki authored and julianwiedmann committed Jun 6, 2024
1 parent 77cedeb commit 79dc975
Showing 5 changed files with 92 additions and 0 deletions.
1 change: 1 addition & 0 deletions CODEOWNERS
Expand Up @@ -45,6 +45,7 @@
/connectivity/builder/echo_ingress_mutual_auth_spiffe.go @cilium/sig-servicemesh
/connectivity/builder/egress_gateway.go @cilium/egress-gateway
/connectivity/builder/egress_gateway_excluded_cidrs.go @cilium/egress-gateway
/connectivity/builder/egress_gateway_with_l7_policy.go @cilium/egress-gateway
/connectivity/builder/no_ipsec_xfrm_errors.go @cilium/sig-encryption
/connectivity/builder/node_to_node_encryption.go @cilium/sig-encryption
/connectivity/builder/pod_to_pod_encryption.go @cilium/sig-encryption
1 change: 1 addition & 0 deletions connectivity/builder/builder.go
Expand Up @@ -209,6 +209,7 @@ func concurrentTests(connTests []*check.ConnectivityTest) error {
nodeToNodeEncryption{},
egressGateway{},
egressGatewayExcludedCidrs{},
egressGatewayWithL7Policy{},
podToNodeCidrpolicy{},
northSouthLoadbalancingWithL7Policy{},
echoIngressL7{},
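--- a/connectivity/builder/egress_gateway_with_l7_policy.go
+++ b/connectivity/builder/egress_gateway_with_l7_policy.go
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium/pkg/versioncheck"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+//go:embed manifests/client-egress-icmp.yaml
+var clientEgressICMPYAML string
+
+//go:embed manifests/client-egress-l7-http-external-node.yaml
+var clientEgressL7HTTPExternalYAML string
+
+type egressGatewayWithL7Policy struct{}
+
+func (t egressGatewayWithL7Policy) build(ct *check.ConnectivityTest, _ map[string]string) {
+newTest("egress-gateway-with-l7-policy", ct).
+WithCondition(func() bool {
+return versioncheck.MustCompile(">=1.16.0")(ct.CiliumVersion) && ct.Params().IncludeUnsafeTests
+}).
+WithCiliumPolicy(clientEgressICMPYAML).
+WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only
+WithCiliumPolicy(clientEgressL7HTTPExternalYAML). // L7 allow policy with HTTP introspection
+WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
+Name: "cegp-sample-client",
+PodSelectorKind: "client",
+}).
+WithCiliumEgressGatewayPolicy(check.CiliumEgressGatewayPolicyParams{
+Name: "cegp-sample-echo",
+PodSelectorKind: "echo",
+}).
+WithIPRoutesFromOutsideToPodCIDRs().
+WithFeatureRequirements(
+features.RequireEnabled(features.EgressGateway),
+features.RequireEnabled(features.L7Proxy),
+features.RequireEnabled(features.NodeWithoutCilium),
+).
+WithScenarios(tests.EgressGateway())
+}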
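Review bot: The new `egressGatewayWithL7Policy` type carries no doc comment, so the purpose given in the commit message is invisible in the code; add `// egressGatewayWithL7Policy checks that traffic from pods selected by both an Egress Gateway Policy and an L7 network policy is still SNATed with the egress IP.` above `type egressGatewayWithL7Policy struct{}`. The `WithCondition` closure also calls `versioncheck.MustCompile(">=1.16.0")` on every evaluation; a `Must` helper that panics on a bad constraint belongs at package scope, e.g. `var egressGatewayWithL7PolicyMinVersion = versioncheck.MustCompile(">=1.16.0")`, with the closure reduced to `return egressGatewayWithL7PolicyMinVersion(ct.CiliumVersion) && ct.Params().IncludeUnsafeTests`. The gating on `IncludeUnsafeTests` is left unexplained; presumably it is because `WithIPRoutesFromOutsideToPodCIDRs` changes routes on the node without Cilium, and if so a one-line comment on the condition should say so.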
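--- a/connectivity/builder/manifests/client-egress-icmp.yaml
+++ b/connectivity/builder/manifests/client-egress-icmp.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+name: client-egress-icmp
+spec:
+description: "Allow clients to send ICMP"
+endpointSelector:
+matchLabels:
+kind: client
+egress:
+- icmps:
+- fields:
+- type: 8
+family: IPv4
+- type: 128
+family: IPv6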
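Review bot: The two new manifests select the client pods with different label keys: this file uses `kind: client` under `matchLabels`, while `client-egress-l7-http-external-node.yaml` uses `any:kind: client`. Both forms may match the same pods, but a reader cannot tell whether the difference is deliberate; use one form in both manifests or comment the reason. This manifest also lacks the explanatory header comment its sibling has; a line such as `# Allow client pods to send ICMP echo requests (IPv4 type 8, IPv6 type 128) used by the egress gateway scenario.` would record why the rule exists — confirm the scenario does rely on ICMP before stating it.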
@@ -0,0 +1,26 @@
---
# All clients are allowed to contact
# echo-external-node.cilium-test.svc.cluster.local/client-ip
# on port http-8080.
# The toFQDNs section relies on DNS introspection being performed by
# the client-egress-only-dns policy.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: client-egress-l7-http-external-node
spec:
description: "Allow GET echo-external-node.cilium-test.svc.cluster.local:8080/client-ip"
endpointSelector:
matchLabels:
any:kind: client
egress:
- toFQDNs:
- matchName: "echo-external-node.cilium-test.svc.cluster.local"
toPorts:
- ports:
- port: "8080"
protocol: TCP
rules:
http:
- method: GET
path: /client-ip
