
connectivity: introduce host firewall tests
Introduce two new tests covering the host firewall functionality, i.e.,
asserting that both ingress and egress CiliumClusterwideNetworkPolicies
specifying a NodeSelector correctly block the expected traffic. The
tests are executed only when unsafe tests are enabled, as they are
potentially disruptive if executed against a live cluster.

Signed-off-by: Marco Iorio <[email protected]>
giorio94 authored and nathanjsweet committed Feb 23, 2024
1 parent 6349fd4 commit 7a928d6
Showing 3 changed files with 66 additions and 0 deletions.
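--- a/connectivity/manifests/host-firewall-egress.yaml
+++ b/connectivity/manifests/host-firewall-egress.yaml
@@ -0,0 +1,18 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "host-firewall-egress"
+spec:
+  nodeSelector: {}
+  egress:
+  - toEntities:
+    - health
+    - kube-apiserver
+    - remote-node
+    - world
+  - toEndpoints:
+    - matchExpressions:
+      - key: name
+        operator: NotIn
+        values:
+        - echo-other-node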
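Review bot: `nodeSelector: {}` puts this egress policy on every node in the cluster for as long as the test holds it, and since only an `egress` section is present, node egress becomes an allow-list of the four entities plus pods not labelled `name=echo-other-node`; any node traffic falling outside that list is presumably dropped too, which is why the Go side gates it behind unsafe tests. None of that is explained in the manifest, so a header comment would help: `# Test-only policy: selects every node; allows all node egress except to pods labelled name=echo-other-node (any namespace). world/remote-node keep external and inter-node traffic working while applied.`. Worth noting in that comment that, as with Kubernetes label selectors, `NotIn` also matches endpoints that lack the `name` key entirely, so unlabelled pods stay reachable.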
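--- a/connectivity/manifests/host-firewall-ingress.yaml
+++ b/connectivity/manifests/host-firewall-ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: "host-firewall-ingress"
+spec:
+  nodeSelector: {}
+  ingress:
+  - fromEntities:
+    - health
+    - kube-apiserver
+    - remote-node
+    - world
+  - fromEndpoints:
+    - matchExpressions:
+      - key: name
+        operator: NotIn
+        values:
+        - client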
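Review bot: The `fromEntities` allow-list includes `world`, so while this policy is applied every node accepts any traffic from outside the cluster, and the only thing denied is pods labelled `name=client` — the `fromEndpoints` selector has no namespace restriction, and `NotIn` (as with Kubernetes label selectors) also matches endpoints with no `name` label at all. That is acceptable for a test fixture, but a cluster-wide policy with `nodeSelector: {}` is easy to mistake for a hardening template, so the manifest should say what it is: `# Test-only policy: selects every node; admits world, remote-node, health and kube-apiserver plus every pod except those labelled name=client (any namespace). Not a hardening baseline.`. Whether `world` is required for the test traffic itself or only to avoid locking operators out of the nodes is not visible from this commit and would be worth stating in that comment.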
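--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -188,6 +188,12 @@ var (
 
 	//go:embed manifests/echo-ingress-mutual-authentication.yaml
 	echoIngressMutualAuthPolicyYAML string
+
+	//go:embed manifests/host-firewall-ingress.yaml
+	hostFirewallIngressPolicyYAML string
+
+	//go:embed manifests/host-firewall-egress.yaml
+	hostFirewallEgressPolicyYAML string
 )
 
 var (
@@ -1144,6 +1150,30 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, extra Hooks) error {
 			return check.ResultDefaultDenyEgressDrop, check.ResultNone
 		})
 
+	if ct.Params().IncludeUnsafeTests {
+		ct.NewTest("host-firewall-ingress").
+			WithFeatureRequirements(features.RequireEnabled(features.HostFirewall)).
+			WithCiliumClusterwidePolicy(hostFirewallIngressPolicyYAML).
+			WithScenarios(tests.PodToHost()).
+			WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+				if a.Source().HasLabel("name", "client") {
+					return check.ResultOK, check.ResultPolicyDenyIngressDrop
+				}
+				return check.ResultOK, check.ResultOK
+			})
+
+		ct.NewTest("host-firewall-egress").
+			WithFeatureRequirements(features.RequireEnabled(features.HostFirewall)).
+			WithCiliumClusterwidePolicy(hostFirewallEgressPolicyYAML).
+			WithScenarios(tests.HostToPod()).
+			WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+				if a.Destination().HasLabel("name", "echo-other-node") {
+					return check.ResultPolicyDenyEgressDrop, check.ResultOK
+				}
+				return check.ResultOK, check.ResultOK
+			})
+	}
+
 	// Only allow UDP:53 to kube-dns, no DNS proxy enabled.
 	ct.NewTest("dns-only").WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).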
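Review bot: The `if ct.Params().IncludeUnsafeTests {` guard opening the second hunk carries no comment on why these two tests are unsafe when the neighbouring policy tests are not; the reason — both CCNPs use `nodeSelector: {}` and so temporarily allow-list ingress or egress on every node — exists only in the commit message and will be lost to anyone reading the suite. Suggest `// Both host-firewall policies select every node and temporarily restrict node ingress/egress; only run them when unsafe tests were explicitly requested.` directly above the guard. Both tests also depend only on `features.RequireEnabled(features.HostFirewall)`; if a cluster already carries its own host policy the `ResultOK` expectations for non-client sources and non-echo-other-node destinations may not hold, though whether the framework detects pre-existing node policies is outside this hunk. `Run` starts and ends outside the hunk.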
