connectivity: Add more tests for Ingress Controller
This commit adds two more tests related to the Ingress Controller:

- Deny policy on the reserved:ingress identity
- Deny policy on the backend service of the ingress (e.g. echo-same-node)

Relates: #2015
Signed-off-by: Tam Mach <[email protected]>
sayboras committed Nov 13, 2023
1 parent 6e664fe commit a06efa5
Showing 3 changed files with 45 additions and 0 deletions.
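--- a/connectivity/manifests/deny-ingress-backend.yaml
+++ b/connectivity/manifests/deny-ingress-backend.yaml
@@ -0,0 +1,10 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+name: "ingress-backend-deny"
+spec:
+endpointSelector: {}
+egressDeny:
+- toEndpoints:
+- matchLabels:
+kind: echo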
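Review bot: Neither this manifest nor connectivity/manifests/deny-ingress-entity.yaml says which hop of the pod → ingress → backend path its deny rule is meant to break, and the rule here looks broader than the commit message's "backend service of ingress (e.g. echo-same-node)". As rendered, `endpointSelector: {}` with `egressDeny` to `kind: echo` denies egress from every selected endpoint to every echo pod, not only the ingress backend. A header comment such as `# Denies egress to all kind=echo pods, which include the ingress backend; the request through the ingress is expected to be dropped.` would make the intent reviewable, and the sibling manifest could say the same for `toEntities: ingress`. The page has lost the YAML indentation, so the nesting described here is inferred.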
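--- a/connectivity/manifests/deny-ingress-entity.yaml
+++ b/connectivity/manifests/deny-ingress-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+name: "ingress-entity-deny"
+spec:
+endpointSelector: {}
+egressDeny:
+- toEntities:
+- ingress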
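--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -41,6 +41,12 @@ var (
 //go:embed manifests/deny-all-entities.yaml
 denyAllEntitiesPolicyYAML string
 
+//go:embed manifests/deny-ingress-entity.yaml
+denyIngressIdentityPolicyYAML string
+
+//go:embed manifests/deny-ingress-backend.yaml
+denyIngressBackendPolicyYAML string
+
 //go:embed manifests/allow-cluster-entity.yaml
 allowClusterEntityPolicyYAML string
 
@@ -1043,6 +1049,26 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 return check.ResultDefaultDenyEgressDrop, check.ResultNone
 })
 
+ct.NewTest("pod-to-ingress-service-deny-ingress-identity").
+WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+WithCiliumPolicy(denyIngressIdentityPolicyYAML).
+WithScenarios(
+tests.PodToIngress(),
+).
+WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+
+ct.NewTest("pod-to-ingress-service-deny-backend-service").
+WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+WithCiliumPolicy(denyIngressBackendPolicyYAML).
+WithScenarios(
+tests.PodToIngress(),
+).
+WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+
 ct.NewTest("pod-to-ingress-service-allow-ingress-identity").
 WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
 WithCiliumPolicy(denyAllIngressPolicyYAML).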
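Review bot: Both tests added to Run expect `check.ResultDefaultDenyEgressDrop`, yet the policies they load are explicit `egressDeny` rules, so a drop attributed to default-deny would not by itself show that the new deny rule is what stopped the flow. If the datapath reports the policy-deny reason here, asserting the check package's policy-deny result (`check.ResultPolicyDenyEgressDrop`, assuming it fits this scenario) would tie each test to the rule it is meant to cover. If default-deny really is what traffic through the ingress proxy produces, a one-line comment above each `WithExpectations` explaining why would keep a later reader from changing it. The two tests differ only in name and policy, so a short comment on each naming the enforcement point (the ingress identity versus the echo backend) would also help. Run's body starts and ends outside this hunk.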
