

Add connectivity tests for auth
This adds tests to validate that the auth handling in policy is working.
It uses the always-fail auth type to test the failure case.
If mTLS-SPIFFE is enabled in the cluster it will also perform a successful test run with mTLS enabled.

Signed-off-by: Maartje Eyskens <[email protected]>
meyskens committed Apr 12, 2023
1 parent dc83a55 commit ac518d3
Showing 5 changed files with 83 additions and 0 deletions.
6 changes: 6 additions & 0 deletions connectivity/check/features.go
Expand Up @@ -53,6 +53,8 @@ const (
FeatureFlavor Feature = "flavor"

FeatureSecretBackendK8s Feature = "secret-backend-k8s"

FeatureAuthMTLSSpiffe Feature = "auth-mtls-spiffe"
)

// FeatureStatus describes the status of a feature. Some features are either
Expand Down Expand Up @@ -193,6 +195,10 @@ func (ct *ConnectivityTest) extractFeaturesFromConfigMap(ctx context.Context, cl
Enabled: cm.Data["enable-endpoint-routes"] == "true",
}

result[FeatureAuthMTLSSpiffe] = FeatureStatus{
Enabled: cm.Data["mesh-auth-mtls-enabled"] == "true",
}

return nil
}

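Review bot: `FeatureAuthMTLSSpiffe` is set solely from `cm.Data["mesh-auth-mtls-enabled"] == "true"`, and nothing in this check establishes that the SPIFFE/SPIRE backend the `mtls-spiffe` policy type needs is actually configured; if the agent can run mesh auth with a different backend, the gated test would be enabled against a cluster that cannot satisfy it. Whether or not a more specific ConfigMap key exists, the assumption should be visible where the constant is declared: `// FeatureAuthMTLSSpiffe is derived from mesh-auth-mtls-enabled only; it does not verify that a SPIFFE backend is configured.` The new constant would also benefit from a one-line doc comment stating which ConfigMap key it mirrors, since the feature name and the key name differ. `extractFeaturesFromConfigMap` begins and ends outside the hunk.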
11 changes: 11 additions & 0 deletions connectivity/check/policy.go
Expand Up @@ -151,6 +151,10 @@ func defaultDenyReason(flow *flowpb.Flow) bool {
return flow.GetDropReasonDesc() == flowpb.DropReason_POLICY_DENIED
}

func authRequiredDropReason(flow *flowpb.Flow) bool {
return flow.GetDropReasonDesc() == flowpb.DropReason_AUTH_REQUIRED
}

var (
// ResultNone expects a successful command, don't match any packets.
ResultNone = Result{
Expand Down Expand Up @@ -197,6 +201,13 @@ var (
DropReasonFunc: defaultDropReason,
}

// ResultDropAuthRequired expects a dropped flow with auth required as reason.
ResultDropAuthRequired = Result{
Drop: true,
// IngressDrop: true,
DropReasonFunc: authRequiredDropReason,
}

// ResultAnyReasonEgressDrop expects a dropped flow at Egress and a failed command.
ResultAnyReasonEgressDrop = Result{
Drop: true,
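Review bot: `ResultDropAuthRequired` ships with a commented-out `// IngressDrop: true,` and no explanation, so the next reader cannot tell whether ingress-side matching was tried and found not to work or simply forgotten. Either delete the line or replace it with a why-comment such as `// IngressDrop is deliberately unset: <reason>`; if the AUTH_REQUIRED drop is in fact reported at ingress, setting it would make the expectation strictly tighter. `authRequiredDropReason` also lacks the doc comment the file's other helpers have: `// authRequiredDropReason reports whether the flow was dropped because the matching rule requires authentication (DropReason_AUTH_REQUIRED).` The `var (` block continues outside the hunk.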
21 changes: 21 additions & 0 deletions connectivity/manifests/echo-ingress-auth-fail.yaml
@@ -0,0 +1,21 @@

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: auth-ingress-fail
namespace: cilium-test
spec:
description: "Allow other client to contact echo but fail on auth"
endpointSelector:
matchLabels:
kind: echo
ingress:
- fromEndpoints:
- matchLabels:
kind: client
toPorts:
- ports:
- port: "8080"
protocol: TCP
auth:
type: always-fail
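Review bot: The description says "Allow other client to contact echo" but `fromEndpoints` matches every endpoint with `kind: client`, so the always-fail rule applies to all clients in the namespace rather than a specific one; if a second client is intended, narrow the selector, otherwise reword to `description: "Allow clients to contact echo on 8080/TCP but always fail authentication"`. It is also worth stating in the description that with `type: always-fail` this rule is effectively a deny for the port, because the AUTH_REQUIRED expectation in suite.go depends on that and a future reader may otherwise "fix" the policy by relaxing it.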
21 changes: 21 additions & 0 deletions connectivity/manifests/echo-ingress-mtls.yaml
@@ -0,0 +1,21 @@

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: auth-ingress
namespace: cilium-test
spec:
description: "Allow other client to contact echo after mTLS"
endpointSelector:
matchLabels:
kind: echo
ingress:
- fromEndpoints:
- matchLabels:
kind: client
toPorts:
- ports:
- port: "8080"
protocol: TCP
auth:
type: mtls-spiffe
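Review bot: Same description/selector mismatch as the always-fail manifest: "other client" versus a `kind: client` match that covers every client. For a positive test this matters more, because nothing in the policy itself distinguishes "allowed because the SPIFFE handshake completed" from "allowed because the agent ignored the `auth` block"; the only guard is the feature gate in suite.go. Make the intent explicit, e.g. `description: "Allow clients to reach echo on 8080/TCP only after mutual TLS (SPIFFE) authentication succeeds"`, so the policy reads as an authentication requirement rather than a plain allow.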
24 changes: 24 additions & 0 deletions connectivity/suite.go
Expand Up @@ -114,6 +114,12 @@ var (

//go:embed manifests/echo-ingress-icmp-deny.yaml
echoIngressICMPDenyPolicyYAML string

//go:embed manifests/echo-ingress-auth-fail.yaml
echoIngressAuthFailPolicyYAML string

//go:embed manifests/echo-ingress-mtls.yaml
echoIngressMTLSPolicyYAML string
)

var (
Expand Down Expand Up @@ -728,6 +734,24 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
return check.ResultCurlHTTPError, check.ResultNone // if the header is not set the request will get a 401
})

// Test mTLS auth with always-fail
ct.NewTest("echo-ingress-auth-always-fail").WithPolicy(echoIngressAuthFailPolicyYAML).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
return check.ResultDropCurlTimeout, check.ResultDropAuthRequired
})

// Test mTLS auth with SPIFFE
ct.NewTest("echo-ingress-auth-mtls-spiffe").WithPolicy(echoIngressMTLSPolicyYAML).
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureAuthMTLSSpiffe)).
WithScenarios(
tests.PodToPod(),
tests.PodToPodWithEndpoints(),
)

// Only allow UDP:53 to kube-dns, no DNS proxy enabled.
ct.NewTest("dns-only").WithPolicy(clientEgressOnlyDNSPolicyYAML).
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
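Review bot: The `echo-ingress-auth-mtls-spiffe` test sets no `WithExpectations`, so it passes on whatever default `NewTest` carries (defined outside the hunk, presumably plain success); a success-only check cannot tell a completed SPIFFE handshake apart from an agent that silently ignored the `auth` block, so the mTLS path has no negative control. Consider an explicit expectation with a comment such as `// Relies on the default success expectation; an AUTH_REQUIRED drop fails the test`, or better a companion scenario in which the peer cannot authenticate. The comment `// Test mTLS auth with always-fail` is misleading since `always-fail` involves no mTLS; `// Test auth handling: the always-fail auth type must drop with AUTH_REQUIRED` says what is checked. The always-fail test is not feature-gated, so on an agent that does not implement the `auth` field it would likely fail rather than skip — confirm whether a feature requirement is wanted there too. `Run` starts and ends outside the hunk.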
