connectivity: L7 HTTP method test

This test checks whether different HTTP methods are properly handled by proxy and dropped if they don't match policy. Signed-off-by: Maciej Kwiek <[email protected]>
cilium · Aug 31, 2022 · cee0eed · cee0eed
1 parent 371979c
commit cee0eed
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/connectivity/check/deployment.go b/connectivity/check/deployment.go
@@ -707,6 +707,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 				Port:      containerPort,
 				HostPort:  hostPort,
 				Image:     ct.params.JSONMockImage,
+				Labels:    map[string]string{"first": "echo"},
 				Affinity: &corev1.Affinity{
 					PodAntiAffinity: &corev1.PodAntiAffinity{
 						RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{

diff --git a/connectivity/manifests/client-egress-l7-http-method.yaml b/connectivity/manifests/client-egress-l7-http-method.yaml
@@ -0,0 +1,30 @@
+---
+# client2 is allowed to contact the echo Pod
+# on port 8080 via POST method. HTTP introspection is enabled for client2.
+# The toFQDNs section relies on DNS introspection being performed by
+# the client-egress-only-dns policy.
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  namespace: cilium-test
+  name: client-egress-l7-http-method
+spec:
+  description: "Allow POST <echo>:8080/(public|private) from client2"
+  endpointSelector:
+    matchLabels:
+      other: client
+  egress:
+  # Allow POST /public requests towards echo pods.
+  - toEndpoints:
+    - matchLabels:
+        kind: echo
+    toPorts:
+    - ports:
+      - port: "8080"
+        protocol: TCP
+      rules:
+        http:
+        - method: "POST"
+          path: "/public$"
+        - method: "POST"
+          path: "/private$"
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -6,6 +6,7 @@ package connectivity
 import (
 	"context"
 	_ "embed"
+	"strings"
 
 	"github.com/blang/semver/v4"
 	"github.com/cilium/cilium/pkg/versioncheck"
@@ -76,6 +77,9 @@ var (
 	//go:embed manifests/client-egress-l7-http.yaml
 	clientEgressL7HTTPPolicyYAML string
 
+	//go:embed manifests/client-egress-l7-http-method.yaml
+	clientEgressL7HTTPMethodPolicyYAML string
+
 	//go:embed manifests/client-egress-l7-http-named-port.yaml
 	clientEgressL7HTTPNamedPortPolicyYAML string
 
@@ -496,6 +500,32 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 			return check.ResultDrop, check.ResultNone
 		})
 
+	// Test L7 HTTP with different methods introspection using an egress policy on the clients.
+	ct.NewTest("client-egress-l7-method").
+		WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
+		WithPolicy(clientEgressOnlyDNSPolicyYAML).      // DNS resolution only
+		WithPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (named port)
+		WithScenarios(
+			tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})),
+			tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),
+		).
+		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+			if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls.
+				(a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod.
+				if strings.HasPrefix(a.Destination().Name(), "curl-1") { //TODO: figure out why a.Destination().HasLabel() hasn't worked here
+					egress = check.ResultOK
+
+					egress.HTTP = check.HTTP{
+						Method: "POST",
+					}
+					return egress, check.ResultNone
+				}
+				// Else expect HTTP drop by proxy
+				return check.ResultDNSOKDropCurlHTTPError, check.ResultNone
+			}
+			return check.ResultDrop, check.ResultNone
+		})
+
 	// Only allow UDP:53 to kube-dns, no DNS proxy enabled.
 	ct.NewTest("dns-only").WithPolicy(clientEgressOnlyDNSPolicyYAML).
 		WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).