

connectivity: L7 HTTP method test
This test checks that the L7 proxy handles different HTTP methods correctly
and drops requests whose method does not match the policy.

Signed-off-by: Maciej Kwiek <[email protected]>
nebril committed Sep 1, 2022
1 parent a789dae commit d1d040c
Showing 3 changed files with 60 additions and 0 deletions.
1 change: 1 addition & 0 deletions connectivity/check/deployment.go
Expand Up @@ -707,6 +707,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
Port: containerPort,
HostPort: hostPort,
Image: ct.params.JSONMockImage,
Labels: map[string]string{"first": "echo"},
Affinity: &corev1.Affinity{
PodAntiAffinity: &corev1.PodAntiAffinity{
RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{
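Review bot: The new `Labels` entry on line 24 is a scenario-selection label that the suite's `WithDestinationLabelsOption(map[string]string{"first": "echo"})` depends on, but nothing at the definition says so, and a future cleanup of "unused" labels would silently break that test. A short comment, `// "first": "echo" lets label-based scenarios target this echo pod alone (see suite.go)`, would keep the two in sync. Presumably the second echo deployment carries the matching `"other": "echo"` label, which is not visible here. The enclosing deploy method starts and ends outside the hunk.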
30 changes: 30 additions & 0 deletions connectivity/manifests/client-egress-l7-http-method.yaml
@@ -0,0 +1,30 @@
---
# client2 is allowed to contact the echo Pod
# on port 8080 via POST method. HTTP introspection is enabled for client2.
# The toFQDNs section relies on DNS introspection being performed by
# the client-egress-only-dns policy.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
namespace: cilium-test
name: client-egress-l7-http-method
spec:
description: "Allow POST <echo>:8080/(public|private) from client2"
endpointSelector:
matchLabels:
other: client
egress:
# Allow POST /public requests towards echo pods.
- toEndpoints:
- matchLabels:
kind: echo
toPorts:
- ports:
- port: "8080"
protocol: TCP
rules:
http:
- method: "POST"
path: "/public$"
- method: "POST"
path: "/private$"
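Review bot: The header comment on lines 35-36 refers to a "toFQDNs section" that this policy does not contain; it appears to have been copied from the sibling client-egress-l7-http.yaml and is now misleading about what the policy relies on. I would replace those two lines with `# DNS resolution for the client is provided separately by the client-egress-only-dns policy.`, or drop them if the dependency is already documented in the suite. The egress comment on line 48 is also narrower than the rule below it, which allows both `/public$` and `/private$`; `# Allow POST /public and /private requests towards echo pods.` matches the actual rule.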
29 changes: 29 additions & 0 deletions connectivity/suite.go
Expand Up @@ -76,6 +76,9 @@ var (
//go:embed manifests/client-egress-l7-http.yaml
clientEgressL7HTTPPolicyYAML string

//go:embed manifests/client-egress-l7-http-method.yaml
clientEgressL7HTTPMethodPolicyYAML string

//go:embed manifests/client-egress-l7-http-named-port.yaml
clientEgressL7HTTPNamedPortPolicyYAML string

Expand Down Expand Up @@ -440,6 +443,32 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {

// The following tests have DNS redirect policies. They should be executed last.

// Test L7 HTTP with different methods introspection using an egress policy on the clients.
ct.NewTest("client-egress-l7-method").
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
WithPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only
WithPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (POST only)
WithScenarios(
tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})),
tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),
).
WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls.
(a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod.
if a.Destination().HasLabel("other", "echo") { //we are POSTing only other echo
egress = check.ResultOK

egress.HTTP = check.HTTP{
Method: "POST",
}
return egress, check.ResultNone
}
// Else expect HTTP drop by proxy
return check.ResultDropCurlHTTPError, check.ResultNone
}
return check.ResultDrop, check.ResultNone
})

// Test L7 HTTP introspection using an egress policy on the clients.
ct.NewTest("client-egress-l7").
WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
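Review bot: The expectation on lines 90-99 decides pass versus proxy-drop by the destination pod's label rather than by the request method, so the test passes only because the two scenarios on lines 84-85 happen to pair POST with the "other" echo and the default method with the "first" echo; a GET to the "other" echo would be expected to succeed even though the policy allows POST only. The second scenario also leaves the method implicit, so the negative case is not self-documenting; I would write it as `tests.PodToPodWithEndpoints(tests.WithMethod("GET"), tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),` and replace the comment on line 90 with `// Only the POST scenario targets the "other" echo; any other method must be rejected by the proxy.`. If check.Action exposes the request method, keying the expectation on it instead of the destination label would remove the coupling entirely, but I cannot confirm that API from here. The enclosing Run function starts and ends outside the hunk.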
