diff --git a/connectivity/check/deployment.go b/connectivity/check/deployment.go
index dee9981116..9354d849f8 100644
--- a/connectivity/check/deployment.go
+++ b/connectivity/check/deployment.go
@@ -707,6 +707,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 Port: containerPort,
 HostPort: hostPort,
 Image: ct.params.JSONMockImage,
+ Labels: map[string]string{"first": "echo"},
 Affinity: &corev1.Affinity{
 PodAntiAffinity: &corev1.PodAntiAffinity{
 RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{
diff --git a/connectivity/manifests/client-egress-l7-http-method.yaml b/connectivity/manifests/client-egress-l7-http-method.yaml
new file mode 100644
index 0000000000..696fae80d3
--- /dev/null
+++ b/connectivity/manifests/client-egress-l7-http-method.yaml
@@ -0,0 +1,30 @@
+---
+# client2 is allowed to contact the echo Pod
+# on port 8080 via POST method. HTTP introspection is enabled for client2.
+# The toFQDNs section relies on DNS introspection being performed by
+# the client-egress-only-dns policy.
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ namespace: cilium-test
+ name: client-egress-l7-http-method
+spec:
+ description: "Allow POST :8080/(public|private) from client2"
+ endpointSelector:
+ matchLabels:
+ other: client
+ egress:
+ # Allow POST /public requests towards echo pods.
+ - toEndpoints:
+ - matchLabels:
+ kind: echo
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ rules:
+ http:
+ - method: "POST"
+ path: "/public$"
+ - method: "POST"
+ path: "/private$"
diff --git a/connectivity/suite.go b/connectivity/suite.go
index de07dfedce..19e9c94918 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
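Review bot: The added `Labels: map[string]string{"first": "echo"}` is the label the new client-egress-l7-method scenarios filter on, but nothing at the call site says so, and the hunk does not show whether the helper merges this map with the labels the new policy selects on (`kind: echo` in client-egress-l7-http-method.yaml) or replaces them. If it replaces them, the policy would no longer select this echo pod; worth confirming against the deployment helper. I would document the purpose inline: `Labels: map[string]string{"first": "echo"}, // selected by the client-egress-l7-method scenarios`. deploy begins and ends outside the hunk.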
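Review bot: The header comment refers to a toFQDNs section that this manifest does not contain — the only rule is a toEndpoints rule on `kind: echo`, and the DNS dependency is the separately applied client-egress-only-dns policy, so the two toFQDNs sentences read like residue from the manifest this was copied from. The comment above the rule, `# Allow POST /public requests towards echo pods.`, also undersells the rule, which admits `/private$` as well. Suggest replacing the toFQDNs sentences with `# DNS resolution for client2 is granted by the separate client-egress-only-dns policy.` and the rule comment with `# Allow POST /public and /private towards echo pods; the suite expects the proxy to reject any other method or path.` Since the path values are patterns, whether `"/public$"` is also anchored at the start of the path (so that longer paths ending in /public are not admitted) should be confirmed before relying on this policy as a model elsewhere.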
@@ -76,6 +76,9 @@ var (
 //go:embed manifests/client-egress-l7-http.yaml
 clientEgressL7HTTPPolicyYAML string
 
+ //go:embed manifests/client-egress-l7-http-method.yaml
+ clientEgressL7HTTPMethodPolicyYAML string
+
 //go:embed manifests/client-egress-l7-http-named-port.yaml
 clientEgressL7HTTPNamedPortPolicyYAML string
 
@@ -440,6 +443,32 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 
 // The following tests have DNS redirect policies. They should be executed last.
 
+ // Test L7 HTTP with different methods introspection using an egress policy on the clients.
+ ct.NewTest("client-egress-l7-method").
+ WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
+ WithPolicy(clientEgressOnlyDNSPolicyYAML). // DNS resolution only
+ WithPolicy(clientEgressL7HTTPMethodPolicyYAML). // L7 allow policy with HTTP introspection (POST only)
+ WithScenarios(
+ tests.PodToPodWithEndpoints(tests.WithMethod("POST"), tests.WithDestinationLabelsOption(map[string]string{"other": "echo"})),
+ tests.PodToPodWithEndpoints(tests.WithDestinationLabelsOption(map[string]string{"first": "echo"})),
+ ).
+ WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+ if a.Source().HasLabel("other", "client") && // Only client2 is allowed to make HTTP calls.
+ (a.Destination().Port() == 8080) { // port 8080 is traffic to echo Pod.
+ if a.Destination().HasLabel("other", "echo") { //we are POSTing only other echo
+ egress = check.ResultOK
+
+ egress.HTTP = check.HTTP{
+ Method: "POST",
+ }
+ return egress, check.ResultNone
+ }
+ // Else expect HTTP drop by proxy
+ return check.ResultDropCurlHTTPError, check.ResultNone
+ }
+ return check.ResultDrop, check.ResultNone
+ })
+
 // Test L7 HTTP introspection using an egress policy on the clients.
 ct.NewTest("client-egress-l7").
 WithFeatureRequirements(check.RequireFeatureEnabled(check.FeatureL7Proxy)).
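Review bot: The OK branch of the new WithExpectations callback keys only on the destination label `other: echo`, not on the request method, so it is correct only because the first scenario restricts POSTs to `other: echo` destinations and the second scenario never sends a POST; the policy itself selects on `kind: echo`, so a POST to the `first: echo` pod (assuming it carries `kind: echo` too) would be allowed by the proxy yet predicted here as ResultDropCurlHTTPError. That coupling should be stated where the branch is written, e.g. replace `//we are POSTing only other echo` with `// Only the POST scenario targets "other: echo"; the default-method scenario to "first: echo" must be rejected by the proxy.` — which also fixes the missing space after `//` that gofmt does not correct. The embed hunk above adds only the manifest variable and needs nothing. Run begins and ends outside the hunk.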