Connectivity test factory component. #2322

Merged
merged 1 commit into from
Mar 5, 2024
17 changes: 17 additions & 0 deletions CODEOWNERS
Expand Up @@ -31,6 +31,23 @@
/connectivity/check/ipcache.go @cilium/ipcache
/connectivity/check/metrics*.go @cilium/metrics
/connectivity/check/policy.go @cilium/sig-policy
/connectivity/builder/** @cilium/ci-structure
/connectivity/builder/all_ingress_deny_from_outside.go @cilium/sig-encryption
/connectivity/builder/cluster_entity_multi_cluster.go @cilium/sig-clustermesh
/connectivity/builder/dns_only.go @cilium/sig-clustermesh
/connectivity/builder/echo_ingress.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_auth_always_fail.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_from_other_client_deny.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_from_outside.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_knp.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_l7.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_l7_named_port.go @cilium/sig-servicemesh
/connectivity/builder/echo_ingress_mutual_auth_spiffe.go @cilium/sig-servicemesh
/connectivity/builder/egress_gateway.go @cilium/egress-gateway
/connectivity/builder/egress_gateway_excluded_cidrs.go @cilium/egress-gateway
/connectivity/builder/no_ipsec_xfrm_errors.go @cilium/sig-encryption
/connectivity/builder/node_to_node_encryption.go @cilium/sig-encryption
/connectivity/builder/pod_to_pod_encryption.go @cilium/sig-encryption
/connectivity/tests/egressgateway.go @cilium/egress-gateway
/connectivity/tests/encryption.go @cilium/sig-encryption
/connectivity/tests/errors.go @cilium/sig-agent @cilium/sig-datapath
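--- a/connectivity/builder/all_egress_deny.go
+++ b/connectivity/builder/all_egress_deny.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-egress.yaml
+var denyAllEgressPolicyYAML string
+
+type allEgressDeny struct{}
+
+func (t allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all egresses by default
+newTest("all-egress-deny", ct).
+WithCiliumPolicy(denyAllEgressPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToPodWithEndpoints(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+}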
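Review bot: The receiver `t` on the `func (t allEgressDeny) build(...)` line is never used, and the same unused named receiver appears in all_egress_deny_knp.go, all_entities_deny.go, all_ingress_deny.go, all_ingress_deny_from_outside.go, all_ingress_deny_knp.go, allow_all_except_world.go and allow_all_with_metrics_check.go; an unnamed receiver, `func (allEgressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {`, states that directly and is what linters expect. The explanatory comment `// This policy denies all egresses by default` sits inside the body where it reads as a statement comment; a doc comment on the type, such as `// allEgressDeny builds the all-egress-deny test: a deny-all egress CiliumNetworkPolicy under which pod-to-pod traffic is expected to hit the default-deny egress drop.`, would surface in godoc and give the test's intent where a reader looks for it. The same placement applies to the other builder files in this PR.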
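--- a/connectivity/builder/all_egress_deny_knp.go
+++ b/connectivity/builder/all_egress_deny_knp.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-egress-knp.yaml
+var denyAllEgressPolicyKNPYAML string
+
+type allEgressDenyKnp struct{}
+
+func (t allEgressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all egresses by default using KNP.
+newTest("all-egress-deny-knp", ct).
+WithK8SPolicy(denyAllEgressPolicyKNPYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToPodWithEndpoints(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultDefaultDenyEgressDrop, check.ResultNone
+})
+}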
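Review bot: The type name `allEgressDenyKnp` and the variable `denyAllEgressPolicyKNPYAML` in the same file spell the same initialism two ways; Go keeps initialisms in one case, so `type allEgressDenyKNP struct{}` would match the variable and the `WithK8SPolicy` method it calls. The same mismatch appears in all_ingress_deny_knp.go (`allIngressDenyKnp` next to `denyAllIngressPolicyKNPYAML`). Since the type is unexported and only referenced within the package, the rename is mechanical, but the factory that registers these types is outside the visible files, so that call site would need the same change.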
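--- a/connectivity/builder/all_entities_deny.go
+++ b/connectivity/builder/all_entities_deny.go
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/deny-all-entities.yaml
+var denyAllEntitiesPolicyYAML string
+
+type allEntitiesDeny struct{}
+
+func (t allEntitiesDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all entities by default
+newTest("all-entities-deny", ct).
+WithCiliumPolicy(denyAllEntitiesPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.PodToCIDR(),
+).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultPolicyDenyEgressDrop, check.ResultNone
+})
+}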
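Review bot: The expectation returns `check.ResultPolicyDenyEgressDrop` here while the two egress-deny builders in this PR return `check.ResultDefaultDenyEgressDrop`, and nothing in the file says why the drop reason differs. A one-line comment above the return would keep a later reader from "fixing" it to match: `// An explicit deny rule on all entities, not an empty allow set, drops this traffic, so the drop is attributed to policy deny rather than default deny.` I am inferring the rule shape from the file name; the manifest `manifests/deny-all-entities.yaml` is not in the visible diff, so please confirm the wording against it.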
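--- a/connectivity/builder/all_ingress_deny.go
+++ b/connectivity/builder/all_ingress_deny.go
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+type allIngressDeny struct{}
+
+func (t allIngressDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all ingresses by default.
+//
+// 1. Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
+// but then at the destination there is ingress policy that denies the traffic.
+// 2. Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
+// then when replies come back, they are considered as "replies" to the outbound connection.
+// so they are not subject to ingress policy.
+newTest("all-ingress-deny", ct).
+WithCiliumPolicy(denyAllIngressPolicyYAML).
+WithScenarios(tests.PodToPod(), tests.PodToCIDR(tests.WithRetryAll())).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}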
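Review bot: The two-line "destination is one of the external IPs" condition inside `WithExpectations` is copied verbatim into all_ingress_deny_from_outside.go and all_ingress_deny_knp.go; because this condition decides whether the test asserts a drop or an allow under a deny-all ingress policy, a drift between the three copies would silently change what the suite verifies, so it belongs in one package-level helper that all three call. Each copy also calls `ct.Params()` four times per action; the helper below reads it once. Separately, `denyAllIngressPolicyYAML` is referenced here and in all_ingress_deny_from_outside.go but declared in neither (there is no `//go:embed` in either file), so I assume it lives in another file of the package that is not in the visible diff — worth confirming, since the KNP variant declares its own `denyAllIngressPolicyKNPYAML` locally.
```go
// externalDestination reports whether the action targets one of the
// configured external addresses (ExternalIP or ExternalOtherIP), which
// an ingress-deny policy must leave reachable.
func externalDestination(a *check.Action, ct *check.ConnectivityTest) bool {
	p := ct.Params()
	return a.Destination().Address(features.GetIPFamily(p.ExternalOtherIP)) == p.ExternalOtherIP ||
		a.Destination().Address(features.GetIPFamily(p.ExternalIP)) == p.ExternalIP
}

// … unchanged: test wiring up to WithExpectations …
		WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
			if externalDestination(a, ct) {
				return check.ResultOK, check.ResultNone
			}
			return check.ResultDrop, check.ResultDefaultDenyIngressDrop
		})
```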
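--- a/connectivity/builder/all_ingress_deny_from_outside.go
+++ b/connectivity/builder/all_ingress_deny_from_outside.go
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+type allIngressDenyFromOutside struct{}
+
+func (t allIngressDenyFromOutside) build(ct *check.ConnectivityTest, _ map[string]string) {
+newTest("all-ingress-deny-from-outside", ct).
+WithCondition(func() bool { return ct.Params().IncludeUnsafeTests }).
+WithCiliumPolicy(denyAllIngressPolicyYAML).
+WithFeatureRequirements(features.RequireEnabled(features.NodeWithoutCilium)).
+WithIPRoutesFromOutsideToPodCIDRs().
+WithScenarios(tests.FromCIDRToPod()).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}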
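Review bot: This is the only builder in the PR gated on `ct.Params().IncludeUnsafeTests`, and nothing in the file says what makes it unsafe or why it additionally needs `features.NodeWithoutCilium` and `WithIPRoutesFromOutsideToPodCIDRs()`; this is also the one file here with no explanatory comment at all. A comment above `newTest` such as `// Runs only with IncludeUnsafeTests: it requires a node without Cilium and installs routes from that node into the pod CIDRs, then checks that the deny-all ingress policy drops traffic arriving from outside the cluster while the external IPs stay reachable.` would record that. The route-installation reason is my reading of the method name, so confirm it before committing the wording.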
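--- a/connectivity/builder/all_ingress_deny_knp.go
+++ b/connectivity/builder/all_ingress_deny_knp.go
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+"github.com/cilium/cilium-cli/utils/features"
+)
+
+//go:embed manifests/deny-all-ingress-knp.yaml
+var denyAllIngressPolicyKNPYAML string
+
+type allIngressDenyKnp struct{}
+
+func (t allIngressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy denies all ingresses by default
+newTest("all-ingress-deny-knp", ct).
+WithK8SPolicy(denyAllIngressPolicyKNPYAML).
+WithScenarios(
+// Pod to Pod fails because there is no egress policy (so egress traffic originating from a pod is allowed),
+// but then at the destination there is ingress policy that denies the traffic.
+tests.PodToPod(),
+// Egress to world works because there is no egress policy (so egress traffic originating from a pod is allowed),
+// then when replies come back, they are considered as "replies" to the outbound connection.
+// so they are not subject to ingress policy.
+tests.PodToCIDR(tests.WithRetryAll()),
+).
+WithExpectations(func(a *check.Action) (egress, ingress check.Result) {
+if a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP ||
+a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP {
+return check.ResultOK, check.ResultNone
+}
+return check.ResultDrop, check.ResultDefaultDenyIngressDrop
+})
+}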
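--- a/connectivity/builder/allow_all_except_world.go
+++ b/connectivity/builder/allow_all_except_world.go
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+_ "embed"
+
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+//go:embed manifests/allow-all-except-world.yaml
+var allowAllExceptWorldPolicyYAML string
+
+type allowAllExceptWorld struct{}
+
+func (t allowAllExceptWorld) build(ct *check.ConnectivityTest, _ map[string]string) {
+// Test with an allow-all-except-world (and unmanaged) policy.
+newTest("allow-all-except-world", ct).
+WithCiliumPolicy(allowAllExceptWorldPolicyYAML).
+WithScenarios(
+tests.PodToPod(),
+tests.ClientToClient(),
+tests.PodToService(),
+// We are skipping the following checks because NodePort is
+// intended to be used for N-S traffic, which conflicts with
+// policies. See GH-17144.
+// tests.PodToRemoteNodePort(),
+// tests.PodToLocalNodePort(),
+tests.PodToHost(),
+tests.PodToExternalWorkload(),
+)
+}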
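Review bot: Unlike the other builders in this PR, this test sets no `WithExpectations`, so every scenario runs against whatever default expectation `newTest` provides, and the file does not say that this is deliberate. Since the policy name promises that world traffic is excluded, a reader will look for a scenario that asserts the world drop and find none; a comment next to the scenario list, `// No PodToWorld/PodToCIDR scenario here: the test only asserts that allowed paths keep working under this policy, not that world traffic is dropped.`, would make the scope explicit. I am inferring the default-expectation behaviour from the absence of a call, so adjust the wording if `newTest` does something different.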
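--- a/connectivity/builder/allow_all_with_metrics_check.go
+++ b/connectivity/builder/allow_all_with_metrics_check.go
@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Cilium
+
+package builder
+
+import (
+"github.com/cilium/cilium-cli/connectivity/check"
+"github.com/cilium/cilium-cli/connectivity/tests"
+)
+
+type allowAllWithMetricsCheck struct{}
+
+func (t allowAllWithMetricsCheck) build(ct *check.ConnectivityTest, _ map[string]string) {
+// This policy allows traffic pod to pod and checks if the metric cilium_forward_count_total increases on cilium agent.
+newTest("allow-all-with-metrics-check", ct).
+WithScenarios(tests.PodToPod()).
+WithExpectations(func(_ *check.Action) (egress, ingress check.Result) {
+return check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total"),
+check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), "cilium_forward_count_total")
+})
+}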
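Review bot: The comment `// This policy allows traffic pod to pod ...` is misleading: `build` installs no policy (there is no `WithCiliumPolicy`/`WithK8SPolicy` call), so the test exercises the no-policy default-allow path and then checks the forward counter. Rewording it to `// No policy is installed: pod-to-pod traffic is allowed by default, and the test asserts that cilium_forward_count_total increases on the agent for both directions.` describes what the code does. The metric name literal is also repeated on the two return lines; hoisting it keeps them from drifting apart: `metric := "cilium_forward_count_total"` followed by `return check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), metric),` and `check.ResultOK.ExpectMetricsIncrease(ct.CiliumAgentMetrics(), metric)`.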