diff --git a/connectivity/check/deployment.go b/connectivity/check/deployment.go
index a83cb70a11..2862f459d2 100644
--- a/connectivity/check/deployment.go
+++ b/connectivity/check/deployment.go
@@ -1017,6 +1017,7 @@ func (ct *ConnectivityTest) deploy(ctx context.Context) error {
 return fmt.Errorf("unable to create deployment %s: %s", echoExternalNodeDeploymentName, err)
 }
 }
+
 } else {
 ct.Infof("Skipping tests that require a node Without Cilium")
 }
diff --git a/connectivity/manifests/deny-ingress-backend.yaml b/connectivity/manifests/deny-ingress-backend.yaml
new file mode 100644
index 0000000000..50dfe7ce73
--- /dev/null
+++ b/connectivity/manifests/deny-ingress-backend.yaml
@@ -0,0 +1,10 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "ingress-backend-deny"
+spec:
+ endpointSelector: {}
+ egressDeny:
+ - toEndpoints:
+ - matchLabels:
+ kind: echo
diff --git a/connectivity/manifests/deny-ingress-entity.yaml b/connectivity/manifests/deny-ingress-entity.yaml
new file mode 100644
index 0000000000..51b4c4cd2f
--- /dev/null
+++ b/connectivity/manifests/deny-ingress-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "ingress-entity-deny"
+spec:
+ endpointSelector: {}
+ egressDeny:
+ - toEntities:
+ - ingress
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 092dda7f55..37bbcacf2f 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
@@ -41,6 +41,12 @@ var (
 //go:embed manifests/deny-all-entities.yaml
 denyAllEntitiesPolicyYAML string
 
+ //go:embed manifests/deny-ingress-entity.yaml
+ denyIngressIdentityPolicyYAML string
+
+ //go:embed manifests/deny-ingress-backend.yaml
+ denyIngressBackendPolicyYAML string
+
 //go:embed manifests/allow-cluster-entity.yaml
 allowClusterEntityPolicyYAML string
 
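Review bot: deny-ingress-backend.yaml carries no comment saying what it is for, and its name points the wrong way: the file and the metadata name say "ingress", but the rule is an `egressDeny` with `endpointSelector: {}`, so it selects every pod in the namespace the policy lands in and denies their egress to anything labelled `kind: echo`, which is wider than "the backend of the ingress". A header comment tying it to the test that embeds it would help, e.g. `# Deny egress from every pod in the test namespace to the echo backends; used by pod-to-ingress-service-deny-backend-service to check that the client is dropped.` The same applies to deny-ingress-entity.yaml, which denies egress to the `ingress` entity under a "deny-ingress" file name. The `toEndpoints` selector carries no namespace label, so it presumably matches echo pods only in the policy's own namespace — worth confirming that is the intended scope.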
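Review bot: `denyIngressIdentityPolicyYAML` embeds `manifests/deny-ingress-entity.yaml`, whose metadata name is `ingress-entity-deny`, so the same policy is called "identity" in Go and "entity" in the manifest, and the test that uses it is named `pod-to-ingress-service-deny-ingress-identity`. Pick one term; `denyIngressEntityPolicyYAML` matches the file name and the sibling `denyAllEntitiesPolicyYAML` declared two lines above. The `var (` block begins before the hunk.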
@@ -1043,6 +1049,26 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 return check.ResultDefaultDenyEgressDrop, check.ResultNone
 })
 
+ ct.NewTest("pod-to-ingress-service-deny-ingress-identity").
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressIdentityPolicyYAML).
+ WithScenarios(
+ tests.PodToIngress(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
+ ct.NewTest("pod-to-ingress-service-deny-backend-service").
+ WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
+ WithCiliumPolicy(denyIngressBackendPolicyYAML).
+ WithScenarios(
+ tests.PodToIngress(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
 ct.NewTest("pod-to-ingress-service-allow-ingress-identity").
 WithFeatureRequirements(features.RequireEnabled(features.IngressController)).
 WithCiliumPolicy(denyAllIngressPolicyYAML).
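Review bot: Both new tests expect `check.ResultDefaultDenyEgressDrop` with `check.ResultNone` on ingress, so what they assert is that the client pod is dropped by default-deny egress once a deny-only policy selects it, not that the particular deny target (the `ingress` entity, or the `kind: echo` backends) is what matches; nothing in the test names or the chain says that. A comment above each `ct.NewTest` stating the intent, e.g. `// A deny-only egress policy selecting the client is expected to put it in default-deny egress, so the request is dropped before it reaches the ingress service.`, would tell the reader which part of the manifest matters — worded as intent, since the semantics of deny-only policies are not visible here. The two blocks differ only in the test name and the embedded manifest, so if more variants follow, a small table driving one loop would avoid repeating the nine-line chain. Run's body begins and continues outside the hunk.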