connectivity: Add flag --expected-drop-reasons

This new flag can be used to customize the set of expected reasons for packet drops, for the new test that ensure we don't have any unexpected packet drops. Signed-off-by: Paul Chaignon <[email protected]>
cilium · Dec 6, 2023 · 5165fd1 · 5165fd1
1 parent e7c8ab4
commit 5165fd1
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 7 deletions.
diff --git a/connectivity/check/check.go b/connectivity/check/check.go
@@ -74,8 +74,11 @@ type Parameters struct {
 	ConnDisruptTestRestartsPath   string
 	ConnDisruptTestXfrmErrorsPath string
 	ConnDisruptDispatchInterval   time.Duration
-	FlushCT                       bool
-	SecondaryNetworkIface         string
+
+	ExpectedDropReasons []string
+
+	FlushCT               bool
+	SecondaryNetworkIface string
 
 	K8sVersion           string
 	HelmChartDirectory   string

diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -261,7 +261,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 		}
 	}
 
-	ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops())
+	ct.NewTest("no-unexpected-packet-drops").WithScenarios(tests.NoUnexpectedPacketDrops(ct.Params().ExpectedDropReasons))
 
 	// Run all tests without any policies in place.
 	noPoliciesScenarios := []check.Scenario{

diff --git a/connectivity/tests/errors.go b/connectivity/tests/errors.go
@@ -5,6 +5,7 @@ package tests
 
 import (
 	"context"
+	"fmt"
 	"strings"
 	"time"
 
@@ -76,21 +77,31 @@ func (n *noErrorsInLogs) Run(ctx context.Context, t *check.Test) {
 
 // NoUnexpectedPacketDrops checks whether there were no drops due to expected
 // packet drops.
-func NoUnexpectedPacketDrops() check.Scenario {
-	return &noUnexpectedPacketDrops{}
+func NoUnexpectedPacketDrops(expectedDrops []string) check.Scenario {
+	return &noUnexpectedPacketDrops{expectedDrops}
 }
 
-type noUnexpectedPacketDrops struct{}
+type noUnexpectedPacketDrops struct {
+	expectedDrops []string
+}
 
 func (n *noUnexpectedPacketDrops) Name() string {
 	return "no-unexpected-packet-drops"
 }
 
 func (n *noUnexpectedPacketDrops) Run(ctx context.Context, t *check.Test) {
 	ct := t.Context()
+
+	filter := ""
+	if len(n.expectedDrops) > 0 {
+		filter = fmt.Sprintf("%q", n.expectedDrops[0])
+		for _, reason := range n.expectedDrops[1:] {
+			filter = fmt.Sprintf("%s, %q", filter, reason)
+		}
+	}
 	cmd := []string{
 		"/bin/sh", "-c",
-		"cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(\"Policy denied\", \"Policy denied by denylist\") | not))'",
+		fmt.Sprintf("cilium metrics list -o json | jq '.[] | select((.name == \"cilium_drop_count_total\") and (.labels.reason | IN(%s) | not))'", filter),
 	}
 
 	for _, pod := range ct.CiliumPods() {

diff --git a/defaults/defaults.go b/defaults/defaults.go
@@ -190,4 +190,9 @@ var (
 		"authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator=NotIn",
 		"authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=true",
 	}
+
+	ExpectedDropReasons = []string{
+		"Policy denied",
+		"Policy denied by denylist",
+	}
 )
diff --git a/internal/cli/cmd/connectivity.go b/internal/cli/cmd/connectivity.go
@@ -190,6 +190,9 @@ func newCmdConnectivityTest(hooks Hooks) *cobra.Command {
 	cmd.Flags().StringVar(&params.ConnDisruptTestRestartsPath, "conn-disrupt-test-restarts-path", "/tmp/cilium-conn-disrupt-restarts", "Conn disrupt test temporary result file (used internally)")
 	cmd.Flags().StringVar(&params.ConnDisruptTestXfrmErrorsPath, "conn-disrupt-test-xfrm-errors-path", "/tmp/cilium-conn-disrupt-xfrm-errors", "Conn disrupt test temporary result file (used internally)")
 	cmd.Flags().DurationVar(&params.ConnDisruptDispatchInterval, "conn-disrupt-dispatch-interval", 0, "TCP packet dispatch interval")
+
+	cmd.Flags().StringSliceVar(&params.ExpectedDropReasons, "expected-drop-reasons", defaults.ExpectedDropReasons, "List of expected drop reasons")
+
 	cmd.Flags().BoolVar(&params.FlushCT, "flush-ct", false, "Flush conntrack of Cilium on each node")
 	cmd.Flags().MarkHidden("flush-ct")
 	cmd.Flags().StringVar(&params.SecondaryNetworkIface, "secondary-network-iface", "", "Secondary network iface name (e.g., to test NodePort BPF on multiple networks)")