From 8a4cf9b6d6b77f57c1b577d80a3762c4fa766a60 Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Fri, 24 Nov 2023 23:01:54 +1100
Subject: [PATCH] connectivity: Add more tests for Ingress Controller
This commit is to cover the cases which the traffic is sent via external node client (i.e. from node without Cilium) to Ingress service.
Signed-off-by: Tam Mach
---
 connectivity/manifests/deny-cidr.yaml | 11 ++++++
 connectivity/manifests/deny-world-entity.yaml | 9 +++++
 connectivity/suite.go | 39 +++++++++++++++++++
 connectivity/tests/service.go | 32 +++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 connectivity/manifests/deny-cidr.yaml
 create mode 100644 connectivity/manifests/deny-world-entity.yaml
diff --git a/connectivity/manifests/deny-cidr.yaml b/connectivity/manifests/deny-cidr.yaml
new file mode 100644
index 0000000000..b6650f7074
--- /dev/null
+++ b/connectivity/manifests/deny-cidr.yaml
@@ -0,0 +1,11 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: cidr-deny
+spec:
+ endpointSelector: {}
+ ingressDeny:
+ - fromCIDR:
+{{ range $i := .NodesWithoutCiliumIPs }}
+ - {{$i.IP}}/{{$i.Mask}}
+{{ end }}
diff --git a/connectivity/manifests/deny-world-entity.yaml b/connectivity/manifests/deny-world-entity.yaml
new file mode 100644
index 0000000000..ffa3dba9d7
--- /dev/null
+++ b/connectivity/manifests/deny-world-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: "world-entity-deny"
+spec:
+ endpointSelector: {}
+ ingressDeny:
+ - fromEntities:
+ - world
diff --git a/connectivity/suite.go b/connectivity/suite.go
index 37bbcacf2f..9303489a6c 100644
--- a/connectivity/suite.go
+++ b/connectivity/suite.go
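Review bot: Neither new manifest says what it is for or who renders it, so a reader of deny-cidr.yaml has to find the `renderedTemplates` map in suite.go to learn that `.NodesWithoutCiliumIPs` is filled in by connectivity.Run; a one-line header in each file would fix that, e.g. `# Rendered by connectivity.Run: denies ingress from the address of every node that runs without Cilium.` for deny-cidr.yaml and `# Denies ingress from the "world" entity; used by the outside-to-ingress-service-deny-world-identity test.` for deny-world-entity.yaml. The two files also spell the policy name differently (`name: cidr-deny` unquoted versus `name: "world-entity-deny"` quoted); using one form keeps them consistent with each other. The template emits `{{$i.IP}}/{{$i.Mask}}`, which only yields a valid CIDR if Mask is a prefix length rather than a dotted mask — worth confirming against the type behind NodesWithoutCiliumIPs, since nothing here validates the rendered policy before it is applied.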
@@ -44,9 +44,15 @@ var (
 //go:embed manifests/deny-ingress-entity.yaml
 denyIngressIdentityPolicyYAML string
+ //go:embed manifests/deny-world-entity.yaml
+ denyWorldIdentityPolicyYAML string
+
 //go:embed manifests/deny-ingress-backend.yaml
 denyIngressBackendPolicyYAML string
+ //go:embed manifests/deny-cidr.yaml
+ denyCIDRPolicyYAML string
+
 //go:embed manifests/allow-cluster-entity.yaml
 allowClusterEntityPolicyYAML string
@@ -210,6 +216,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 "clientEgressL7TLSPolicyYAML": clientEgressL7TLSPolicyYAML,
 "clientEgressL7HTTPMatchheaderSecretYAML": clientEgressL7HTTPMatchheaderSecretYAML,
 "echoIngressFromCIDRYAML": echoIngressFromCIDRYAML,
+ "denyCIDRPolicyYAML": denyCIDRPolicyYAML,
 }
 if ct.Params().K8sLocalHostTest {
@@ -1077,6 +1084,38 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 tests.PodToIngress(),
 )
+ ct.NewTest("outside-to-ingress-service").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ )
+
+ ct.NewTest("outside-to-ingress-service-deny-world-identity").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithCiliumPolicy(denyWorldIdentityPolicyYAML).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+
+ ct.NewTest("outside-to-ingress-service-deny-cidr").
+ WithFeatureRequirements(
+ features.RequireEnabled(features.IngressController),
+ features.RequireEnabled(features.NodeWithoutCilium)).
+ WithCiliumPolicy(renderedTemplates["denyCIDRPolicyYAML"]).
+ WithScenarios(
+ tests.OutsideToIngressService(),
+ ).
+ WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+ return check.ResultDefaultDenyEgressDrop, check.ResultNone
+ })
+ + // Only allow UDP:53 to kube-dns, no DNS proxy enabled.
 ct.NewTest("dns-only").WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).
 WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).
diff --git a/connectivity/tests/service.go b/connectivity/tests/service.go
index bc83ed46b3..c8415bd95a 100644
--- a/connectivity/tests/service.go
+++ b/connectivity/tests/service.go
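Review bot: The two deny tests pass byte-identical `WithExpectations` closures whose `a` parameter is never read; one named function value declared before the first test, `expectOutsideIngressDenied := func(_ *check.Action) (egress check.Result, ingress check.Result) { return check.ResultDefaultDenyEgressDrop, check.ResultNone }`, passed as `WithExpectations(expectOutsideIngressDenied)` in both places, keeps the two tests from drifting apart. The expectation itself deserves a why-comment: both policies deny *ingress* to the backends, yet the tests expect `ResultDefaultDenyEgressDrop` on the egress side and `ResultNone` on ingress — presumably because the drop is what the client's validated egress flow shows, but as written it reads like a copy of another test's expectation, so a line such as `// The client sits outside Cilium; the ingress deny at the backend is observed as a drop on the client's egress flow.` (adjusted to whatever the actual reason is) would help. The test name says `deny-world-identity` while the policy it applies is `world-entity-deny` (an entity deny); aligning the two names would avoid confusion when a failure is triaged. The enclosing `Run` starts and ends outside the hunk.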
@@ -297,3 +297,35 @@ func (s *outsideToNodePort) Run(ctx context.Context, t *check.Test) {
 }
 }
 }
+
+// OutsideToIngressService sends an HTTP request from client pod running on a node w/o
+// Cilium to NodePort services.
+func OutsideToIngressService() check.Scenario {
+ return &outsideToIngressService{}
+}
+
+type outsideToIngressService struct{}
+
+func (s *outsideToIngressService) Name() string {
+ return "outside-to-ingress-service"
+}
+
+func (s *outsideToIngressService) Run(ctx context.Context, t *check.Test) {
+ clientPod := t.Context().HostNetNSPodsByNode()[t.NodesWithoutCilium()[0]]
+ i := 0
+
+ for _, svc := range t.Context().IngressService() {
+ t.NewAction(s, fmt.Sprintf("curl-%d", i), &clientPod, svc, features.IPFamilyAny).Run(func(a *check.Action) {
+ for _, node := range t.Context().Nodes() {
+ node := node
+ a.ExecInPod(ctx, t.Context().CurlCommand(svc.ToNodeportService(node), features.IPFamilyAny))
+
+ a.ValidateFlows(ctx, clientPod, a.GetEgressRequirements(check.FlowParameters{
+ DNSRequired: true,
+ AltDstPort: svc.Port(),
+ }))
+ }
+ })
+ i++
+ }
+}
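Review bot: The doc comment on `OutsideToIngressService` says the scenario targets "NodePort services", which looks copied from the neighbouring scenario; the body iterates `t.Context().IngressService()` and curls each one through `svc.ToNodeportService(node)` on every cluster node, so it should read `// OutsideToIngressService sends an HTTP request from a client pod running on a node w/o` / `// Cilium to every Ingress service, via the service's NodePort on each cluster node.`. `t.NodesWithoutCilium()[0]` in `Run` panics when the slice is empty; the suite gates the test on `features.NodeWithoutCilium`, but the scenario is exported and can be composed elsewhere, so either a guard or a comment recording that precondition belongs on that line (if `outsideToNodePort.Run` already does the same, the same remark applies there). The action name `curl-%d` is built from a hand-maintained counter: if `IngressService()` returns a slice, `for i, svc := range` replaces `i := 0`/`i++`; if it returns a map, the numbering follows iteration order and the same service may be `curl-0` on one run and `curl-1` on the next, which makes failures harder to correlate — keying the name on the service's name (or sorting first) would be stable.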