connectivity: Add more tests for Ingress Controller

This commit is to cover the cases which the traffic is sent via external node client (i.e. from node without Cilium) to Ingress service. Signed-off-by: Tam Mach <[email protected]>
cilium · Dec 6, 2023 · 8f99c07 · 8f99c07
1 parent c1fa8af
commit 8f99c07
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 0 deletions.
diff --git a/connectivity/manifests/deny-cidr.yaml b/connectivity/manifests/deny-cidr.yaml
@@ -0,0 +1,11 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: cidr-deny
+spec:
+  endpointSelector: {}
+  ingressDeny:
+  - fromCIDR:
+{{ range $i := .NodesWithoutCiliumIPs }}
+    - {{$i.IP}}/{{$i.Mask}}
+{{ end }}
diff --git a/connectivity/manifests/deny-world-entity.yaml b/connectivity/manifests/deny-world-entity.yaml
@@ -0,0 +1,9 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: "world-entity-deny"
+spec:
+  endpointSelector: {}
+  ingressDeny:
+    - fromEntities:
+        - world
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -44,9 +44,15 @@ var (
 	//go:embed manifests/deny-ingress-entity.yaml
 	denyIngressIdentityPolicyYAML string
 
+	//go:embed manifests/deny-world-entity.yaml
+	denyWorldIdentityPolicyYAML string
+
 	//go:embed manifests/deny-ingress-backend.yaml
 	denyIngressBackendPolicyYAML string
 
+	//go:embed manifests/deny-cidr.yaml
+	denyCIDRPolicyYAML string
+
 	//go:embed manifests/allow-cluster-entity.yaml
 	allowClusterEntityPolicyYAML string
 
@@ -210,6 +216,7 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 		"clientEgressL7TLSPolicyYAML":              clientEgressL7TLSPolicyYAML,
 		"clientEgressL7HTTPMatchheaderSecretYAML":  clientEgressL7HTTPMatchheaderSecretYAML,
 		"echoIngressFromCIDRYAML":                  echoIngressFromCIDRYAML,
+		"denyCIDRPolicyYAML":                       denyCIDRPolicyYAML,
 	}
 
 	if ct.Params().K8sLocalHostTest {
@@ -1077,6 +1084,50 @@ func Run(ctx context.Context, ct *check.ConnectivityTest, addExtraTests func(*ch
 			tests.PodToIngress(),
 		)
 
+	ct.NewTest("outside-to-ingress-service").
+		WithFeatureRequirements(
+			features.RequireEnabled(features.IngressController),
+			features.RequireEnabled(features.NodeWithoutCilium)).
+		WithScenarios(
+			tests.OutsideToIngressService(),
+		)
+
+	ct.NewTest("outside-to-ingress-service-deny-world-identity").
+		WithFeatureRequirements(
+			features.RequireEnabled(features.IngressController),
+			features.RequireEnabled(features.NodeWithoutCilium)).
+		WithCiliumPolicy(denyWorldIdentityPolicyYAML).
+		WithScenarios(
+			tests.OutsideToIngressService(),
+		).
+		WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+			return check.ResultDefaultDenyEgressDrop, check.ResultNone
+		})
+
+	ct.NewTest("outside-to-ingress-service-deny-cidr").
+		WithFeatureRequirements(
+			features.RequireEnabled(features.IngressController),
+			features.RequireEnabled(features.NodeWithoutCilium)).
+		WithCiliumPolicy(renderedTemplates["denyCIDRPolicyYAML"]).
+		WithScenarios(
+			tests.OutsideToIngressService(),
+		).
+		WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+			return check.ResultDefaultDenyEgressDrop, check.ResultNone
+		})
+
+	ct.NewTest("outside-to-ingress-service-deny-all-ingress").
+		WithFeatureRequirements(
+			features.RequireEnabled(features.IngressController),
+			features.RequireEnabled(features.NodeWithoutCilium)).
+		WithCiliumPolicy(denyAllIngressPolicyYAML).
+		WithScenarios(
+			tests.OutsideToIngressService(),
+		).
+		WithExpectations(func(a *check.Action) (egress check.Result, ingress check.Result) {
+			return check.ResultDefaultDenyEgressDrop, check.ResultNone
+		})
+
 	// Only allow UDP:53 to kube-dns, no DNS proxy enabled.
 	ct.NewTest("dns-only").WithCiliumPolicy(clientEgressOnlyDNSPolicyYAML).
 		WithFeatureRequirements(features.RequireEnabled(features.L7Proxy)).

diff --git a/connectivity/tests/service.go b/connectivity/tests/service.go
@@ -297,3 +297,35 @@ func (s *outsideToNodePort) Run(ctx context.Context, t *check.Test) {
 		}
 	}
 }
+
+// OutsideToIngressService sends an HTTP request from client pod running on a node w/o
+// Cilium to NodePort services.
+func OutsideToIngressService() check.Scenario {
+	return &outsideToIngressService{}
+}
+
+type outsideToIngressService struct{}
+
+func (s *outsideToIngressService) Name() string {
+	return "outside-to-ingress-service"
+}
+
+func (s *outsideToIngressService) Run(ctx context.Context, t *check.Test) {
+	clientPod := t.Context().HostNetNSPodsByNode()[t.NodesWithoutCilium()[0]]
+	i := 0
+
+	for _, svc := range t.Context().IngressService() {
+		t.NewAction(s, fmt.Sprintf("curl-ingress-service-%d", i), &clientPod, svc, features.IPFamilyAny).Run(func(a *check.Action) {
+			for _, node := range t.Context().Nodes() {
+				node := node
+				a.ExecInPod(ctx, t.Context().CurlCommand(svc.ToNodeportService(node), features.IPFamilyAny))
+
+				a.ValidateFlows(ctx, clientPod, a.GetEgressRequirements(check.FlowParameters{
+					DNSRequired: true,
+					AltDstPort:  svc.Port(),
+				}))
+			}
+		})
+		i++
+	}
+}