// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package builder
import (
_ "embed"
"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
"github.com/cilium/cilium-cli/utils/features"
)
// denyAllIngressPolicyKNPYAML holds the Kubernetes NetworkPolicy manifest,
// embedded at build time from manifests/deny-all-ingress-knp.yaml, that the
// all-ingress-deny-knp test applies to the cluster under test. Because the
// manifest is embedded, the policy content used by the test is fixed at
// compile time and cannot be substituted at runtime.
//
//go:embed manifests/deny-all-ingress-knp.yaml
var denyAllIngressPolicyKNPYAML string
// allIngressDenyKnp is the builder for the "all-ingress-deny-knp" connectivity
// test; it carries no state and its build method registers the test.
type allIngressDenyKnp struct{}
// build registers the "all-ingress-deny-knp" connectivity test on ct.
//
// The test applies a Kubernetes NetworkPolicy that denies all ingress traffic
// (denyAllIngressPolicyKNPYAML) and runs the pod-to-pod and pod-to-CIDR
// scenarios against it. The only policy installed is the ingress deny, so
// egress from a pod is unrestricted and the outcome of every flow is decided
// at the destination: pods reject it, external endpoints accept it.
//
// The second parameter (template values) is not used by this test.
func (t allIngressDenyKnp) build(ct *check.ConnectivityTest, _ map[string]string) {
	// expect maps each observed action to the egress/ingress verdicts the
	// test requires under a deny-all ingress policy.
	expect := func(a *check.Action) (egress, ingress check.Result) {
		params := ct.Params()
		dst := a.Destination()

		// Flows to either cluster-external test address succeed: no egress
		// policy blocks them, and the returning packets are replies to an
		// outbound connection, so the destination pod's ingress policy does
		// not apply to them.
		toExternal := dst.Address(features.GetIPFamily(params.ExternalOtherIP)) == params.ExternalOtherIP ||
			dst.Address(features.GetIPFamily(params.ExternalIP)) == params.ExternalIP
		if toExternal {
			return check.ResultOK, check.ResultNone
		}

		// Every other destination is a pod covered by the deny-all ingress
		// policy, so the flow must be dropped with the default-deny ingress
		// verdict.
		return check.ResultDrop, check.ResultDefaultDenyIngressDrop
	}

	newTest("all-ingress-deny-knp", ct).
		WithK8SPolicy(denyAllIngressPolicyKNPYAML).
		WithScenarios(
			// Expected to fail: the destination pod's ingress policy denies it.
			tests.PodToPod(),
			// Expected to succeed: external replies bypass ingress policy.
			tests.PodToCIDR(tests.WithRetryAll()),
		).
		WithExpectations(expect)
}