// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package builder
import (
"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
"github.com/cilium/cilium-cli/utils/features"
)
// clientEgressToCidrDenyDefault builds the
// "client-egress-to-cidr-deny-default" connectivity test.
type clientEgressToCidrDenyDefault struct{}

// build creates the test through newTest, applies the single policy template
// "clientEgressToCIDRExternalDenyPolicyYAML" and runs the PodToCIDR scenario.
//
// No allow policy is applied alongside the deny policy, so the test exercises
// the default-deny path: traffic to ExternalOtherIP is expected to be dropped
// by the deny policy, and traffic to ExternalIP is expected to be dropped by
// default deny rather than allowed. Asserting the two drop results separately
// means the test checks the reason for the drop, not only that traffic was
// blocked.
//
// A key missing from templates yields an empty string.
// NOTE(review): confirm that WithCiliumPolicy rejects an empty policy;
// otherwise the scenario would run without the deny policy in place.
func (t clientEgressToCidrDenyDefault) build(ct *check.ConnectivityTest, templates map[string]string) {
	// The parameters are read inside the closure, i.e. each time an action is
	// evaluated, not once when the test is built.
	expect := func(a *check.Action) (egress, ingress check.Result) {
		switch {
		case a.Destination().Address(features.GetIPFamily(ct.Params().ExternalOtherIP)) == ct.Params().ExternalOtherIP:
			// Destination targeted by the deny policy.
			return check.ResultPolicyDenyEgressDrop, check.ResultNone
		case a.Destination().Address(features.GetIPFamily(ct.Params().ExternalIP)) == ct.Params().ExternalIP:
			// Not matched by the deny policy; expected to hit default deny.
			return check.ResultDefaultDenyEgressDrop, check.ResultNone
		default:
			// Any other destination: a drop is expected in both directions.
			return check.ResultDrop, check.ResultDrop
		}
	}

	denyPolicy := templates["clientEgressToCIDRExternalDenyPolicyYAML"]

	newTest("client-egress-to-cidr-deny-default", ct).
		WithCiliumPolicy(denyPolicy).
		WithScenarios(tests.PodToCIDR()).
		WithExpectations(expect)
}