// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package builder
import (
_ "embed"
"github.com/cilium/cilium-cli/connectivity/check"
"github.com/cilium/cilium-cli/connectivity/tests"
)
//go:embed manifests/client-egress-to-echo-named-port-deny.yaml
// clientEgressToEchoDenyNamedPortPolicyYAML holds the Cilium policy manifest
// applied by clientIngressToEchoNamedPortDeny.build; per the comment in build it
// denies the named port http-8080 from client to echo while leaving client2 allowed.
// NOTE(review): the manifest and variable are named "egress" while this file
// builds the ingress named-port deny test — confirm this is the intended manifest.
var clientEgressToEchoDenyNamedPortPolicyYAML string
// clientIngressToEchoNamedPortDeny builds the connectivity test that checks a
// named-port deny policy drops client -> echo traffic while client2 -> echo
// still succeeds. It carries no state; build does all the work.
type clientIngressToEchoNamedPortDeny struct{}
// build registers the "client-ingress-to-echo-named-port-deny" test on ct.
// Policies are applied in order: allow-all egress, allow-all ingress, then the
// embedded named-port deny policy. The second argument (template parameters)
// is not used by this builder.
//
// Expectations: a request from a pod labelled name=client to a pod labelled
// kind=echo must fail — a curl timeout on the egress side and a policy-deny
// ingress drop on the echo side. Every other source/destination pair must
// succeed.
func (t clientIngressToEchoNamedPortDeny) build(ct *check.ConnectivityTest, _ map[string]string) {
	// Only the client -> echo pair is denied by the named-port policy; the
	// client2 -> echo pair exercises the "still allowed" side of the same rule.
	expect := func(a *check.Action) (check.Result, check.Result) {
		denied := a.Destination().HasLabel("kind", "echo") &&
			a.Source().HasLabel("name", "client")
		if denied {
			return check.ResultDropCurlTimeout, check.ResultPolicyDenyIngressDrop
		}
		return check.ResultOK, check.ResultOK
	}

	tc := newTest("client-ingress-to-echo-named-port-deny", ct)
	tc = tc.WithCiliumPolicy(allowAllEgressPolicyYAML)  // allow all egress traffic
	tc = tc.WithCiliumPolicy(allowAllIngressPolicyYAML) // allow all ingress traffic
	tc = tc.WithCiliumPolicy(clientEgressToEchoDenyNamedPortPolicyYAML)
	tc = tc.WithScenarios(
		tests.PodToPod(tests.WithSourceLabelsOption(clientLabel)),  // client -> echo: expected denied
		tests.PodToPod(tests.WithSourceLabelsOption(client2Label)), // client2 -> echo: expected allowed
	)
	tc.WithExpectations(expect)
}