connectivity: Replace allow-all with allow-all-except-world

In the Cilium datapath, the identity "world" is a special case. If traffic cannot be identified, then the datapath falls back to assigning it as "world". Having only "allow-all" in the connectivity test will mask failures in which we have datapath bugs that incorrectly assign traffic as "world", but the traffic is still allowed. One such case is cilium/cilium#17000. This commit replaces the "allow-all" test with "allow-all-except-world" (and unmanaged), thereby covering the datapath special case. We don't want to allow unmanaged traffic either because it could also lead mark underlying datapath bugs, such as a delay in propagation of identities. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
cilium · Aug 10, 2021 · 42b93eb · 42b93eb
1 parent 136e8bf
commit 42b93eb
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/connectivity/manifests/allow-all.yaml → ...ity/manifests/allow-all-except-world.yaml b/connectivity/manifests/allow-all.yaml → ...ity/manifests/allow-all-except-world.yaml
@@ -2,12 +2,20 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   namespace: cilium-test
-  name: allow-all
+  name: allow-all-except-world
 spec:
   endpointSelector: {}
   egress:
   - toEntities:
-    - all
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
   ingress:
   - fromEntities:
-    - all
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -23,8 +23,8 @@ import (
 )
 
 var (
-	//go:embed manifests/allow-all.yaml
-	allowAllPolicyYAML string
+	//go:embed manifests/allow-all-except-world.yaml
+	allowAllExceptWorldPolicyYAML string
 
 	//go:embed manifests/client-egress-only-dns.yaml
 	clientEgressOnlyDNSPolicyYAML string
@@ -68,15 +68,14 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 		tests.PodToCIDR(""),
 	)
 
-	// Test with an allow-all policy.
-	ct.NewTest("allow-all").WithPolicy(allowAllPolicyYAML).
+	// Test with an allow-all-except-world (and unmanaged) policy.
+	ct.NewTest("allow-all-except-world").WithPolicy(allowAllExceptWorldPolicyYAML).
 		WithScenarios(
 			tests.PodToPod(""),
 			tests.ClientToClient(""),
 			tests.PodToService(""),
 			tests.PodToRemoteNodePort(""),
 			tests.PodToLocalNodePort(""),
-			tests.PodToWorld(""),
 			tests.PodToHost(""),
 			tests.PodToExternalWorkload(""),
 		)