Commit
connectivity: Replace allow-all with allow-all-except-world
In the Cilium datapath, the identity "world" is a special case. If traffic cannot be identified, then the datapath falls back to assigning it as "world". Having only "allow-all" in the connectivity test will mask failures in which we have datapath bugs that incorrectly assign traffic as "world", but the traffic is still allowed. One such case is cilium/cilium#17000.

This commit replaces the "allow-all" test with "allow-all-except-world" (and unmanaged), thereby covering the datapath special case. We don't want to allow unmanaged traffic either because it could also mask underlying datapath bugs, such as a delay in propagation of identities.

Signed-off-by: Paul Chaignon <paul@cilium.io>
Signed-off-by: Chris Tarazi <chris@isovalent.com>