connectivity: Replace allow-all with allow-all-except-world

In the Cilium datapath, the identity "world" is a special case. If traffic cannot be identified, then the datapath falls back to assigning it as "world". Having only "allow-all" in the connectivity test will mask failures in which we have datapath bugs that incorrectly assign traffic as "world", but the traffic is still allowed. One such case is cilium/cilium#17000. This commit replaces the "allow-all" test with "allow-all-except-world" (and unmanaged), thereby covering the datapath special case. We don't want to allow unmanaged traffic either because it could also lead mark underlying datapath bugs, such as a delay in propagation of identities. Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Chris Tarazi <chris@isovalent.com>
cilium · Feb 9, 2022 · 62f5cfe · 62f5cfe
1 parent 614958c
commit 62f5cfe
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 18 deletions.
diff --git a/connectivity/manifests/allow-all-except-world.yaml b/connectivity/manifests/allow-all-except-world.yaml
@@ -0,0 +1,27 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  namespace: cilium-test
+  name: allow-all-except-world
+spec:
+  endpointSelector: {}
+  egress:
+  - toEntities:
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
+    - kube-apiserver
+  - toEndpoints:
+    - {}
+  ingress:
+  - fromEntities:
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
+    - kube-apiserver
+  - fromEndpoints:
+    - {}
diff --git a/connectivity/manifests/allow-all.yaml b/connectivity/manifests/allow-all.yaml
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -12,8 +12,8 @@ import (
 )
 
 var (
-	//go:embed manifests/allow-all.yaml
-	allowAllPolicyYAML string
+	//go:embed manifests/allow-all-except-world.yaml
+	allowAllExceptWorldPolicyYAML string
 
 	//go:embed manifests/client-egress-only-dns.yaml
 	clientEgressOnlyDNSPolicyYAML string
@@ -57,15 +57,14 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 		tests.PodToCIDR(""),
 	)
 
-	// Test with an allow-all policy.
-	ct.NewTest("allow-all").WithPolicy(allowAllPolicyYAML).
+	// Test with an allow-all-except-world (and unmanaged) policy.
+	ct.NewTest("allow-all-except-world").WithPolicy(allowAllExceptWorldPolicyYAML).
 		WithScenarios(
 			tests.PodToPod(""),
 			tests.ClientToClient(""),
 			tests.PodToService(""),
 			tests.PodToRemoteNodePort(""),
 			tests.PodToLocalNodePort(""),
-			tests.PodToWorld(""),
 			tests.PodToHost(""),
 			tests.PodToExternalWorkload(""),
 		)