connectivity: Split allow-all test to test allow-all-except-world

In the Cilium datapath, the identity "world" is a special case. If traffic cannot be identified, then the datapath falls back to assigning it as "world". Having only "allow-all" in the connectivity test will mask failures in which we have datapath bugs that incorrectly assign traffic as "world", but the traffic is still allowed. One such case is cilium/cilium#17000. This commit splits up the "allow-all" test into two, which now does "allow-all" as well as "allow-all-except-world", where non-world traffic is *not* allowed. This should cover the datapath special case. Signed-off-by: Chris Tarazi <chris@isovalent.com>
cilium · Aug 4, 2021 · 68b830c · 68b830c
1 parent 687fa48
commit 68b830c
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 8 deletions.
diff --git a/connectivity/manifests/allow-all-except-world.yaml b/connectivity/manifests/allow-all-except-world.yaml
@@ -0,0 +1,23 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  namespace: cilium-test
+  name: allow-all-except-world
+spec:
+  endpointSelector: {}
+  egress:
+  - toEntities:
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
+    - unmanaged
+  ingress:
+  - fromEntities:
+    - host
+    - remote-node
+    - cluster
+    - init
+    - health
+    - unmanaged
diff --git a/connectivity/suite.go b/connectivity/suite.go
@@ -26,6 +26,9 @@ var (
 	//go:embed manifests/allow-all.yaml
 	allowAllPolicyYAML string
 
+	//go:embed manifests/allow-all-except-world.yaml
+	allowAllExceptWorldPolicyYAML string
+
 	//go:embed manifests/client-egress-only-dns.yaml
 	clientEgressOnlyDNSPolicyYAML string
 
@@ -68,17 +71,31 @@ func Run(ctx context.Context, ct *check.ConnectivityTest) error {
 		tests.PodToCIDR(""),
 	)
 
+	allowAllCommon := []check.Scenario{
+		tests.PodToPod(""),
+		tests.ClientToClient(""),
+		tests.PodToService(""),
+		tests.PodToRemoteNodePort(""),
+		tests.PodToLocalNodePort(""),
+		tests.PodToHost(""),
+		tests.PodToExternalWorkload(""),
+	}
+
+	// Test with an allow-all policy.
+	ct.NewTest("allow-all-except-world").WithPolicy(allowAllExceptWorldPolicyYAML).
+		WithScenarios(
+			allowAllCommon...,
+		)
+
 	// Test with an allow-all policy.
 	ct.NewTest("allow-all").WithPolicy(allowAllPolicyYAML).
 		WithScenarios(
-			tests.PodToPod(""),
-			tests.ClientToClient(""),
-			tests.PodToService(""),
-			tests.PodToRemoteNodePort(""),
-			tests.PodToLocalNodePort(""),
-			tests.PodToWorld(""),
-			tests.PodToHost(""),
-			tests.PodToExternalWorkload(""),
+			append(
+				[]check.Scenario{
+					tests.PodToWorld(""),
+				},
+				allowAllCommon...,
+			)...,
 		)
 
 	// Only allow UDP:53 to kube-dns, no DNS proxy enabled.