From e79a55d9c09e541366fd3c514f7a6a1c1a67d079 Mon Sep 17 00:00:00 2001
From: Thomas Graf
Date: Thu, 18 Mar 2021 10:55:15 +0100
Subject: [PATCH] WIP: connectivity: Support validation of encryption

Requires Cilium >=1.9.5 || >=1.8.8

Fixes: #50

Signed-off-by: Thomas Graf
---
 .github/workflows/kind.yaml | 9 +++++++--
 connectivity/check/check.go | 25 +++++++++++++++++++++++++
 internal/cli/cmd/connectivity.go | 1 +
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/kind.yaml b/.github/workflows/kind.yaml
index 420e2ec1cd..252884aa26 100644
--- a/.github/workflows/kind.yaml
+++ b/.github/workflows/kind.yaml
@@ -60,7 +60,7 @@ jobs:
 - name: Connectivity Test
 run: |
- cilium connectivity test
+ cilium connectivity test --print-flows
 - name: Uninstall cilium
 run: |
@@ -74,9 +74,14 @@ jobs:
 run: |
 cilium status --wait
+ - name: Relay Port Forward
+ run: |
+ kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245&
+ sleep 5s
+
 - name: Connectivity test
 run: |
- cilium connectivity test
+ cilium connectivity test --expect-encryption --print-flows
 - name: Cleanup
 if: ${{ always() }}
diff --git a/connectivity/check/check.go b/connectivity/check/check.go
index 5c105d9cc1..dfe4fe7668 100644
--- a/connectivity/check/check.go
+++ b/connectivity/check/check.go
@@ -259,6 +259,10 @@ type TestContext interface {
 // Report is called to report the outcome of a test
 Report(r TestResult)
+
+ // ExpectEncryption returns true if all traffic across nodes is
+ // expected to be encrypted
+ ExpectEncryption() bool
 }
 // TestRun is the state of an individual test run
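Review bot: The `kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245&` step in the second kind.yaml hunk backgrounds the forward and then relies on a fixed `sleep 5s`, so nothing confirms the relay is actually serving before the `--expect-encryption` run starts; if hubble-relay is not yet available the forward presumably exits at once and the later flow-based encryption check has no relay to query. Waiting on the deployment first, `kubectl -n kube-system rollout status deployment/hubble-relay --timeout=120s`, and keeping the sleep only as a margin for the forward itself makes the step deterministic. It may also be worth terminating the backgrounded process in the `Cleanup` step rather than leaving it to the runner.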
@@ -415,6 +419,22 @@ func (t *TestRun) ValidateFlows(ctx context.Context, pod, podIP string, filterPa
 goodLog = append(goodLog, "✅ "+msg)
 }
 }
+
+ if t.context.ExpectEncryption() {
+ encryptedFlows := 0
+ for _, f := range flows.flows {
+ flow := f.GetFlow()
+ if flow.GetIP().Encrypted {
+ encryptedFlows++
+ } else {
+ t.Failure("Unencrypted flow found for pod %s", pod)
+ }
+ }
+
+ if encryptedFlows > 0 {
+ t.context.Log("✅ %d encrypted flows found for pod %s", encryptedFlows, pod)
+ }
+ }
 }
 // End is called at the end of a test run to signal completion. It must be
@@ -680,6 +700,7 @@ type Parameters struct {
 PostTestSleepDuration time.Duration
 FlowSettleSleepDuration time.Duration
 FlowValidation string
+ ExpectEncryption bool
 Writer io.Writer
 }
@@ -1145,6 +1166,10 @@ func (k *K8sConnectivityCheck) PostTestSleepDuration() time.Duration {
 return k.params.PostTestSleepDuration
 }
+func (k *K8sConnectivityCheck) ExpectEncryption() bool {
+ return k.params.ExpectEncryption
+}
+
 func (k *K8sConnectivityCheck) Report(r TestResult) {
 if k.results == nil {
 k.results = TestResults{}
diff --git a/internal/cli/cmd/connectivity.go b/internal/cli/cmd/connectivity.go
index 78dd0c7d31..3a4cbf3af7 100644
--- a/internal/cli/cmd/connectivity.go
+++ b/internal/cli/cmd/connectivity.go
@@ -72,6 +72,7 @@ func newCmdConnectivityCheck() *cobra.Command {
 cmd.Flags().StringVar(&contextName, "context", "", "Kubernetes configuration context")
 cmd.Flags().StringSliceVar(¶ms.Tests, "test", []string{}, "Run a particular set of tests")
 cmd.Flags().StringVar(¶ms.FlowValidation, "flow-validation", check.FlowValidationModeWarning, "Enable Hubble flow validation { disabled | warning | strict }")
+ cmd.Flags().BoolVar(¶ms.ExpectEncryption, "expect-encryption", false, "Expect all traffic to be encrypted and fail if clear text is encountered")
 return cmd
 }
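Review bot: `flow.GetIP().Encrypted` in the new `ExpectEncryption` branch of `ValidateFlows` dereferences the IP message directly, so a flow that carries no IP layer would panic instead of being reported; the generated nil-safe getter avoids that, `if flow.GetIP().GetEncrypted() {`. The loop also requires every observed flow to be encrypted, whereas the `TestContext.ExpectEncryption` comment added in the earlier check.go hunk promises only that traffic across nodes is encrypted, so same-node, host and external flows would be flagged as failures unless the loop is narrowed to cross-node flows or the comment is changed to match what is enforced. Finally, when `flows.flows` is empty the branch neither logs nor fails and the encryption expectation passes vacuously; if the surrounding validation does not already reject an empty flow set, an explicit `t.Failure("no flows observed for pod %s, cannot verify encryption", pod)` in the `encryptedFlows == 0` case would close that gap. ValidateFlows starts before this hunk.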
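Review bot: The new exported method `K8sConnectivityCheck.ExpectEncryption` in the `@@ -1145,6 +1166,10 @@` hunk has no doc comment, unlike the interface method it satisfies and the neighbouring accessors' convention of documenting exported names. Mirror the interface wording: `// ExpectEncryption returns true if all traffic across nodes is expected to be encrypted.`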
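Review bot: The `--expect-encryption` help text in connectivity.go does not mention the agent version the check depends on; per the commit message it requires Cilium >=1.9.5 or >=1.8.8, and on an older agent the flow field it reads would presumably never be set, so every flow would be reported as clear text for a reason unrelated to encryption. Consider stating that in the help string, e.g. `"Expect all traffic to be encrypted and fail if clear text is encountered (requires Cilium >=1.9.5 or >=1.8.8)"`, or verifying the agent version before enabling the check. newCmdConnectivityCheck starts before this hunk.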