tests, services: update pod loopback bpf nodeport tests

After updating the cilium-runtime image we also get a newer bpftool
build which generates a bpf_features.h header that includes the netns
cookie and therefore on bpf-next kernel we must fail this particular
test.

Similarly, doFragmentedRequest() from pod loopback does not make sense
either anymore. Given we performed the earlier testCurlRequestFail()
for a service, there is no point in retesting a fragmented request
again for this address.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

test/k8sT/Services.go

@@ -155,6 +155,18 @@ var _ = Describe("K8sServicesTest", func() {
 		}
 	}
 
+	testCurlRequestFail := func(clientPodLabel, url string) {
+		pods, err := kubectl.GetPodNames(helpers.DefaultNamespace, clientPodLabel)
+		ExpectWithOffset(1, err).Should(BeNil(), "cannot retrieve pod names by filter %q", testDSClient)
+		for _, pod := range pods {
+			res := kubectl.ExecPodCmd(
+				helpers.DefaultNamespace, pod,
+				helpers.CurlFail(url))
+			ExpectWithOffset(1, res).ShouldNot(helpers.CMDSuccess(),
+				"Pod %q can unexpectedly connect to service %q", pod, url)
+		}
+	}
+
 	waitPodsDs := func() {
 		groups := []string{testDS, testDSClient, testDSK8s2}
 		for _, pod := range groups {
@@ -659,13 +671,13 @@ var _ = Describe("K8sServicesTest", func() {
 				// From pod via loopback (host reachable services)
 				httpURL = getHTTPLink("127.0.0.1", data.Spec.Ports[0].NodePort)
 				tftpURL = getTFTPLink("127.0.0.1", data.Spec.Ports[1].NodePort)
-				testCurlRequest(testDSClient, httpURL)
-				testCurlRequest(testDSClient, tftpURL)
+				testCurlRequestFail(testDSClient, httpURL)
+				testCurlRequestFail(testDSClient, tftpURL)
 
 				httpURL = getHTTPLink("::ffff:127.0.0.1", data.Spec.Ports[0].NodePort)
 				tftpURL = getTFTPLink("::ffff:127.0.0.1", data.Spec.Ports[1].NodePort)
-				testCurlRequest(testDSClient, httpURL)
-				testCurlRequest(testDSClient, tftpURL)
+				testCurlRequestFail(testDSClient, httpURL)
+				testCurlRequestFail(testDSClient, tftpURL)
 
 				// From pod via local cilium_host
 				httpURL = getHTTPLink(localCiliumHostIPv4, data.Spec.Ports[0].NodePort)
@@ -875,10 +887,6 @@ var _ = Describe("K8sServicesTest", func() {
 				remoteCiliumHostIPv4, err := kubectl.GetCiliumHostIPv4(context.TODO(), k8s2Name)
 				Expect(err).Should(BeNil(), "Cannot retrieve remote cilium_host ipv4")
 
-				// From pod via loopback (host reachable services)
-				doFragmentedRequest(clientPod, clientIP, helpers.K8s1, serverPort, "127.0.0.1", nodePort)
-				doFragmentedRequest(clientPod, clientIP, helpers.K8s1, serverPort, "::ffff:127.0.0.1", nodePort)
-
 				// From pod via local cilium_host
 				doFragmentedRequest(clientPod, clientIP, helpers.K8s1, serverPort, localCiliumHostIPv4, nodePort)
 				doFragmentedRequest(clientPod, clientIP, helpers.K8s1, serverPort, "::ffff:"+localCiliumHostIPv4, nodePort)