Better control plane tests for kube-apiserver entities #29432

Closed
squeed opened this issue Nov 28, 2023 · 3 comments
Labels
area/CI Continuous Integration testing issue or flake kind/cleanup This includes no functional changes. sig/agent Cilium agent related. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.

Comments

@squeed
Contributor

squeed commented Nov 28, 2023

The special reserved:kube-apiserver label has a complex interaction. The source of this data is the Endpoints / EndpointSlice watcher. Additionally, the presence of this label on a prefix can result in at least 4 different cases, depending on which IP has the label:

  1. The local node, in which case identity 1 gets the reserved:kube-apiserver label and the identity is mutated (fix).
  2. A remote node, without --policy-cidr-match-mode=nodes, in which case that IP's identity changes from 6 (remote-node) to 7 (kube-apiserver)
  3. A remote node, with --policy-cidr-match-mode=nodes, in which case that IP gains an additional label and the identity is recalculated
  4. An arbitrary IP, in which case that prefix gains a label and is upserted into the ipcache.

When the IP in question is not a cluster node, it can be in several states:

  • Unknown to Cilium
  • Already allocated via ToCIDR policy
  • Already allocated via FQDN policy

We need to write controlplane tests, using the black-box control plane simulator in test/controlplane, that exercise as many of these state transitions as possible. We should also consider backporting these tests, as older versions also need to support all of these transitions.

@squeed squeed added area/CI Continuous Integration testing issue or flake kind/cleanup This includes no functional changes. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. sig/agent Cilium agent related. labels Nov 28, 2023
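
The cases listed in the issue above, written out as a table that a test could iterate over. This is an added example, not code from the Cilium repository or from any commenter; all type and function names are hypothetical, and identity numbers appear only where the issue names them (0 otherwise).

```go
package main

import "fmt"

// Constructed model of the cases listed in the issue. Not Cilium code:
// every type and function name here is hypothetical.
type Role int

const (
	LocalNode Role = iota
	RemoteNode
	OtherIP // an IP that is not a cluster node
)

// Case is one starting state before the IP shows up as a kube-apiserver endpoint.
type Case struct {
	Role      Role
	NodesMode bool   // agent runs with --policy-cidr-match-mode=nodes
	Prior     string // OtherIP only: "unknown", "ToCIDR" or "FQDN"
}

// Expect returns the identity before and after (0 where the issue gives no
// number) and the effect the issue describes for that case.
func Expect(c Case) (from, to int, effect string) {
	switch {
	case c.Role == LocalNode:
		return 1, 1, "identity 1 gains the label and is mutated in place"
	case c.Role == RemoteNode && !c.NodesMode:
		return 6, 7, "remote-node identity becomes kube-apiserver"
	case c.Role == RemoteNode:
		return 0, 0, "IP gains an additional label, identity recalculated"
	}
	return 0, 0, "prefix (" + c.Prior + ") gains a label, upserted into ipcache"
}

// Matrix lists every combination the issue distinguishes: 1 + 2 + 3 cases.
func Matrix() []Case {
	m := []Case{{Role: LocalNode}, {Role: RemoteNode}, {Role: RemoteNode, NodesMode: true}}
	for _, p := range []string{"unknown", "ToCIDR", "FQDN"} {
		m = append(m, Case{Role: OtherIP, Prior: p})
	}
	return m
}

func main() {
	for _, c := range Matrix() {
		from, to, effect := Expect(c)
		fmt.Printf("%+v: %d -> %d, %s\n", c, from, to, effect)
	}
}
```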
@nathanjsweet
Member

Will these help?


github-actions bot commented Feb 7, 2024

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Feb 7, 2024

This issue has not seen any activity since it was marked stale.
Closing.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 21, 2024