Add an e2e test to verify that in-cluster traffic is not SNATed #35656

@pippolo84

Cilium v1.16 had a regression where in-cluster traffic was incorrectly SNATed and could not be matched to the source's security identity: #34615
Specifically, this affected IPAM modes "eni", "azure" and "alibabacloud" when the ipv4-native-routing-CIDR option was not explicitly set.

The issue has been addressed in both the v1.16 and main branches with, respectively, #35611 and #35624.

An e2e test should be added to verify that in-cluster traffic is not SNATed, following the repro depicted in #34615 itself (that is, apply a CNP to allow ingress traffic from pods on remote nodes, but not traffic from the remote nodes themselves).
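
A policy of the shape this issue describes, as an added example that is not taken from #34615 or from the Cilium test suite; the names, namespace, labels and port are assumptions. With it applied, a client pod on another node reaches the server only while its traffic keeps the pod source address and is matched to the pod's identity; traffic SNATed to the node address no longer matches `fromEndpoints`, so the connection fails and the test can assert on that.

```yaml
# Added illustration; name, namespace, labels and port are hypothetical.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-client-pods-only
  namespace: snat-test
spec:
  # Server pod, scheduled on a different node than the client pod.
  endpointSelector:
    matchLabels:
      app: snat-test-server
  ingress:
    # Allow only the client pods' security identity. There is no
    # fromEntities rule for "remote-node", so traffic that arrives with
    # a node source address does not match this rule.
    - fromEndpoints:
        - matchLabels:
            app: snat-test-client
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```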

Labels

- area/CI: Continuous Integration testing issue or flake
- area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- feature/snat: Relates to SNAT or Masquerading of traffic
- needs/e2e-test: This issue is not covered by existing CI tests, but should be.
- stale: The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
