Host firewall tests #12621
Merged
Host firewall tests #12621
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2987c8e to
9bb4503
Compare
This comment has been minimized.
This comment has been minimized.
34 tasks
16b2055 to
2572a2a
Compare
pchaigno
commented
Jul 24, 2020
aanm
reviewed
Jul 25, 2020
My original post was a bit unclear so not sure we're on the same page. The new host firewall tests I added will run regardless of the On the general risk of regressions once we stop testing something, I agree. That is partly why I'm only making this change now that we also have some first host firewall tests. Then, why don't I want the host firewall enabled by default in all tests? Because (1) with #12345, enabling the host firewall changes the path of packets in some cases (pod1@node1>node1 and pod1@node1->node2) and (2) it's not the default setup most users will run. I intend to use the new label to run additional tests on PRs that may impact the host firewall. |
👍
Why can't we deploy Cilium to run with host firewall and run these tests (besides the setups that we already have)? |
|
test-me-please |
brb
reviewed
Jul 27, 2020
2572a2a to
8ae8524
Compare
|
I pushed an update but this is currently blocked by #12834 so switching to draft. |
6d785d9 to
722aeaf
Compare
|
Runtime tests failed with #12862: https://jenkins.cilium.io/job/Cilium-PR-Runtime-4.9/1553/testReport/junit/(root)/Suite-runtime/RuntimePrivilegedUnitTests_Run_Tests/ |
christarazi
approved these changes
Aug 17, 2020
The host firewall is only enabled in CI if label ci/host-firewall is set. The goal is to have default CI options closer to common user environments and host firewall is not enabled by default in those. Signed-off-by: Paul Chaignon <paul@cilium.io>
This commit extends the existing fromCIDR+toPorts policy test to test the same kind of policy for the host firewall. To that end, it: 1. Enables the host firewall. The issue in comment is not relevant anymore since masquerading is disabled. 2. Introduce a helper to get the ID of the host endpoint. This helper will likely be needed for other host firewall tests as well. 3. Load a new DaemonSet to instanciate a host-networking pod on each k8s node. This pod serves as the target for host firewall connectivity tests. 4. Extend the existing test cases with CCNP tests. Signed-off-by: Paul Chaignon <paul@cilium.io>
This commit adds new tests, identical to NodePort tests under vxlan tunneling and direct routing, but with an ingress+egress host policy applied. The host policy only allow communications between nodes and to specific endpoints for readiness probes. Signed-off-by: Paul Chaignon <paul@cilium.io>
722aeaf to
3c86d17
Compare
brb
approved these changes
Aug 25, 2020
|
test-me-please |
pchaigno
added a commit
that referenced
this pull request
Feb 1, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added a commit
that referenced
this pull request
Feb 4, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added a commit
that referenced
this pull request
Feb 8, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
borkmann
pushed a commit
that referenced
this pull request
Feb 9, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
lyveng
pushed a commit
to lyveng/cilium
that referenced
this pull request
Mar 4, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - cilium#12621 2 - cilium#14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
vadorovsky
pushed a commit
to vadorovsky/cilium
that referenced
this pull request
May 19, 2021
[ upstream commit 6f59f4f ] We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - cilium#12621 2 - cilium#14255 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
twpayne
pushed a commit
that referenced
this pull request
May 21, 2021
[ upstream commit 6f59f4f ] We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR disables the host firewall by default in CI. It will only be enabled for all tests when the label
ci/host-firewallis set. Tests that specifically enable the host firewall (see below) will still run regardless of the label.The two last commits then add two new tests for the host firewall:
I verified
ci/host-firewallworks by running the tests with that label in #12672.