testing coverage: add matrix / table of what configuration options of daemon we are currently testing (and need to test!)

[ianvernon]

Subtasks

• CI: Add policy test to testPodConnectivityAcrossNodes #11486 - Direct-routing + (L7) policy

Dimensions

Included in matrix below

• Endpoint devices - veth / ipvlan
• Cluster connectivity - direct-routing (endpoint routes) / direct-routing (tailcall) / tunnel-mode
• Service connectivity - kube-proxy nodeport / BPF nodeport
• Traffic security - encryption / no encryption
• Endpoint security - L7 / no L7
• Socket acceleration - sockops / no sockops

Excluded from matrix below

The below are excluded to keep the matrix to a manageable size; their impact on dataplane connectivity is lower than those in the above list.

• Host services - host-reachable / none
• Host security - encrypt-node / none
• IP connectivity - IPv4 / IPv6 / both

Commandline arguments for configuration

• --datapath-mode (veth / ipvlan)
• --ipam (This actually controls not only IPAM, but also ENI mode for CNI)
• --tunnel, --auto-direct-node-routes
• --enable-node-port
• --masquerade
• --enable-host-reachable-services
• --install-iptables-rules (impacts ipsec, L7 policy, NodePort via kube-proxy)
• --enable-ipsec
• --encrypt-interface (should be covered by --enable-ipsec)
• --encrypt-node
• --single-cluster-route (incompatible with tunnel disabled)
• --enable-endpoint-routes
• --sockops-enable
• --enable-ipv4 / --enable-ipv6

Configuration Matrix

Reading the matrix

• The top of the matrix determines settings related to security
• The left of the matrix determines settings related to connectivity

Key

• X -- Invalid combination
• N -- No known testing
• M -- Manually tested during 1.6 cycle
• A -- Automatically regression-tested by CI (basic connectivity)

Matrix

Note, eni is the cluster connectivity device type + configuration, not endpoint device type. ENI is typically onfigured with veth devices. This matrix needs updating.

---	---	---	Socket Acceleration	Disabled	Disabled	Disabled	Disabled	Enabled	Enabled	Enabled	Enabled
---	---	---	Traffic Encryption	No IPsec	No IPsec	IPsec	IPsec	No IPsec	No IPsec	IPsec	IPsec
---	---	---	Endpoint Security	No L7 Policy	L7 Policy applied	No L7 Policy	L7 Policy applied	No L7 Policy	L7 Policy applied	No L7 Policy	L7 Policy applied
Endpoint Devices	Cluster Connectivity	Service Connectivity	---	---	---	---	---	---	---	---	---
veth	Tunnel	No service (to pod)	---	A[0,2]	A[1]	A[2]	N	A[2]	N	N	N
veth	Tunnel	kube-proxy	---	A[3]	A[3]	N	N	N	N	N	N
veth	Tunnel	via BPF	---	X[4]	X[4]	X[4]	X[4]	N	N	N	N
veth	Direct Routing (tailcall)	No service (to pod)	---	A[2]	N	A[2]	N	N	N	N	N
veth	Direct Routing (tailcall)	kube-proxy	---	N	N	N	N	N	N	N	N
veth	Direct Routing (tailcall)	via BPF	---	X[4]	X[4]	X[4]	X[4]	N	N	N	N
veth	Direct Routing (ep-route)	No service (to pod)	---	A[2]	N	N	N	N	N	N	N
veth	Direct Routing (ep-route)	kube-proxy	---	N	N	N	N	N	N	N	N
veth	Direct Routing (ep-route)	via BPF	---	X[4]	X[4]	X[4]	X[4]	N	N	N	N
ipvlan	Tunnel	No service (to pod)	---	X[5]	X[5]	X[5]	X[5]	N	N	N	N
ipvlan	Tunnel	kube-proxy	---	X[5]	X[5]	X[5]	X[5]	N	N	N	N
ipvlan	Tunnel	via BPF	---	X[5]	X[5]	X[5]	X[5]	N	N	N	N
ipvlan	Direct Routing (tailcall)	No service (to pod)	---	A[0]	X[5]	N	X[5]	N	N	N	N
ipvlan	Direct Routing (tailcall)	kube-proxy	---	N	X[5]	N	X[5]	N	N	N	N
ipvlan	Direct Routing (tailcall)	via BPF	---	M	X[5]	N	X[5]	N	N	N	N
ipvlan	Direct Routing (ep-route)	No service (to pod)	---	N	N	N	N	N	N	N	N
ipvlan	Direct Routing (ep-route)	kube-proxy	---	N	N	N	N	N	N	N	N
ipvlan	Direct Routing (ep-route)	via BPF	---	N	N	N	N	N	N	N	N

Footnotes

• [0] via https://github.com/cilium/cilium/blob/master/test/runtime/connectivity.go
• [1] via https://github.com/cilium/cilium/blob/master/test/runtime/Policies.go
• [2] via https://github.com/cilium/cilium/blob/master/test/k8sT/DatapathConfiguration.go
• [3] via https://github.com/cilium/cilium/blob/master/test/k8sT/Services.go
• [4] I can't find any documentation related to this, but I don't think BPF nodeport works with tunneling or veth.
• [5] via https://docs.cilium.io/en/latest/gettingstarted/ipvlan/#ipvlan-based-networking-beta
• [6] I can't find any documentation related to this, but I don't think ENI + Tunnel works. ENI + Tunnel works but it's pretty pointless. I've manually tested it but don't expect anybody to use it.

Notes and limitations

• This matrix is focused on configuration elements that affect datapath configuration such as BPF programs, iptables rules, rule and route configurations. It does not attempt to distinguish policy cases such as in-cluster/out-cluster; L3/L4/L7 Policy (other than for the L7 redirects); etc.
• The datapath configuration tests configure different combinations of the above dimensions, however they do not cover the matrix with L7 policy; nor do they make calls through services; only directly via pod IPs.
• Per-endpoint routes is considered orthogonal to tunnel and only compatible with direct-routing, hence only an option for direct routing in the table above.

[joestringer]

host services / security could be added trivially to the matrix by adding them to the encryption / services column/row, though AFAIK the current status is pretty much that they were presumably manual tested when the feature went in but there is no CI coverage on these features.

[jrfastab]

Thanks for doing this although I don't actually think this statement is correct "The below are excluded to keep the matrix to a manageable size; they are also typically orthogonal to the dataplane connectivity." Sockmap and encryption both change the datapath quite a bit IMO.

[jrfastab]

For encryption I have a patch that can enable encryption for the entire CI run so we may want to consider running this at some cadence, nightly, weekly, at minimum before RC releases?

[jrfastab]

Any objections to adding a test to connectivity tests that also adds L7 policy. For CI this would be good to run in all CI runs so we bounce through proxy in ipsec/sockmap cases.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.