test/K8sServices: Fix externalTrafficPolicy=Local with kube-proxy (on GKE)

[gandro]

This commit fixes the test harness for externalTrafficPolicy=Local in
the case where we are accessing a node IP without a local backend from a
node with host reachable services enabled.

This is a known incompatibility between our kube-proxy replacement and
upstream kube-proxy. The existing test harness assumed that we only need
to handle this case if we are running without kube-proxy. This
assumption however is wrong, as we are running these tests in hybrid
mode, where we are running with both kube-proxy and Cilium's kube-proxy
replacement.

This has not been hit in our existing test suites up until recently,
because we did not have a test setup with both kube-proxy and the
kube-proxy replacement enabled at the same time. As GKE has been
upgraded to Linux 4.19, it is now using the described hybrid setup which has
caused the tests to break.

The test matrix as of writing now looks as follows:

Test Suite	kube-proxy	kube-proxy replacement
K8s-1.18-kernel-4.9	Yes	No (Kernel 4.9.x)
K8s-1.17-Kernel-4.19	No	Yes (Kernel 4.19.57)
K8s-1.12-Kernel-netnext	No	Yes (Kernel 5.8.0-rc1+)
Cilium-PR-Ginkgo-Tests-k8s	Yes	No (Kernel 4.9.x)
Cilium-PR-K8s-GKE	Yes	Yes (Kernel 4.19.112+)

Fixes: 67f85e3 ("tests: enable additional externalTrafficPolicy=Local tests")

[gandro]

test-me-please

[coveralls]

Coverage decreased (-0.009%) to 36.634% when pulling bee0976 on pr/gandro/ci-fix-externaltrafficpolicy-local-tests-on-gke into ea53587 on master.

[nebril]

gke seems to be failing due to unrelated cause, will restart

[nebril]

test-gke

[nebril]

test-gke

[gandro]

test-gke

[brb]

Could you extend the comment saying why it won't work on kube-proxy?

[gandro]

Added the following comment:

// This is a known incompatibility with kube-proxy:
// kube-proxy 1.15+ will only load-balance requests from k8s1 to k8s1,
// but not from k8s2 to k8s1. In the k8s2 to k8s1 case, kube-proxy
// would send traffic to k8s1, where it would be subsequently
// dropped, because k8s1 has no service backend.
// However, if HostReachableServices is enabled, then Cilium does
// the service translation already on the client node, bypassing
// kube-proxy completely.

[brb]

Thanks!

[gandro]

test-me-please

[nebril]

test-gke

[nebril]

test-me-please

[gandro]

Rebased on #12725 - as GKE can not pass otherwise.

Naturally blocked on #12725 getting merged first.

[gandro]

test-me-please

[nebril]

#12725 is merged, please rebase

ninja edit - didn't refresh the pr page

[nebril]

test-gke

[gandro]

Looks like GetCiliumPodOnNode returned an empty string on GKE?

Edit: That function probably doesn't work on GKE anways. Switched to GetCiliumPodOnNodeWithLabel

[gandro]

test-me-please

[gandro]

GKE hit Suite-k8s-1.15.K8sChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running which seems unrelated.

[gandro]

test-gke

[gandro]

Again hit Suite-k8s-1.15.K8sChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running (on GKE)

[gandro]

I'm merging this. It seems like it did fix the externalTrafficPolicy=Local issue on GKE (it passed two times) as well as all other CI. The GKE failure in the Chaos test is unrelated.