Skip to content

Add basic kube-apiserver policy matching e2e test #18333

Merged
pchaigno merged 3 commits intocilium:masterfrom
christarazi:pr/christarazi/kube-apiserver-policy-e2e
Jan 11, 2022
Merged

Add basic kube-apiserver policy matching e2e test #18333
pchaigno merged 3 commits intocilium:masterfrom
christarazi:pr/christarazi/kube-apiserver-policy-e2e

Conversation

@christarazi
Copy link
Copy Markdown
Member

@christarazi christarazi commented Dec 23, 2021
edited
Loading

  • test/helpers: Clarify expected usage of variadic params
  • test/k8sT: Reduce code duplication in Policies suite
  • test/k8sT: add e2e test for kube-apiserver policy matching

Updates: #17829

@christarazi
test/helpers: Clarify expected usage of variadic params
865adef 
It was not clear that the Curl*() helpers were expecting the first
parameter to be a format string (fmt.Sprintf()) if multiple parameters
are passed (for additional args to `curl`).

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi requested a review from a team as a code owner December 23, 2021 19:38
@christarazi christarazi requested a review from a team December 23, 2021 19:38
@christarazi christarazi added area/CI-improvement Topic or proposal to improve the Continuous Integration workflow area/CI Continuous Integration testing issue or flake sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/ci This PR makes changes to the CI. labels Dec 23, 2021
@christarazi christarazi requested a review from pchaigno December 23, 2021 19:38
@maintainer-s-little-helper maintainer-s-little-helper Bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Dec 23, 2021
@christarazi christarazi changed the title pr/christarazi/kube apiserver policy e2e Add basic kube-apiserver policy matching e2e test Dec 23, 2021
@christarazi christarazi mentioned this pull request Dec 23, 2021
Open
7 tasks
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Dec 23, 2021
edited by maintainer-s-little-helper Bot
Loading

/test

Job 'Cilium-PR-K8s-1.21-kernel-5.4' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDatapathConfig AutoDirectNodeRoutes Check connectivity with sockops and direct routing

Failure Output

FAIL: Error creating resource /home/jenkins/workspace/Cilium-PR-K8s-1.21-kernel-5.4/src/github.com/cilium/cilium/test/k8sT/manifests/l3-policy-demo.yaml: Cannot retrieve cilium pod cilium-5hkgq policy revision: cannot get revision from json output 'Defaulted container "cilium-agent" out of: cilium-agent, mount-cgroup (init), clean-cilium-state (init)

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-5.4 so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.23-kernel-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer

Failure Output

FAIL: k8s3 host unexpectedly connected to service "10.0.0.241", it should fail

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.23-kernel-net-next so I can create a new GitHub issue to track it.

@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from 7547b98 to 7c22439 Compare December 28, 2021 01:10
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Dec 28, 2021
edited by maintainer-s-little-helper Bot
Loading

/test

Job 'Cilium-PR-K8s-1.21-kernel-5.4' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer

Failure Output

FAIL: HTTP ingress connectivity to pod "10.0.1.230" from remote node

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-5.4 so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.22-kernel-4.19' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer

Failure Output

FAIL: HTTP ingress connectivity to pod "10.0.1.164" from remote node

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.22-kernel-4.19 so I can create a new GitHub issue to track it.

@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from 7c22439 to ab7b7d5 Compare December 28, 2021 03:05
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Dec 28, 2021
edited by maintainer-s-little-helper Bot
Loading

/test

Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer

Failure Output

FAIL: HTTP ingress connectivity to pod "10.204.2.112" from remote node

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-GKE so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.23-kernel-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer

Failure Output

FAIL: failed to ensure kubectl version: failed to run kubectl version

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.23-kernel-net-next so I can create a new GitHub issue to track it.

@christarazi
test/k8sT: Reduce code duplication in Policies suite
de8b2a0 
This commit makes a few changes to the Policies suite which will be
useful in the subsequent commit.

* Extract common functions from Policies suite to be used outside of the
  Describe block
* Converge existing testCurlFromOutside() usage from the Services suite

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from ab7b7d5 to 256bb94 Compare December 28, 2021 07:17
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Dec 28, 2021
edited by maintainer-s-little-helper Bot
Loading

/test

Job 'Cilium-PR-Runtime-net-next' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

RuntimeKVStoreTest KVStore tests Etcd KVStore

Failure Output

FAIL: Endpoints are not ready after timeout

If it is a flake, comment /mlh new-flake Cilium-PR-Runtime-net-next so I can create a new GitHub issue to track it.

Job 'Cilium-PR-K8s-1.16-kernel-4.9' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running

Failure Output

FAIL: Timed out after 240.001s.

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.9 so I can create a new GitHub issue to track it.

@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from 256bb94 to 731a78c Compare December 28, 2021 18:48
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Dec 28, 2021

/test

pchaigno
pchaigno reviewed Jan 3, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@pchaigno pchaigno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only minor comments from me.

Comment thread test/k8sT/Policies.go Outdated
Comment thread test/k8sT/Policies.go Outdated
Comment thread test/k8sT/Policies.go Outdated
Copy link
Copy Markdown
Member

@pchaigno pchaigno Jan 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are those three configs needed?

Copy link
Copy Markdown
Member Author

@christarazi christarazi Jan 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can speak for the last two, but not the first. The last two will help with the sysdump investigation if a test fails. These are the same options configured in the first Describe block as well.

Copy link
Copy Markdown
Member

@pchaigno pchaigno Jan 5, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not specific to this PR then, but maybe we should enable those options for all tests in helpers/kubectl.go rather than in specific Describes. hubble.enabled=true is already the default there. debug.verbose is sneakily set to flow in the definition of helper function DeployCiliumAndDNS 😬

Copy link
Copy Markdown
Member Author

@christarazi christarazi Jan 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I didn't notice this. I'll followup to clean this up when #18431 is merged. (If that merged before this one, then I'll rebase, otherwise it'll just be another followup PR.)

Comment thread test/k8sT/manifests/cnp-to-entities-kube-apiserver-deny.yaml Outdated
Comment thread test/k8sT/Policies.go Outdated
@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from be1b0a1 to c9ff7d3 Compare January 4, 2022 21:49
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Jan 4, 2022
edited by maintainer-s-little-helper Bot
Loading

/test

Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDemosTest Tests Star Wars Demo

Failure Output

FAIL: unable to access deathstar.default.svc.cluster.local/v1/exhaust-port when policy allows it; 000

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-GKE so I can create a new GitHub issue to track it.

@christarazi christarazi requested a review from pchaigno January 4, 2022 21:50
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Jan 5, 2022
edited by maintainer-s-little-helper Bot
Loading

/mlh new-flake Cilium-PR-K8s-GKE

👍 created #18374

jrajahalme
jrajahalme approved these changes Jan 10, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@jrajahalme jrajahalme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nit on a comment only :-)

Comment thread test/k8sT/Policies.go Outdated
@christarazi christarazi mentioned this pull request Jan 10, 2022
Merged
@christarazi
test/k8sT: Add e2e test for kube-apiserver policy matching
e4b670c 
This test covers both cases where the kube-apiserver is within the
cluster or outside of the cluster.

This commit adds a second Describe block to the Policies, see comment on
top of the second Describe block for why.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/kube-apiserver-policy-e2e branch from c9ff7d3 to e4b670c Compare January 10, 2022 22:49
@christarazi
Copy link
Copy Markdown
Member Author

christarazi commented Jan 10, 2022
edited
Loading

Pushed only a change to the comment as mentioned by #18333 (comment). No need to re-run CI. Marking ready to merge.

@christarazi christarazi added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 10, 2022
@pchaigno pchaigno merged commit a6f9905 into cilium:master Jan 11, 2022
@pchaigno pchaigno mentioned this pull request Jan 11, 2022
Merged
@christarazi christarazi deleted the pr/christarazi/kube-apiserver-policy-e2e branch January 11, 2022 19:01
@christarazi christarazi mentioned this pull request Jan 12, 2022
Merged
@aditighag aditighag mentioned this pull request Jan 14, 2022
Merged
@christarazi christarazi added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jan 17, 2022
@joestringer joestringer mentioned this pull request Jan 18, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pchaigno pchaigno pchaigno approved these changes

@jrajahalme jrajahalme jrajahalme approved these changes

Assignees

No one assigned

Labels

area/CI Continuous Integration testing issue or flake area/CI-improvement Topic or proposal to improve the Continuous Integration workflow backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@christarazi @pchaigno @jrajahalme @aditighag