Skip to content

ginkgo: remove ClusterIP cannot be accessed externally when access is disabled#44192

Merged
joestringer merged 3 commits intomainfrom
pr/smagnani96/ginkgo-1
Feb 17, 2026
Merged

ginkgo: remove ClusterIP cannot be accessed externally when access is disabled#44192
joestringer merged 3 commits intomainfrom
pr/smagnani96/ginkgo-1

Conversation

@smagnani96
Copy link
Copy Markdown
Contributor

@smagnani96 smagnani96 commented Feb 4, 2026
edited
Loading

Please refer to commit messages:

  1. simple refactor to explicit an agent flag in clusterip.txtar, no functionale changes
  2. add new BPF test to check this behavior for IPv4/6
  3. remove Ginkgo test.

Related: #44168.

@smagnani96 smagnani96 self-assigned this Feb 4, 2026
@smagnani96 smagnani96 added kind/enhancement This would improve or streamline existing functionality. area/CI Continuous Integration testing issue or flake release-note/misc This PR makes changes that have no direct user impact. release-note/ci This PR makes changes to the CI. and removed release-note/misc This PR makes changes that have no direct user impact. labels Feb 4, 2026
@smagnani96 smagnani96 changed the title ginkgo: remove `ClusterIP cannot be accessed externally when access is disabled ginkgo: remove ClusterIP cannot be accessed externally when access is disabled Feb 4, 2026
@smagnani96 smagnani96 force-pushed the pr/smagnani96/ginkgo-1 branch 3 times, most recently from 48a699f to 5a5654a Compare February 10, 2026 16:40
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 10, 2026

/test

@smagnani96 smagnani96 marked this pull request as ready for review February 11, 2026 09:53
@smagnani96 smagnani96 requested review from a team as code owners February 11, 2026 09:53
@smagnani96 smagnani96 mentioned this pull request Feb 11, 2026
Merged
@smagnani96 smagnani96 force-pushed the pr/smagnani96/ginkgo-1 branch 3 times, most recently from be419c9 to 7df91c6 Compare February 11, 2026 21:19
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 11, 2026

/test

@smagnani96
script:test:lb: explicit deny ClusterIP access when not enabled
b8fed68 
This commit has no functional changes, but it explicitly set the
`--bpf-lb-external-clusterip=false` flag in the test data, to make it
clear and explicit that we don't expect ClusterIP to be routable.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/ginkgo-1 branch 3 times, most recently from bed38a9 to 0d56d14 Compare February 16, 2026 17:52
@smagnani96
bpf:test: add IPv4/6 coverage for nodeport non-routable cluster IP
c7a9d63 
This commits adds `tc_lb{4,6}_nonroutable_clusterip` test that ensures
packets sent from external node to a non-routable ClusterIP service
are dropped with the correct reason code DROP_IS_CLUSTER_IP and
that the metrics are updated correctly.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96
ginkgo: remove `ClusterIP cannot be accessed externally when access i…
262bf7f 
…s disabled`

The Ginkgo test verifies that ClusterIP services are not reachable from
external (i.e., nodeWithoutCilium) when the `bpf-lb-external-clusterip` flag is
disabled. However, this behavior is already covered by:

1. `pkg/loadbalancer/tests/testdata/clusterip.txtar`, where in the LB map
   we expect `FLAGS=ClusterIP+sessionAffinity+non-routable` for the service.
2. `tc_lb{4,6}_nonroutable_clusterip.c`, where we verify that an
   incoming packet destined to a service w/o the SVC_FLAG_ROUTABLE is
   being dropped.

Thus, this Ginkgo test can be simply removed as is.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/ginkgo-1 branch from 0d56d14 to 262bf7f Compare February 16, 2026 17:59
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 16, 2026

/test

ysksuzuki
ysksuzuki approved these changes Feb 17, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ysksuzuki ysksuzuki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! Just a non-blocking question.

@smagnani96 smagnani96 added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 17, 2026
@joestringer joestringer added this pull request to the merge queue Feb 17, 2026
Merged via the queue into main with commit ad489b2 Feb 17, 2026
537 of 544 checks passed
@joestringer joestringer deleted the pr/smagnani96/ginkgo-1 branch February 17, 2026 18:19
@smagnani96 smagnani96 added ci/hyperjump Relates to 2022 test improvement initiative. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/kpr Anything related to our kube-proxy replacement. labels Feb 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ysksuzuki ysksuzuki ysksuzuki approved these changes

@christarazi christarazi christarazi approved these changes

@Artyop Artyop Artyop approved these changes

Assignees

@smagnani96 smagnani96

Labels

area/CI Continuous Integration testing issue or flake area/kpr Anything related to our kube-proxy replacement. area/loadbalancing Impacts load-balancing and Kubernetes service implementations ci/hyperjump Relates to 2022 test improvement initiative. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@smagnani96 @christarazi @ysksuzuki @Artyop @joestringer @msune