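// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package policy

import (
	"testing"

	"github.com/stretchr/testify/require"

	ciliumio "github.com/cilium/cilium/pkg/k8s/apis/cilium.io"
	"github.com/cilium/cilium/pkg/labels"
	"github.com/cilium/cilium/pkg/policy/api"
	"github.com/cilium/cilium/pkg/u8proto"
)

// visibilityLabels builds the metadata labels expected on the selector of a
// rule generated from a pod visibility annotation: the derived-from marker is
// always present, the namespace and pod-name labels only when the
// corresponding value is non-empty (an empty name must never turn into an
// empty-valued label).
func visibilityLabels(ns, pod string) labels.LabelArray {
	lbls := labels.LabelArray{
		labels.NewLabel(ciliumio.PolicyLabelDerivedFrom, "PodVisibilityAnnotation", labels.LabelSourceK8s),
	}
	if ns != "" {
		lbls = append(lbls, labels.NewLabel(ciliumio.PodNamespaceLabel, ns, labels.LabelSourceK8s))
	}
	if pod != "" {
		lbls = append(lbls, labels.NewLabel(ciliumio.PodNameLabel, pod, labels.LabelSourceK8s))
	}
	return lbls
}

// TestGenerateL7RulesByParser checks the L7 allow-all rules synthesised for
// visibility: only the DNS parser yields a rule, the rule allows every DNS
// name, and the selector carries metadata labels only for the names that
// were actually provided.
func TestGenerateL7RulesByParser(t *testing.T) {
	// HTTP and Kafka visibility produce no L7 rule map at all.
	require.Nil(t, generateL7AllowAllRules(ParserTypeHTTP, "", ""))
	require.Nil(t, generateL7AllowAllRules(ParserTypeKafka, "", ""))

	m := generateL7AllowAllRules(ParserTypeDNS, "ns-name", "pod-name")
	require.NotNil(t, m)
	require.Len(t, m, 1)
	for k, v := range m {
		// The single generated rule allows everything at L7 for DNS.
		require.EqualValues(t, &PerSelectorPolicy{L7Rules: api.L7Rules{DNS: []api.PortRuleDNS{{MatchPattern: "*"}}}}, v)
		require.EqualValues(t, visibilityLabels("ns-name", "pod-name"), k.GetMetadataLabels())
	}

	// Empty namespace/pod names must not produce empty-valued labels. Every
	// case asserts the map holds exactly one entry before ranging over it:
	// ranging over a nil or empty map runs zero iterations, which would let
	// the label assertions silently never execute.
	for _, tc := range []struct{ ns, pod string }{
		{"ns-name", ""},
		{"", "pod-name"},
		{"", ""},
	} {
		m = generateL7AllowAllRules(ParserTypeDNS, tc.ns, tc.pod)
		require.Len(t, m, 1, "ns=%q pod=%q", tc.ns, tc.pod)
		for k := range m {
			require.EqualValues(t, visibilityLabels(tc.ns, tc.pod), k.GetMetadataLabels(), "ns=%q pod=%q", tc.ns, tc.pod)
		}
	}
}

// requireVisibilityRejected asserts that an annotation is refused outright:
// NewVisibilityPolicy returns no policy and a non-nil error. The annotation is
// echoed in the failure message so a regression names the offending input.
func requireVisibilityRejected(t *testing.T, anno string) {
	t.Helper()
	vp, err := NewVisibilityPolicy(anno, "", "")
	require.Nil(t, vp, "annotation %q", anno)
	require.Error(t, err, "annotation %q", anno)
}

// TestVisibilityPolicyCreation exercises NewVisibilityPolicy's parsing of the
// visibility annotation: well-formed entries, de-duplication, conflicting
// parsers, the accepted port range and port syntax, and expansion of ANY
// into one entry per L4 protocol.
func TestVisibilityPolicyCreation(t *testing.T) {
	// httpIngress is the metadata expected for "<Ingress/<port>/TCP/HTTP>".
	httpIngress := func(port uint16) *VisibilityMetadata {
		return &VisibilityMetadata{
			Proto:   u8proto.TCP,
			Port:    port,
			Parser:  ParserTypeHTTP,
			Ingress: true,
		}
	}

	vp, err := NewVisibilityPolicy("<Ingress/80/TCP/HTTP>", "", "")
	require.NoError(t, err)
	require.NotNil(t, vp)
	require.Len(t, vp.Ingress, 1)
	require.Equal(t, httpIngress(80), vp.Ingress["80/TCP"])

	// Two distinct ports yield two entries.
	vp, err = NewVisibilityPolicy("<Ingress/80/TCP/HTTP>,<Ingress/8080/TCP/HTTP>", "", "")
	require.NoError(t, err)
	require.NotNil(t, vp)
	require.Len(t, vp.Ingress, 2)
	require.Equal(t, httpIngress(80), vp.Ingress["80/TCP"])
	require.Equal(t, httpIngress(8080), vp.Ingress["8080/TCP"])

	// The same port/proto/parser repeated is de-duplicated, not an error.
	vp, err = NewVisibilityPolicy("<Ingress/80/TCP/HTTP>,<Ingress/80/TCP/HTTP>", "", "")
	require.NoError(t, err)
	require.NotNil(t, vp)
	require.Len(t, vp.Ingress, 1)
	require.Equal(t, httpIngress(80), vp.Ingress["80/TCP"])

	// Two different parsers for the same port/proto conflict and are rejected.
	requireVisibilityRejected(t, "<Ingress/80/TCP/HTTP>,<Ingress/80/TCP/Kafka>")

	// Anything that is not an annotation at all.
	requireVisibilityRejected(t, "asdf")

	// Port range: 65535 is the highest accepted value; 0 and anything above
	// 65535 are rejected.
	requireVisibilityRejected(t, "<Ingress/65536/TCP/HTTP>")
	vp, err = NewVisibilityPolicy("<Ingress/65535/TCP/HTTP>", "", "")
	require.NoError(t, err)
	require.NotNil(t, vp)
	requireVisibilityRejected(t, "<Ingress/99999/TCP/HTTP>")
	requireVisibilityRejected(t, "<Ingress/0/TCP/HTTP>")

	// Do not allow > 5 digits. The annotation is otherwise well-formed (it
	// carries the closing '>') so the rejection is attributable to the port
	// syntax rather than to a truncated annotation.
	requireVisibilityRejected(t, "<Ingress/123456/TCP/HTTP>")

	// Do not allow leading zeroes; same reasoning about the closing '>'.
	requireVisibilityRejected(t, "<Ingress/02345/TCP/HTTP>")

	// ANY expands into one egress entry per supported L4 protocol.
	vp, err = NewVisibilityPolicy("<Egress/53/ANY/DNS>", "", "")
	require.NoError(t, err)
	require.NotNil(t, vp)
	require.Len(t, vp.Egress, 3)
	for key, proto := range map[string]u8proto.U8proto{
		"53/UDP":  u8proto.UDP,
		"53/TCP":  u8proto.TCP,
		"53/SCTP": u8proto.SCTP,
	} {
		md, ok := vp.Egress[key]
		// Check presence before dereferencing: a missing key must fail the
		// test cleanly rather than panic on a nil entry.
		require.True(t, ok, "missing egress entry %q", key)
		require.Equal(t, proto, md.Proto, "egress entry %q", key)
	}
}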