github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 09:22:44 +00:00
Code Issues Projects Releases Wiki Activity

Remove assertIPTablesRulesEqual from InternalTrafficPolicy test

Browse Source 
Just use the flow tests. Also, add a new test for a missing case.
This commit is contained in:
Dan Winship 2023-07-07 13:55:52 -04:00
parent 43db55e93d
commit d57a51d0a9
1 changed files with 27 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

145
pkg/proxy/iptables/proxier_test.go
View File

@ -5466,7 +5466,7 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
// This test ensures that the iptables proxier supports translating Endpoints to // This test ensures that the iptables proxier supports translating Endpoints to
// iptables output when internalTrafficPolicy is specified // iptables output when internalTrafficPolicy is specified
func TestInternalTrafficPolicyE2E(t *testing.T) { func TestInternalTrafficPolicy(t *testing.T) {
type endpoint struct { type endpoint struct {
ip string ip string
hostname string hostname string
@ -5475,55 +5475,12 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
cluster := v1.ServiceInternalTrafficPolicyCluster cluster := v1.ServiceInternalTrafficPolicyCluster
local := v1.ServiceInternalTrafficPolicyLocal local := v1.ServiceInternalTrafficPolicyLocal
clusterExpectedIPTables := dedent.Dedent(`
*filter
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-3JOIVZTXZZRGORX4 - [0:0]
:KUBE-SEP-IO5XOSKPAXIFQXAJ - [0:0]
:KUBE-SEP-XGJFVO3L2O5SRFNT - [0:0]
:KUBE-SVC-AQI2S6QIMU7PVVRP - [0:0]
-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j KUBE-SVC-AQI2S6QIMU7PVVRP
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -s 10.0.1.1 -j KUBE-MARK-MASQ
-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80
-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -s 10.0.1.2 -j KUBE-MARK-MASQ
-A KUBE-SEP-IO5XOSKPAXIFQXAJ -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.2:80
-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -s 10.0.1.3 -j KUBE-MARK-MASQ
-A KUBE-SEP-XGJFVO3L2O5SRFNT -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.3:80
-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.30.1.1 --dport 80 ! -s 10.0.0.0/8 -j KUBE-MARK-MASQ
-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 -> 10.0.1.1:80" -m statistic --mode random --probability 0.3333333333 -j KUBE-SEP-3JOIVZTXZZRGORX4
-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 -> 10.0.1.2:80" -m statistic --mode random --probability 0.5000000000 -j KUBE-SEP-IO5XOSKPAXIFQXAJ
-A KUBE-SVC-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 -> 10.0.1.3:80" -j KUBE-SEP-XGJFVO3L2O5SRFNT
COMMIT
`)
testCases := []struct { testCases := []struct {
name string name string
line int line int
internalTrafficPolicy *v1.ServiceInternalTrafficPolicy internalTrafficPolicy *v1.ServiceInternalTrafficPolicy
endpoints []endpoint endpoints []endpoint
expectEndpointRule bool flowTests []packetFlowTest
expectedIPTablesWithSlice string
flowTests []packetFlowTest
}{ }{
{ {
name: "internalTrafficPolicy is cluster", name: "internalTrafficPolicy is cluster",
@ -5534,8 +5491,6 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
{"10.0.1.2", "host1"}, {"10.0.1.2", "host1"},
{"10.0.1.3", "host2"}, {"10.0.1.3", "host2"},
}, },
expectEndpointRule: true,
expectedIPTablesWithSlice: clusterExpectedIPTables,
flowTests: []packetFlowTest{ flowTests: []packetFlowTest{
{ {
name: "pod to ClusterIP hits all endpoints", name: "pod to ClusterIP hits all endpoints",
@ -5548,7 +5503,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
}, },
}, },
{ {
name: "internalTrafficPolicy is local and there are local endpoints", name: "internalTrafficPolicy is local and there is one local endpoint",
line: getLine(), line: getLine(),
internalTrafficPolicy: &local, internalTrafficPolicy: &local,
endpoints: []endpoint{ endpoints: []endpoint{
@ -5556,39 +5511,6 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
{"10.0.1.2", "host1"}, {"10.0.1.2", "host1"},
{"10.0.1.3", "host2"}, {"10.0.1.3", "host2"},
}, },
expectEndpointRule: true,
expectedIPTablesWithSlice: dedent.Dedent(`
*filter
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-3JOIVZTXZZRGORX4 - [0:0]
:KUBE-SVL-AQI2S6QIMU7PVVRP - [0:0]
-A KUBE-SERVICES -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j KUBE-SVL-AQI2S6QIMU7PVVRP
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -s 10.0.1.1 -j KUBE-MARK-MASQ
-A KUBE-SEP-3JOIVZTXZZRGORX4 -m comment --comment ns1/svc1 -m tcp -p tcp -j DNAT --to-destination 10.0.1.1:80
-A KUBE-SVL-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 cluster IP" -m tcp -p tcp -d 172.30.1.1 --dport 80 ! -s 10.0.0.0/8 -j KUBE-MARK-MASQ
-A KUBE-SVL-AQI2S6QIMU7PVVRP -m comment --comment "ns1/svc1 -> 10.0.1.1:80" -j KUBE-SEP-3JOIVZTXZZRGORX4
COMMIT
`),
flowTests: []packetFlowTest{ flowTests: []packetFlowTest{
{ {
name: "pod to ClusterIP hits only local endpoint", name: "pod to ClusterIP hits only local endpoint",
@ -5600,6 +5522,26 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
}, },
}, },
}, },
{
name: "internalTrafficPolicy is local and there are multiple local endpoints",
line: getLine(),
internalTrafficPolicy: &local,
endpoints: []endpoint{
{"10.0.1.1", testHostname},
{"10.0.1.2", testHostname},
{"10.0.1.3", "host2"},
},
flowTests: []packetFlowTest{
{
name: "pod to ClusterIP hits all local endpoints",
sourceIP: "10.0.0.2",
destIP: "172.30.1.1",
destPort: 80,
output: "10.0.1.1:80, 10.0.1.2:80",
masq: false,
},
},
},
{ {
name: "internalTrafficPolicy is local and there are no local endpoints", name: "internalTrafficPolicy is local and there are no local endpoints",
line: getLine(), line: getLine(),
@ -5609,33 +5551,6 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
{"10.0.1.2", "host1"}, {"10.0.1.2", "host1"},
{"10.0.1.3", "host2"}, {"10.0.1.3", "host2"},
}, },
expectEndpointRule: false,
expectedIPTablesWithSlice: dedent.Dedent(`
*filter
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
-A KUBE-SERVICES -m comment --comment "ns1/svc1 has no local endpoints" -m tcp -p tcp -d 172.30.1.1 --dport 80 -j DROP
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-POSTROUTING - [0:0]
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
COMMIT
`),
flowTests: []packetFlowTest{ flowTests: []packetFlowTest{
{ {
name: "no endpoints", name: "no endpoints",
@ -5695,16 +5610,10 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
fp.OnEndpointSliceAdd(endpointSlice) fp.OnEndpointSliceAdd(endpointSlice)
fp.syncProxyRules() fp.syncProxyRules()
assertIPTablesRulesEqual(t, tc.line, true, tc.expectedIPTablesWithSlice, fp.iptablesData.String())
runPacketFlowTests(t, tc.line, ipt, testNodeIP, tc.flowTests) runPacketFlowTests(t, tc.line, ipt, testNodeIP, tc.flowTests)
fp.OnEndpointSliceDelete(endpointSlice) fp.OnEndpointSliceDelete(endpointSlice)
fp.syncProxyRules() fp.syncProxyRules()
if tc.expectEndpointRule {
fp.OnEndpointSliceDelete(endpointSlice)
fp.syncProxyRules()
assertIPTablesRulesNotEqual(t, tc.line, tc.expectedIPTablesWithSlice, fp.iptablesData.String())
}
runPacketFlowTests(t, tc.line, ipt, testNodeIP, []packetFlowTest{ runPacketFlowTests(t, tc.line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "endpoints deleted", name: "endpoints deleted",