add NET_RAW capability to server container in "should drop INVALID conntrack entries" test

The boom-server container forges out-of-order TCP packets and injects them into the network. This requires the container to have the CAP_NET_RAW Linux capability; otherwise the test will fail.

Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
Riccardo Ravaioli 2021-09-27 19:01:49 +02:00
parent aec9acda68
commit d97a1b8d63


@ -285,7 +285,7 @@ var _ = common.SIGDescribe("Conntrack", func() {
// IP could result in the connection being closed with the error "Connection reset by
// peer"
// xref: https://kubernetes.io/blog/2019/03/29/kube-proxy-subtleties-debugging-an-intermittent-connection-reset/
ginkgo.It("should drop INVALID conntrack entries", func() {
ginkgo.It("should drop INVALID conntrack entries [Privileged]", func() {
serverLabel := map[string]string{
"app": "boom-server",
}
@ -325,6 +325,11 @@ var _ = common.SIGDescribe("Conntrack", func() {
},
},
},
SecurityContext: &v1.SecurityContext{
Capabilities: &v1.Capabilities{
Add: []v1.Capability{"NET_RAW"},
},
},
},
},
},
@ -381,19 +386,19 @@ var _ = common.SIGDescribe("Conntrack", func() {
// if conntrack does not drop the invalid packets it will go through without NAT
// so the client will receive an unexpected TCP connection and RST the connection
// the server will log ERROR if that happens
ginkgo.By("checking client pod does not RST the TCP connection because it receives and INVALID packet")
ginkgo.By("checking client pod does not RST the TCP connection because it receives an INVALID packet")
if err := wait.PollImmediate(5*time.Second, time.Minute, logContainsFn("ERROR", "boom-server")); err == nil {
logs, err := e2epod.GetPodLogs(cs, ns, "boom-server", "boom-server")
framework.ExpectNoError(err)
framework.Logf("boom-server pod logs: %s", logs)
framework.Failf("Boom server pod received a RST from the client")
framework.Failf("boom-server pod received a RST from the client")
}
logs, err := e2epod.GetPodLogs(cs, ns, "boom-server", "boom-server")
framework.ExpectNoError(err)
if !strings.Contains(string(logs), "connection established") {
framework.Logf("boom-server pod logs: %s", logs)
framework.Failf("Boom server pod did not sent any bad packet to the client")
framework.Failf("boom-server pod did not send any bad packet to the client")
}
framework.Logf("boom-server pod logs: %s", logs)
framework.Logf("boom-server OK: did not receive any RST packet")
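Review bot: The SecurityContext added to the boom-server container in the second hunk only adds NET_RAW and leaves the runtime's default capability set untouched, so the pod still holds every other default capability although the commit message names just one requirement. If boom-server needs nothing beyond raw packet injection (not verifiable from this page), putting `Drop: []v1.Capability{"ALL"},` next to `Add` would keep the pod at least privilege and make the test behave the same on runtimes with different default sets. A short comment above the field, e.g. `// boom-server forges and injects out-of-order TCP packets, which requires CAP_NET_RAW`, would keep the reason next to the grant so the capability is not later removed or widened without context. The pod spec and the enclosing It body start and end outside the hunks shown.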