From d97a1b8d630edcdeab302946a553e42ff325c194 Mon Sep 17 00:00:00 2001
From: Riccardo Ravaioli
Date: Mon, 27 Sep 2021 19:01:49 +0200
Subject: [PATCH] add NET_RAW capability to server container in "should drop INVALID conntrack entries" test

The boom-server container forges out-of-order TCP packets and injects them into the network. This requires the container to have the CAP_NET_RAW linux capability, otherwise the test will fail.

Signed-off-by: Riccardo Ravaioli
---
test/e2e/network/conntrack.go | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/test/e2e/network/conntrack.go b/test/e2e/network/conntrack.go
index 9bf2718feea..3fd25bbf8c0 100644
--- a/test/e2e/network/conntrack.go
+++ b/test/e2e/network/conntrack.go
@@ -285,7 +285,7 @@ var _ = common.SIGDescribe("Conntrack", func() {
// IP could result in the connection being closed with the error "Connection reset by
// peer"
// xref: https://kubernetes.io/blog/2019/03/29/kube-proxy-subtleties-debugging-an-intermittent-connection-reset/
- ginkgo.It("should drop INVALID conntrack entries", func() {
+ ginkgo.It("should drop INVALID conntrack entries [Privileged]", func() {
serverLabel := map[string]string{
"app": "boom-server",
}
@@ -325,6 +325,11 @@ var _ = common.SIGDescribe("Conntrack", func() {
},
},
},
+ SecurityContext: &v1.SecurityContext{
+ Capabilities: &v1.Capabilities{
+ Add: []v1.Capability{"NET_RAW"},
+ },
+ },
},
},
},
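Review bot: The SecurityContext added in the @@ -325 hunk grants NET_RAW with no comment saying why, so a later cleanup could drop it or, worse, swap it for `Privileged: true`; the reason given in the commit message belongs in the code. Suggested comment above the `SecurityContext:` line: `// boom-server forges out-of-order TCP packets, which needs CAP_NET_RAW; it is added explicitly because the runtime's default capability set may not include it.` Since this is the only capability the test needs, pairing the Add with `Drop: []v1.Capability{"ALL"}` would keep the grant minimal, provided the image needs nothing else from the default set — worth confirming on the runtimes the e2e suite covers. The enclosing pod spec starts and ends outside the hunk.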
@@ -381,19 +386,19 @@ var _ = common.SIGDescribe("Conntrack", func() {
// if conntrack does not drop the invalid packets it will go through without NAT
// so the client will receive an unexpected TCP connection and RST the connection
// the server will log ERROR if that happens
- ginkgo.By("checking client pod does not RST the TCP connection because it receives and INVALID packet")
+ ginkgo.By("checking client pod does not RST the TCP connection because it receives an INVALID packet")
if err := wait.PollImmediate(5*time.Second, time.Minute, logContainsFn("ERROR", "boom-server")); err == nil {
logs, err := e2epod.GetPodLogs(cs, ns, "boom-server", "boom-server")
framework.ExpectNoError(err)
framework.Logf("boom-server pod logs: %s", logs)
- framework.Failf("Boom server pod received a RST from the client")
+ framework.Failf("boom-server pod received a RST from the client")
}
logs, err := e2epod.GetPodLogs(cs, ns, "boom-server", "boom-server")
framework.ExpectNoError(err)
if !strings.Contains(string(logs), "connection established") {
framework.Logf("boom-server pod logs: %s", logs)
- framework.Failf("Boom server pod did not sent any bad packet to the client")
+ framework.Failf("boom-server pod did not send any bad packet to the client")
}
framework.Logf("boom-server pod logs: %s", logs)
framework.Logf("boom-server OK: did not receive any RST packet")