mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-02 08:17:26 +00:00
Merge all the "reject when no endpoints" tests together
Merge TestClusterIPReject, TestExternalIPsReject, TestNodePortReject, and TestLoadBalancerReject into a single test. Also remove the assertIPTablesRulesEqual tests because the packet flow tests cover all of the details we care about here.
This commit is contained in:
Dan Winship
parent
2435da11d5
commit
f38231d568
@ -2019,11 +2019,16 @@ func TestOverallIPTablesRules(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestClusterIPReject(t *testing.T) {
|
// TestNoEndpointsReject tests that a service with no endpoints rejects connections to
|
||||||
|
// its ClusterIP, ExternalIPs, NodePort, and LoadBalancer IP.
|
||||||
|
func TestNoEndpointsReject(t *testing.T) {
|
||||||
ipt := iptablestest.NewFake()
|
ipt := iptablestest.NewFake()
|
||||||
fp := NewFakeProxier(ipt)
|
fp := NewFakeProxier(ipt)
|
||||||
svcIP := "172.30.0.41"
|
svcIP := "172.30.0.41"
|
||||||
svcPort := 80
|
svcPort := 80
|
||||||
|
svcNodePort := 3001
|
||||||
|
svcExternalIPs := "192.168.99.11"
|
||||||
|
svcLBIP := "1.2.3.4"
|
||||||
svcPortName := proxy.ServicePortName{
|
svcPortName := proxy.ServicePortName{
|
||||||
NamespacedName: makeNSN("ns1", "svc1"),
|
NamespacedName: makeNSN("ns1", "svc1"),
|
||||||
Port: "p80",
|
Port: "p80",
|
||||||
@ -2031,51 +2036,63 @@ func TestClusterIPReject(t *testing.T) {
|
|||||||
|
|
||||||
makeServiceMap(fp,
|
makeServiceMap(fp,
|
||||||
makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
|
makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
|
||||||
|
svc.Spec.Type = v1.ServiceTypeLoadBalancer
|
||||||
svc.Spec.ClusterIP = svcIP
|
svc.Spec.ClusterIP = svcIP
|
||||||
|
svc.Spec.ExternalIPs = []string{svcExternalIPs}
|
||||||
svc.Spec.Ports = []v1.ServicePort{{
|
svc.Spec.Ports = []v1.ServicePort{{
|
||||||
Name: svcPortName.Port,
|
Name: svcPortName.Port,
|
||||||
Port: int32(svcPort),
|
|
||||||
Protocol: v1.ProtocolTCP,
|
Protocol: v1.ProtocolTCP,
|
||||||
|
Port: int32(svcPort),
|
||||||
|
NodePort: int32(svcNodePort),
|
||||||
|
}}
|
||||||
|
svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{{
|
||||||
|
IP: svcLBIP,
|
||||||
}}
|
}}
|
||||||
}),
|
}),
|
||||||
)
|
)
|
||||||
fp.syncProxyRules()
|
fp.syncProxyRules()
|
||||||
|
|
||||||
expected := dedent.Dedent(`
|
|
||||||
*filter
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
|
||||||
:KUBE-FIREWALL - [0:0]
|
|
||||||
:KUBE-FORWARD - [0:0]
|
|
||||||
:KUBE-PROXY-FIREWALL - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
|
||||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
COMMIT
|
|
||||||
*nat
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-MARK-MASQ - [0:0]
|
|
||||||
:KUBE-POSTROUTING - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
|
|
||||||
COMMIT
|
|
||||||
`)
|
|
||||||
|
|
||||||
assertIPTablesRulesEqual(t, getLine(), true, expected, fp.iptablesData.String())
|
|
||||||
|
|
||||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
||||||
{
|
{
|
||||||
name: "cluster IP rejected",
|
name: "pod to cluster IP with no endpoints",
|
||||||
sourceIP: "10.0.0.2",
|
sourceIP: "10.0.0.2",
|
||||||
destIP: "172.30.0.41",
|
destIP: svcIP,
|
||||||
destPort: 80,
|
destPort: svcPort,
|
||||||
|
output: "REJECT",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "external to external IP with no endpoints",
|
||||||
|
sourceIP: testExternalClient,
|
||||||
|
destIP: svcExternalIPs,
|
||||||
|
destPort: svcPort,
|
||||||
|
output: "REJECT",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "pod to NodePort with no endpoints",
|
||||||
|
sourceIP: "10.0.0.2",
|
||||||
|
destIP: testNodeIP,
|
||||||
|
destPort: svcNodePort,
|
||||||
|
output: "REJECT",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "external to NodePort with no endpoints",
|
||||||
|
sourceIP: testExternalClient,
|
||||||
|
destIP: testNodeIP,
|
||||||
|
destPort: svcNodePort,
|
||||||
|
output: "REJECT",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "pod to LoadBalancer IP with no endpoints",
|
||||||
|
sourceIP: "10.0.0.2",
|
||||||
|
destIP: svcLBIP,
|
||||||
|
destPort: svcPort,
|
||||||
|
output: "REJECT",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "external to LoadBalancer IP with no endpoints",
|
||||||
|
sourceIP: testExternalClient,
|
||||||
|
destIP: svcLBIP,
|
||||||
|
destPort: svcPort,
|
||||||
output: "REJECT",
|
output: "REJECT",
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
@ -2718,80 +2735,6 @@ func TestMasqueradeRule(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestExternalIPsReject(t *testing.T) {
|
|
||||||
ipt := iptablestest.NewFake()
|
|
||||||
fp := NewFakeProxier(ipt)
|
|
||||||
svcIP := "172.30.0.41"
|
|
||||||
svcPort := 80
|
|
||||||
svcExternalIPs := "192.168.99.11"
|
|
||||||
svcPortName := proxy.ServicePortName{
|
|
||||||
NamespacedName: makeNSN("ns1", "svc1"),
|
|
||||||
Port: "p80",
|
|
||||||
}
|
|
||||||
|
|
||||||
makeServiceMap(fp,
|
|
||||||
makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
|
|
||||||
svc.Spec.Type = "ClusterIP"
|
|
||||||
svc.Spec.ClusterIP = svcIP
|
|
||||||
svc.Spec.ExternalIPs = []string{svcExternalIPs}
|
|
||||||
svc.Spec.Ports = []v1.ServicePort{{
|
|
||||||
Name: svcPortName.Port,
|
|
||||||
Port: int32(svcPort),
|
|
||||||
Protocol: v1.ProtocolTCP,
|
|
||||||
TargetPort: intstr.FromInt32(int32(svcPort)),
|
|
||||||
}}
|
|
||||||
}),
|
|
||||||
)
|
|
||||||
|
|
||||||
fp.syncProxyRules()
|
|
||||||
|
|
||||||
expected := dedent.Dedent(`
|
|
||||||
*filter
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
|
||||||
:KUBE-FIREWALL - [0:0]
|
|
||||||
:KUBE-FORWARD - [0:0]
|
|
||||||
:KUBE-PROXY-FIREWALL - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 192.168.99.11 --dport 80 -j REJECT
|
|
||||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
COMMIT
|
|
||||||
*nat
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-MARK-MASQ - [0:0]
|
|
||||||
:KUBE-POSTROUTING - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
|
|
||||||
COMMIT
|
|
||||||
`)
|
|
||||||
assertIPTablesRulesEqual(t, getLine(), true, expected, fp.iptablesData.String())
|
|
||||||
|
|
||||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
|
||||||
{
|
|
||||||
name: "cluster IP with no endpoints",
|
|
||||||
sourceIP: "10.0.0.2",
|
|
||||||
destIP: svcIP,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "external IP with no endpoints",
|
|
||||||
sourceIP: testExternalClient,
|
|
||||||
destIP: svcExternalIPs,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestOnlyLocalExternalIPs(t *testing.T) {
|
func TestOnlyLocalExternalIPs(t *testing.T) {
|
||||||
ipt := iptablestest.NewFake()
|
ipt := iptablestest.NewFake()
|
||||||
fp := NewFakeProxier(ipt)
|
fp := NewFakeProxier(ipt)
|
||||||
@ -3013,180 +2956,6 @@ func TestNonLocalExternalIPs(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestNodePortReject(t *testing.T) {
|
|
||||||
ipt := iptablestest.NewFake()
|
|
||||||
fp := NewFakeProxier(ipt)
|
|
||||||
svcIP := "172.30.0.41"
|
|
||||||
svcPort := 80
|
|
||||||
svcNodePort := 3001
|
|
||||||
svcPortName := proxy.ServicePortName{
|
|
||||||
NamespacedName: makeNSN("ns1", "svc1"),
|
|
||||||
Port: "p80",
|
|
||||||
}
|
|
||||||
|
|
||||||
makeServiceMap(fp,
|
|
||||||
makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
|
|
||||||
svc.Spec.Type = "NodePort"
|
|
||||||
svc.Spec.ClusterIP = svcIP
|
|
||||||
svc.Spec.Ports = []v1.ServicePort{{
|
|
||||||
Name: svcPortName.Port,
|
|
||||||
Port: int32(svcPort),
|
|
||||||
Protocol: v1.ProtocolTCP,
|
|
||||||
NodePort: int32(svcNodePort),
|
|
||||||
}}
|
|
||||||
}),
|
|
||||||
)
|
|
||||||
|
|
||||||
fp.syncProxyRules()
|
|
||||||
|
|
||||||
expected := dedent.Dedent(`
|
|
||||||
*filter
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
|
||||||
:KUBE-FIREWALL - [0:0]
|
|
||||||
:KUBE-FORWARD - [0:0]
|
|
||||||
:KUBE-PROXY-FIREWALL - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
|
||||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
COMMIT
|
|
||||||
*nat
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-MARK-MASQ - [0:0]
|
|
||||||
:KUBE-POSTROUTING - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
|
|
||||||
COMMIT
|
|
||||||
`)
|
|
||||||
assertIPTablesRulesEqual(t, getLine(), true, expected, fp.iptablesData.String())
|
|
||||||
|
|
||||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
|
||||||
{
|
|
||||||
name: "pod to cluster IP",
|
|
||||||
sourceIP: "10.0.0.2",
|
|
||||||
destIP: svcIP,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "pod to NodePort",
|
|
||||||
sourceIP: "10.0.0.2",
|
|
||||||
destIP: testNodeIP,
|
|
||||||
destPort: svcNodePort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "external to NodePort",
|
|
||||||
sourceIP: testExternalClient,
|
|
||||||
destIP: testNodeIP,
|
|
||||||
destPort: svcNodePort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestLoadBalancerReject(t *testing.T) {
|
|
||||||
ipt := iptablestest.NewFake()
|
|
||||||
fp := NewFakeProxier(ipt)
|
|
||||||
svcIP := "172.30.0.41"
|
|
||||||
svcPort := 80
|
|
||||||
svcNodePort := 3001
|
|
||||||
svcHealthCheckNodePort := 30000
|
|
||||||
svcLBIP := "1.2.3.4"
|
|
||||||
svcPortName := proxy.ServicePortName{
|
|
||||||
NamespacedName: makeNSN("ns1", "svc1"),
|
|
||||||
Port: "p80",
|
|
||||||
Protocol: v1.ProtocolTCP,
|
|
||||||
}
|
|
||||||
svcSessionAffinityTimeout := int32(10800)
|
|
||||||
makeServiceMap(fp,
|
|
||||||
makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *v1.Service) {
|
|
||||||
svc.Spec.Type = "LoadBalancer"
|
|
||||||
svc.Spec.ClusterIP = svcIP
|
|
||||||
svc.Spec.Ports = []v1.ServicePort{{
|
|
||||||
Name: svcPortName.Port,
|
|
||||||
Port: int32(svcPort),
|
|
||||||
Protocol: v1.ProtocolTCP,
|
|
||||||
NodePort: int32(svcNodePort),
|
|
||||||
}}
|
|
||||||
svc.Spec.HealthCheckNodePort = int32(svcHealthCheckNodePort)
|
|
||||||
svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{{
|
|
||||||
IP: svcLBIP,
|
|
||||||
}}
|
|
||||||
svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyLocal
|
|
||||||
svc.Spec.SessionAffinity = v1.ServiceAffinityClientIP
|
|
||||||
svc.Spec.SessionAffinityConfig = &v1.SessionAffinityConfig{
|
|
||||||
ClientIP: &v1.ClientIPConfig{TimeoutSeconds: &svcSessionAffinityTimeout},
|
|
||||||
}
|
|
||||||
}),
|
|
||||||
)
|
|
||||||
|
|
||||||
fp.syncProxyRules()
|
|
||||||
|
|
||||||
expected := dedent.Dedent(`
|
|
||||||
*filter
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
|
||||||
:KUBE-FIREWALL - [0:0]
|
|
||||||
:KUBE-FORWARD - [0:0]
|
|
||||||
:KUBE-PROXY-FIREWALL - [0:0]
|
|
||||||
-A KUBE-NODEPORTS -m comment --comment "ns1/svc1:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
|
||||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j REJECT
|
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j REJECT
|
|
||||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns1/svc1:p80 has no endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j REJECT
|
|
||||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
|
||||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
|
||||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
COMMIT
|
|
||||||
*nat
|
|
||||||
:KUBE-NODEPORTS - [0:0]
|
|
||||||
:KUBE-SERVICES - [0:0]
|
|
||||||
:KUBE-MARK-MASQ - [0:0]
|
|
||||||
:KUBE-POSTROUTING - [0:0]
|
|
||||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
|
||||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
|
||||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
|
||||||
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
|
|
||||||
COMMIT
|
|
||||||
`)
|
|
||||||
assertIPTablesRulesEqual(t, getLine(), true, expected, fp.iptablesData.String())
|
|
||||||
|
|
||||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
|
||||||
{
|
|
||||||
name: "pod to cluster IP",
|
|
||||||
sourceIP: "10.0.0.2",
|
|
||||||
destIP: svcIP,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "pod to LoadBalancer IP",
|
|
||||||
sourceIP: "10.0.0.2",
|
|
||||||
destIP: svcLBIP,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "external to LoadBalancer IP",
|
|
||||||
sourceIP: testExternalClient,
|
|
||||||
destIP: svcLBIP,
|
|
||||||
destPort: svcPort,
|
|
||||||
output: "REJECT",
|
|
||||||
},
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestOnlyLocalLoadBalancing(t *testing.T) {
|
func TestOnlyLocalLoadBalancing(t *testing.T) {
|
||||||
ipt := iptablestest.NewFake()
|
ipt := iptablestest.NewFake()
|
||||||
fp := NewFakeProxier(ipt)
|
fp := NewFakeProxier(ipt)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user