Add wireserver and metadata connecitivity tests to cilium and swift p…

…ipeline (#2006) * Block wireserver connectivity from pods in cilium cluster * commenting arm build image step * enabling arm image build * fixed wget cmd and added test for overlay * fixed wget-job.yaml * fixed scripts * get job yaml for debugging on failure * Updated scripts. Included wireserver test for swift pipeline Reverted pipeline.yaml changes * update cilium agent to include init container which blocks wireserver access * update cilium agent with init container which blocks wireserver access
Azure · Sep 11, 2023 · 2edb387 · 2edb387
1 parent 8cf52c4
commit 2edb387
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 4 deletions.
diff --git a/.pipelines/singletenancy/aks-swift/e2e-step-template.yaml b/.pipelines/singletenancy/aks-swift/e2e-step-template.yaml
@@ -100,6 +100,13 @@ steps:
     name: "hostportConformance"
     displayName: "Run HostPort Conformance Tests"
 
+  - script: |
+      echo "Run wireserver and metadata connectivity Tests"
+      bash test/network/wireserver_metadata_test.sh
+    retryCountOnTaskFailure: 3
+    name: "WireserverMetadataConnectivityTests"
+    displayName: "Run Wireserver and Metadata Connectivity Tests"
+
   - script: |
       ARTIFACT_DIR=$(Build.ArtifactStagingDirectory)/aks-swift-output/
       echo $ARTIFACT_DIR

diff --git a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml
@@ -55,7 +55,7 @@ steps:
     name: "installCilium"
     displayName: "Install Cilium on AKS Overlay"
 
-  - script: | 
+  - script: |
       echo "install cilium CLI"
       CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
       CLI_ARCH=amd64
@@ -143,7 +143,14 @@ steps:
       bash hack/scripts/validate_state.sh
     name: "validatePods"
     displayName: "Validate Pods"
-  
+
+  - script: |
+      echo "Run wireserver and metadata connectivity Tests"
+      bash test/network/wireserver_metadata_test.sh
+    retryCountOnTaskFailure: 3
+    name: "WireserverMetadataConnectivityTests"
+    displayName: "Run Wireserver and Metadata Connectivity Tests"
+
   - script: |
       ARTIFACT_DIR=$(Build.ArtifactStagingDirectory)/test-output/
       echo $ARTIFACT_DIR

diff --git a/.pipelines/singletenancy/cilium/cilium-e2e-step-template.yaml b/.pipelines/singletenancy/cilium/cilium-e2e-step-template.yaml
@@ -55,7 +55,7 @@ steps:
     name: "installCilium"
     displayName: "Install Cilium"
 
-  - script: | 
+  - script: |
       echo "install cilium CLI"
       CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
       CLI_ARCH=amd64
@@ -138,7 +138,14 @@ steps:
       bash hack/scripts/validate_state.sh
     name: "validatePods"
     displayName: "Validate Pods"
-  
+
+  - script: |
+      echo "Run wireserver and metadata connectivity Tests"
+      bash test/network/wireserver_metadata_test.sh
+    retryCountOnTaskFailure: 3
+    name: "WireserverMetadataConnectivityTests"
+    displayName: "Run Wireserver and Metadata Connectivity Tests"
+
   - script: |
       ARTIFACT_DIR=$(Build.ArtifactStagingDirectory)/test-output/
       echo $ARTIFACT_DIR

diff --git a/test/integration/manifests/cilium/cilium-agent/daemonset.yaml b/test/integration/manifests/cilium/cilium-agent/daemonset.yaml
@@ -337,6 +337,27 @@ spec:
         - mountPath: /host/usr/lib
           name: host-usr-lib
           readOnly: true
+      - name: block-wireserver
+        image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG
+        imagePullPolicy: IfNotPresent
+        command:
+        - /bin/bash
+        - -cx
+        - |
+          iptables -t mangle -C FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+          status=$?
+          set -e
+          if [ $status -eq 0 ]; then
+            echo "Skip adding iptables as it already exists"
+          else
+            iptables -t mangle -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP
+          fi
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            drop:
+            - ALL
       nodeSelector:
         kubernetes.io/os: linux
       priorityClassName: system-node-critical

diff --git a/test/network/wireserver_metadata_test.sh b/test/network/wireserver_metadata_test.sh
@@ -0,0 +1,10 @@
+kubectl run wget -it --rm --image busybox --restart Never -- wget --timeout=3 --header=Metadata:true "http://168.63.129.16/machine/plugins?comp=nmagent&type=getinterfaceinfov1"
+if [ $? -eq 0 ]; then
+    echo "wireserver connectivity expected to fail but succeeded"
+    exit 1
+fi
+
+kubectl run wget -it --rm --image busybox --restart Never -- wget --timeout=3 --header=Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
+if [ $? -ne 0 ]; then
+    echo "metadata server connectivity expected to succeed but failed"
+fi