
Commit 9207b78

committed
datapath: Cover subnet encryption in XFRM leak test
This commit complements 27a8fb1 ("datapath: Integration test for XFRM leaks on node churn"). In that previous commit, subnet encryption (the XFRM config used for ENI and Azure IPAM modes) was not covered. This commit covers it. There are two pre-conditions to subnet encryption: nodes must have a list of pod subnets (cf. IPv{4,6}PodSubnets) and the encryption interface must exist and have an IP address. The test configures these two preconditions before running the usual checks for XFRM config leaks. Signed-off-by: Paul Chaignon <[email protected]>
1 parent 87dd95c commit 9207b78

1 file changed

Lines changed: 33 additions & 5 deletions


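--- a/pkg/datapath/linux/node_linux_test.go
+++ b/pkg/datapath/linux/node_linux_test.go
@@ -752,6 +752,38 @@ func (s *linuxPrivilegedBaseTestSuite) TestNodeUpdateIDs(c *check.C) {
 
 // Tests that we don't leak XFRM policies and states as nodes come and go.
 func (s *linuxPrivilegedBaseTestSuite) TestNodeChurnXFRMLeaks(c *check.C) {
+externalNodeDevice := "ipsec_interface"
+
+// Cover the XFRM configuration for IPAM modes cluster-pool, kubernetes, etc.
+config := datapath.LocalNodeConfiguration{
+EnableIPv4: s.enableIPv4,
+EnableIPv6: s.enableIPv6,
+EnableIPSec: true,
+}
+//s.testNodeChurnXFRMLeaksWithConfig(c, config)
+
+// In the case of subnet encryption (tested below), the IPsec logic
+// retrieves the IP address of the encryption interface directly so we need
+// a dummy interface.
+removeDevice(externalNodeDevice)
+err := setupDummyDevice(externalNodeDevice, net.ParseIP("1.1.1.1"), net.ParseIP("face::1"))
+c.Assert(err, check.IsNil)
+defer removeDevice(externalNodeDevice)
+option.Config.EncryptInterface = []string{externalNodeDevice}
+
+// Cover the XFRM configuration for subnet encryption: IPAM modes AKS and EKS.
+_, ipv4PodSubnets, err := net.ParseCIDR("4.4.0.0/16")
+c.Assert(err, check.IsNil)
+c.Assert(ipv4PodSubnets, check.Not(check.IsNil))
+config.IPv4PodSubnets = []*net.IPNet{ipv4PodSubnets}
+_, ipv6PodSubnets, err := net.ParseCIDR("2001:aaaa::/64")
+c.Assert(err, check.IsNil)
+c.Assert(ipv6PodSubnets, check.Not(check.IsNil))
+config.IPv6PodSubnets = []*net.IPNet{ipv6PodSubnets}
+s.testNodeChurnXFRMLeaksWithConfig(c, config)
+}
+
+func (s *linuxPrivilegedBaseTestSuite) testNodeChurnXFRMLeaksWithConfig(c *check.C, config datapath.LocalNodeConfiguration) {
 keys := bytes.NewReader([]byte("6 rfc4106(gcm(aes)) 44434241343332312423222114131211f4f3f2f1 128\n"))
 _, _, err := ipsec.LoadIPSecKeys(keys)
 c.Assert(err, check.IsNil)
@@ -760,11 +792,7 @@ func (s *linuxPrivilegedBaseTestSuite) TestNodeChurnXFRMLeaks(c *check.C) {
 linuxNodeHandler := NewNodeHandler(dpConfig, s.nodeAddressing, nodemapfake.NewFakeNodeMap())
 c.Assert(linuxNodeHandler, check.Not(check.IsNil))
 
-err = linuxNodeHandler.NodeConfigurationChanged(datapath.LocalNodeConfiguration{
-EnableIPv4: s.enableIPv4,
-EnableIPv6: s.enableIPv6,
-EnableIPSec: true,
-})
+err = linuxNodeHandler.NodeConfigurationChanged(config)
 c.Assert(err, check.IsNil)
 
 // Adding a node adds some XFRM states and policies.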