TestLoadBalancer and TestHealthCheckNodePort still had iptables rules
checks, but they also have sufficient runPacketFlowTests checks to
cover everything we care about.
(This leaves only TestOverallIPTablesRules and
TestSyncProxyRulesRepeated using assertIPTablesRulesEqual.)
For consistency with TestExternalTrafficPolicyLocal, test all of the
Cluster external traffic policy cases together here (ensuring that
masquerading happens where needed). Drop the assertIPTablesRulesEqual
test in favor of runPacketFlowTests.
Merge TestOnlyLocalExternalIPs, TestOnlyLocalLoadBalancing, and
TestOnlyLocalNodePorts together into TestExternalTrafficPolicyLocal.
Drop the assertIPTablesRulesEqual tests in favor of
runPacketFlowTests.
Remove TestOnlyLocalNodePortsNoClusterCIDR; the relevant bits of the
"no local detector" case are already fully covered by
TestInternalExternalMasquerade.
Previously we had TestNodePort, which tested basic NodePort behavior,
plus Test{Enable,Disable}LocalhostNodePorts{IPv4,IPv6} to test the
behavior of --localhost-nodeports under IPv4 and IPv6, plus
TestDisableLocalhostNodePortsIPv4WithNodeAddress to test
--nodeport-addresses.
Merge all of these together into TestNodePorts, and use
runPacketFlowTests to check the results rather than
assertIPTablesRulesEqual.
The packet tracer is not full-featured enough to be able to check the
"anti martian packet spoofing" rule, so we check the iptables dump for
that manually.
(This also fixes the --localhost-nodeport tests to use the same IP
ranges as most of the other tests now.)
Merge TestClusterIPReject, TestExternalIPsReject, TestNodePortReject,
and TestLoadBalancerReject into a single test.
Also remove the assertIPTablesRulesEqual tests because the packet flow
tests cover all of the details we care about here.
Create some ClusterIP services and use runPacketFlowTests to test
general functionality:
- normal connection
- hairpin connection
- multiple endpoints
- port != targetPort
- multiple protocols on same port
Remove the assertIPTablesRulesEqual test because the packet flow tests
cover all of the details we care about here.
Previously this was used to assert "something changed since the last
sync", but we already have packet flow tests in all of those cases now
to assert that the *specific* something we care about changed.
Rename TestOverallIPTablesRulesWithMultipleServices to just
TestOverallIPTablesRules, and add one rule type we weren't previously
testing (session affinity).
Conntrack invalid packets may cause unexpected and subtle bugs
on esblished connections, because of that we install by default an
iptables rules that drops the packets with this conntrack state.
However, there are network scenarios, specially those that use multihoming
nodes, that may have legit traffic that is detected by conntrack as
invalid, hence these iptables rules are causing problems dropping this
traffic.
An alternative to solve the spurious problems caused by the invalid
connectrack packets is to set the sysctl nf_conntrack_tcp_be_liberal
option, but this is a system wide setting and we don't want kube-proxy
to be opinionated about the whole node networking configuration.
Kube-proxy will only install the DROP rules for invalid conntrack states
if the nf_conntrack_tcp_be_liberal is not set.
Change-Id: I5eb326931ed915f5ae74d210f0a375842b6a790e
Instead of using two metrics use just one metrics with multiple labels,
since the labels can only get 2 values, 200 or 503 there is no risk of
carindality explosion and are simple to represent in graphs.
Change-Id: I0e9cbd6ec2051de44d277d673dc20f02b96aa4d1
When I first wrote TestInternalExternalMasquerade, I put "FIXME"
comments in all of the cases that seemed wrong to me, most of which
got removed as we fixed the corner cases. But there were two cases
where we decided that the implemented behavior, though odd, was
correct, and those FIXMEs never got removed.
All the code to deal with enabling/disabling the feature gate is gone,
but some of the tests were still specifying "this test case assumes
PTE is enabled".
Remove "EndpointSlice" from some unit test names, because they don't
need to clarify that they use EndpointSlices now, because all of the
tests use EndpointSlices now.
Likewise, remove TestEndpointSliceE2E entirely; it was originally an
EndpointSlice version of one of the other tests, but the other test
uses EndpointSlices now too.
