diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
index 30f02651d775..b9cd06d2c277 100644
--- a/test/extended/networking/egress_firewall.go
+++ b/test/extended/networking/egress_firewall.go
@@ -156,11 +156,32 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 out, err := oc.Run("exec").Args(pod, "--", "ping", "-c", "1", "1.1.1.1").Output()
 expectError(err, "ping to 1.1.1.1 should fail: %s", out)
 }
+
+ //Shreyas(S) ================================================================
 // Test curl to redhat.com should pass
 // because we have allow dns rule for redhat.com
- g.By("sending traffic that matches allow dns rule")
- _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://redhat.com").Output()
- expectNoError(err)
+ g.By("Shreyas- sending traffic that matches allow dns rule")
+
+ // First, try to resolve DNS to see what IP would be used
+ e2e.Logf("Shreyas- Resolving redhat.com DNS...")
+ dnsOutRedhat, dnsErrRedhat := oc.Run("exec").Args(pod, "--", "nslookup", "redhat.com").Output()
+ if dnsErrRedhat == nil {
+ e2e.Logf("Shreyas- DNS Resolution for redhat.com:\n%s", dnsOutRedhat)
+ } else {
+ e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrRedhat, dnsOutRedhat)
+ }
+
+ // Try curl with verbose output to see connection details and IP address
+ e2e.Logf("Shreyas- Attempting curl to redhat.com (expected to succeed)...")
+ outRedhat, errRedhat := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://redhat.com").Output()
+ e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outRedhat)
+
+ // Also try to get the resolved IP using curl's --write-out option
+ ipOutRedhat, ipErrRedhat := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://redhat.com").Output()
+ e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutRedhat, ipErrRedhat)
+
+ expectNoError(errRedhat)
+ //Shreyas(E) ================================================================
 
 // Test curl to amazon.com should pass
 // because we have allow dns rule for amazon.com
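Review bot: The step names and log lines in this hunk carry a personal debug tag — `g.By("Shreyas- sending traffic that matches allow dns rule")`, every `e2e.Logf("Shreyas- ...")` and the `//Shreyas(S)` / `//Shreyas(E)` banner comments — and the same tags recur in the second hunk of this file; `g.By` text ends up in the test report, so it should describe the step (`g.By("sending traffic that matches allow dns rule")`) and the banners and prefixes should be dropped before merge. The log labelled `Curl output (stdout+stderr)` is only accurate if `Output()` merges stderr; `curl -v` writes the connection trace and resolved address to stderr, so if the helper returns stdout alone that log will hold only the response headers — worth confirming against the CLI helper. The two extra exec calls (`nslookup` and the `-w` curl) each carry their own 5 s timeout and their errors are only logged, so `expectNoError(errRedhat)` still asserts the right thing, but the allow step now runs three commands where it ran one. sendEgressFwTraffic starts before this hunk and continues after it.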
@@ -180,11 +201,38 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 expectNoError(err)
 }
 
+ //Shreyas(S) ================================================================
 // Test curl to www.redhat.com should fail
 // because we don't have allow dns rule for www.redhat.com
- g.By("sending traffic that does not match allow dns rule")
- _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.redhat.com").Output()
+ g.By("Shreyas- sending traffic that does not match allow dns rule for www.redhat.com")
+
+ // First, try to resolve DNS to see what IP would be used
+ e2e.Logf("Shreyas- Resolving www.redhat.com DNS...")
+ dnsOutWww, dnsErrWww := oc.Run("exec").Args(pod, "--", "nslookup", "www.redhat.com").Output()
+ if dnsErrWww == nil {
+ e2e.Logf("Shreyas- DNS Resolution for www.redhat.com:\n%s", dnsOutWww)
+ } else {
+ e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrWww, dnsOutWww)
+ }
+
+ // Try curl with verbose output to see connection details and IP address
+ e2e.Logf("Shreyas- Attempting curl to www.redhat.com (expected to fail)...")
+ outWww, errWww := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://www.redhat.com").Output()
+ e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outWww)
+
+ // Also try to get the resolved IP using curl's --write-out option
+ ipOutWww, ipErrWww := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://www.redhat.com").Output()
+ e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutWww, ipErrWww)
+ // One Line Added for Debugging
+ // www.redhat.com not in allow list, connection should fail
+ expectError(errWww)
+
+ // Test curl to www.apple.com should fail
+ // because we don't have allow dns rule for www.apple.com
+ g.By("Shreyas- sending traffic that does not match allow dns rule for www.apple.com")
+ _, err = 
oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.apple.com").Output()
 expectError(err)
+ //Shreyas(E) ================================================================
 
 if nodeSelectorSupport {
 // Access to control plane nodes should work
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
index da7846302650..d7ac26c6da41 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
@@ -24,6 +24,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny
+ - type: Deny # IPv4 default deny-all
 to:
 cidrSelector: 0.0.0.0/0
+ - type: Deny # IPv6 default deny-all
+ to:
+ cidrSelector: ::/0
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
index 972eede69366..c4da92487464 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
@@ -21,6 +21,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny
+ - type: Deny # IPv4 default deny-all
 to:
 cidrSelector: 0.0.0.0/0
+ - type: Deny # IPv6 default deny-all
+ to:
+ cidrSelector: ::/0
\ No newline at end of file
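Review bot: `expectError(errWww)` discards the diagnostic output this hunk just collected, whereas the ping check earlier in this function passes its output as the failure message; `expectError(errWww, "curl to www.redhat.com should fail: %s", outWww)` would put the verbose curl trace into the failure report, which is exactly where it is needed when the deny rule is not taking effect. The comment `// One Line Added for Debugging` above it describes the edit rather than the code and should be removed. For this deny case both curl calls run against a destination that is expected to hang until the 5 s timeout, so the step now waits roughly twice as long as before; if the diagnostics stay, the `-w` call alone already captures the remote address and HTTP code. The new www.apple.com step reuses the existing `expectError(err)` context line, which is correct because `err` is reassigned on the line before it. sendEgressFwTraffic continues past the end of this hunk.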
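Review bot: The new `::/0` deny entry is added identically here and in ovnk-egressfirewall-wildcard-test.yaml, but the second file's hunk ends with `\ No newline at end of file`, so its added `cidrSelector: ::/0` line should be newline-terminated like the rest of the fixture. Adding the IPv6 catch-all only in the fixture leaves the reader to guess why it was needed; a one-line comment such as `# paired with the 0.0.0.0/0 rule so names that resolve to AAAA records are not reachable over IPv6` would record that, assuming that is the motivation — I am inferring it from the DNS diagnostics added to egress_firewall.go in the same commit.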