From 83f0cf16065fb674fb64c7542595d208ed37cfb6 Mon Sep 17 00:00:00 2001
From: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
Date: Fri, 8 May 2026 09:05:37 +0530
Subject: [PATCH 1/5] test/extended/networking: OCPBUGS-82501 - Fix DualStack EgressFirewall CI fail on AWS
Signed-off-by: Shreyas B
Signed-off-by: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
---
 test/extended/networking/egress_firewall.go | 48 +++++++++++++++++++--
 1 file changed, 45 insertions(+), 3 deletions(-)
diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
index 30f02651d775..7211d3965358 100644
--- a/test/extended/networking/egress_firewall.go
+++ b/test/extended/networking/egress_firewall.go
@@ -156,11 +156,30 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 out, err := oc.Run("exec").Args(pod, "--", "ping", "-c", "1", "1.1.1.1").Output()
 expectError(err, "ping to 1.1.1.1 should fail: %s", out)
 }
+
 // Test curl to redhat.com should pass
 // because we have allow dns rule for redhat.com
 g.By("sending traffic that matches allow dns rule")
- _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://redhat.com").Output()
- expectNoError(err)
+
+ // First, try to resolve DNS to see what IP would be used
+ e2e.Logf("Resolving redhat.com DNS...")
+ dnsOutRedhat, dnsErrRedhat := oc.Run("exec").Args(pod, "--", "nslookup", "redhat.com").Output()
+ if dnsErrRedhat == nil {
+ e2e.Logf("DNS Resolution for redhat.com:\n%s", dnsOutRedhat)
+ } else {
+ e2e.Logf("DNS Resolution failed: %v\nOutput: %s", dnsErrRedhat, dnsOutRedhat)
+ }
+
+ // Try curl with verbose output to see connection details and IP address
+ e2e.Logf("Attempting curl to redhat.com (expected to succeed)...")
+ outRedhat, errRedhat := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://redhat.com").Output()
+ e2e.Logf("Curl output (stdout+stderr):\n%s", outRedhat)
+
+ // Also try to get the resolved IP using curl's --write-out option
+ ipOutRedhat, ipErrRedhat := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://redhat.com").Output()
+ e2e.Logf("Curl IP info: %s (error: %v)", ipOutRedhat, ipErrRedhat)
+
+ expectNoError(errRedhat)
 // Test curl to amazon.com should pass
 // because we have allow dns rule for amazon.com
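Review bot: The remote IP that gets logged comes from a third, separate curl run, so it need not be the address the asserted `curl -v` call connected to; on a dual-stack pod each invocation resolves and picks its address family on its own. Folding the write-out into the asserted call keeps the log and the assertion on one connection, for example by adding `"-w", "Remote IP: %{remote_ip}\\n"` to the `curl -v -I` arguments and dropping the extra exec. The new call also loses the leading `-q` that the removed line had, so a curlrc present in the pod image would now be read. sendEgressFwTraffic starts and ends outside this hunk.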
@@ -183,7 +202,30 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 // Test curl to www.redhat.com should fail
 // because we don't have allow dns rule for www.redhat.com
 g.By("sending traffic that does not match allow dns rule")
- _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.redhat.com").Output()
+
+ // First, try to resolve DNS to see what IP would be used
+ e2e.Logf("Resolving www.redhat.com DNS...")
+ dnsOutWww, dnsErrWww := oc.Run("exec").Args(pod, "--", "nslookup", "www.redhat.com").Output()
+ if dnsErrWww == nil {
+ e2e.Logf("DNS Resolution for www.redhat.com:\n%s", dnsOutWww)
+ } else {
+ e2e.Logf("DNS Resolution failed: %v\nOutput: %s", dnsErrWww, dnsOutWww)
+ }
+
+ // Try curl with verbose output to see connection details and IP address
+ e2e.Logf("Attempting curl to www.redhat.com (expected to fail)...")
+ outWww, errWww := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://www.redhat.com").Output()
+ e2e.Logf("Curl output (stdout+stderr):\n%s", outWww)
+
+ // Also try to get the resolved IP using curl's --write-out option
+ ipOutWww, ipErrWww := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://www.redhat.com").Output()
+ e2e.Logf("Curl IP info: %s (error: %v)", ipOutWww, ipErrWww)
+ expectError(errWww)
+
+ // Test curl to www.apple.com should fail
+ // because we don't have allow dns rule for www.apple.com
+ g.By("sending traffic that does not match allow dns rule")
+ _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.apple.com").Output()
 expectError(err)
 if nodeSelectorSupport {
From bd80d856fe8f15bbe3f8b87ded72f559c9ce96a4 Mon Sep 17 00:00:00 2001
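Review bot: `expectError(errWww)` presumably passes on any failing exec, so a DNS error, a TLS problem or the 5-second timeout satisfies the deny case just as well as a firewall drop, and on a dual-stack pod it does not show which address family was attempted. Pinning the family would make the deny check cover both paths, for example by running the asserted call once with `"-4"` and once with `"-6"` in the curl arguments and expecting an error from each. The result of the third curl (`ipErrWww`) is only logged, so a connection that succeeds there while the asserted one failed would go unnoticed. The added www.apple.com check has the same weakness and reuses the step text of the www.redhat.com one. The enclosing function extends beyond this hunk.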
From: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
Date: Sat, 9 May 2026 09:47:10 +0530
Subject: [PATCH 2/5] Commit#2 OCPBUGS-82501 - Adding More Debug
---
 test/extended/networking/egress_firewall.go | 36 ++++++++++++---------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
index 7211d3965358..c78a6828ae47 100644
--- a/test/extended/networking/egress_firewall.go
+++ b/test/extended/networking/egress_firewall.go
@@ -157,29 +157,31 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 expectError(err, "ping to 1.1.1.1 should fail: %s", out)
 }
+ //Shreyas(S) ================================================================
 // Test curl to redhat.com should pass
 // because we have allow dns rule for redhat.com
- g.By("sending traffic that matches allow dns rule")
+ g.By("Shreyas- sending traffic that matches allow dns rule")
 // First, try to resolve DNS to see what IP would be used
- e2e.Logf("Resolving redhat.com DNS...")
+ e2e.Logf("Shreyas- Resolving redhat.com DNS...")
 dnsOutRedhat, dnsErrRedhat := oc.Run("exec").Args(pod, "--", "nslookup", "redhat.com").Output()
 if dnsErrRedhat == nil {
- e2e.Logf("DNS Resolution for redhat.com:\n%s", dnsOutRedhat)
+ e2e.Logf("Shreyas- DNS Resolution for redhat.com:\n%s", dnsOutRedhat)
 } else {
- e2e.Logf("DNS Resolution failed: %v\nOutput: %s", dnsErrRedhat, dnsOutRedhat)
+ e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrRedhat, dnsOutRedhat)
 }
 // Try curl with verbose output to see connection details and IP address
- e2e.Logf("Attempting curl to redhat.com (expected to succeed)...")
+ e2e.Logf("Shreyas- Attempting curl to redhat.com (expected to succeed)...")
 outRedhat, errRedhat := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://redhat.com").Output()
- e2e.Logf("Curl output (stdout+stderr):\n%s", outRedhat)
+ e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outRedhat)
 // Also try to get the resolved IP using curl's --write-out option
 ipOutRedhat, ipErrRedhat := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://redhat.com").Output()
- e2e.Logf("Curl IP info: %s (error: %v)", ipOutRedhat, ipErrRedhat)
+ e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutRedhat, ipErrRedhat)
 expectNoError(errRedhat)
+ //Shreyas(E) ================================================================
 // Test curl to amazon.com should pass
 // because we have allow dns rule for amazon.com
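Review bot: The `Shreyas-` tag is now part of the `g.By(...)` step text and of every `e2e.Logf` message in this hunk, and the `//Shreyas(S)` / `//Shreyas(E)` banner comments mark the region by author rather than by purpose. Step names end up in the test output, so personal debug tags are better removed before merge, for example by restoring `g.By("sending traffic that matches allow dns rule")`. If the diagnostic region needs a marker, a comment that states its purpose, such as `// diagnostics for OCPBUGS-82501: log DNS answer and remote IP`, serves the next reader better. The second hunk of this commit (`@@ -199,34 +201,38 @@`) follows the same pattern.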
@@ -199,34 +201,38 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 expectNoError(err)
 }
+ //Shreyas(S) ================================================================
 // Test curl to www.redhat.com should fail
 // because we don't have allow dns rule for www.redhat.com
- g.By("sending traffic that does not match allow dns rule")
+ g.By("Shreyas- sending traffic that does not match allow dns rule")
 // First, try to resolve DNS to see what IP would be used
- e2e.Logf("Resolving www.redhat.com DNS...")
+ e2e.Logf("Shreyas- Resolving www.redhat.com DNS...")
 dnsOutWww, dnsErrWww := oc.Run("exec").Args(pod, "--", "nslookup", "www.redhat.com").Output()
 if dnsErrWww == nil {
- e2e.Logf("DNS Resolution for www.redhat.com:\n%s", dnsOutWww)
+ e2e.Logf("Shreyas- DNS Resolution for www.redhat.com:\n%s", dnsOutWww)
 } else {
- e2e.Logf("DNS Resolution failed: %v\nOutput: %s", dnsErrWww, dnsOutWww)
+ e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrWww, dnsOutWww)
 }
 // Try curl with verbose output to see connection details and IP address
- e2e.Logf("Attempting curl to www.redhat.com (expected to fail)...")
+ e2e.Logf("Shreyas- Attempting curl to www.redhat.com (expected to fail)...")
 outWww, errWww := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://www.redhat.com").Output()
- e2e.Logf("Curl output (stdout+stderr):\n%s", outWww)
+ e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outWww)
 // Also try to get the resolved IP using curl's --write-out option
 ipOutWww, ipErrWww := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://www.redhat.com").Output()
- e2e.Logf("Curl IP info: %s (error: %v)", ipOutWww, ipErrWww)
+ e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutWww, ipErrWww)
+ // One Line Added for Debugging
+ // www.redhat.com not in allow list, connection should fail
 expectError(errWww)
 // Test curl to www.apple.com should fail
 // because we don't have allow dns rule for www.apple.com
- g.By("sending traffic that does not match allow dns rule")
+ g.By("Shreyas- sending traffic that does not match allow dns rule")
 _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.apple.com").Output()
 expectError(err)
+ //Shreyas(E) ================================================================
 if nodeSelectorSupport {
 // Access to control plane nodes should work
From bc43323d762fb2a5ed8a950fbd1ca7041a0b63c5 Mon Sep 17 00:00:00 2001
From: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
Date: Sun, 10 May 2026 16:14:54 +0530
Subject: [PATCH 3/5] Commit#2 OCPBUGS-82501 - Adding Debug Logs for www.apple.com
---
 test/extended/networking/egress_firewall.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
index c78a6828ae47..b9cd06d2c277 100644
--- a/test/extended/networking/egress_firewall.go
+++ b/test/extended/networking/egress_firewall.go
@@ -204,7 +204,7 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 //Shreyas(S) ================================================================
 // Test curl to www.redhat.com should fail
 // because we don't have allow dns rule for www.redhat.com
- g.By("Shreyas- sending traffic that does not match allow dns rule")
+ g.By("Shreyas- sending traffic that does not match allow dns rule for www.redhat.com")
 // First, try to resolve DNS to see what IP would be used
 e2e.Logf("Shreyas- Resolving www.redhat.com DNS...")
@@ -229,7 +229,7 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 // Test curl to www.apple.com should fail
 // because we don't have allow dns rule for www.apple.com
- g.By("Shreyas- sending traffic that does not match allow dns rule")
+ g.By("Shreyas- sending traffic that does not match allow dns rule for www.apple.com")
 _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.apple.com").Output()
 expectError(err)
 //Shreyas(E) ================================================================
From 0840610776bf5f3d296f4083e328ecdda793f901 Mon Sep 17 00:00:00 2001
From: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
Date: Thu, 14 May 2026 10:39:33 +0530
Subject: [PATCH 4/5] Commit#4 Fix to IPv6 deny-all default
---
 .../testdata/egress-firewall/ovnk-egressfirewall-test.yaml | 5 ++++-
 .../egress-firewall/ovnk-egressfirewall-wildcard-test.yaml | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
index da7846302650..2c0c4201e3d8 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
@@ -24,6 +24,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny
+ - type: Deny # IPv4 deny-all
 to:
 cidrSelector: 0.0.0.0/0
+ - type: Deny # IPv6 deny-all
+ to:
+ cidrSelector: ::/0
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
index 972eede69366..b0173ccad51a 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
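Review bot: The new `::/0` Deny in ovnk-egressfirewall-test.yaml closes the IPv6 default path, but nothing visible in this series asserts it directly: the Go test shown in the earlier patches pings only `1.1.1.1` and otherwise curls by hostname. An IPv6 probe that is expected to fail would pin the regression, so that a later edit dropping the rule is caught by the test rather than by a flaky dual-stack job. It is also worth confirming that a fixture carrying an IPv6 `cidrSelector` is accepted on any single-stack IPv4 job that shares this file; that cannot be told from the hunk. A comment such as `# default deny must stay last: rules are evaluated in order` above the two Deny entries would document why they sit at the end. The same rule is added to ovnk-egressfirewall-wildcard-test.yaml, where the new last line is also left without a trailing newline.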
@@ -21,6 +21,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny
+ - type: Deny # IPv4 deny-all
 to:
 cidrSelector: 0.0.0.0/0
+ - type: Deny # IPv6 deny-all
+ to:
+ cidrSelector: ::/0
\ No newline at end of file
From c7e5ce8b3089d78d593b88628967d5bb723a7f23 Mon Sep 17 00:00:00 2001
From: Shreyas Be <52690686+shreyasbe@users.noreply.github.com>
Date: Thu, 14 May 2026 11:01:33 +0530
Subject: [PATCH 5/5] Commit#5 Fix to IPv6 deny-all default
---
 .../testdata/egress-firewall/ovnk-egressfirewall-test.yaml | 4 ++--
 .../egress-firewall/ovnk-egressfirewall-wildcard-test.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
index 2c0c4201e3d8..d7ac26c6da41 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
@@ -24,9 +24,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny # IPv4 deny-all
+ - type: Deny # IPv4 default deny-all
 to:
 cidrSelector: 0.0.0.0/0
- - type: Deny # IPv6 deny-all
+ - type: Deny # IPv6 default deny-all
 to:
 cidrSelector: ::/0
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
index b0173ccad51a..c4da92487464 100644
--- a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
+++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
@@ -21,9 +21,9 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ''
- - type: Deny # IPv4 deny-all
+ - type: Deny # IPv4 default deny-all
 to:
 cidrSelector: 0.0.0.0/0
- - type: Deny # IPv6 deny-all
+ - type: Deny # IPv6 default deny-all
 to:
 cidrSelector: ::/0
\ No newline at end of file