mirrors/kube-router
1
0
Fork 0
mirror of https://github.com/cloudnativelabs/kube-router.git synced 2026-05-05 14:46:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
kube-router/pkg/controllers/proxy/network_services_controller_test.go
Aaron U'Ren a1f0b2eea3
fix: validate external IPs and LB IPs against configured ranges 
Moves all Service VIP range configurations into pkg/svcip this is where
validation and querying of ranges goes rather than passing each range to
each controller.

It also centralizes the validation logic since NRC and NSC need
basically equivalent logic. It additionally adds a RangeQuerier
interface for the NPC and LBC controllers which require knowing the
literal ranges.
2026-03-15 20:46:54 -05:00

2091 lines
83 KiB
Go
Raw Permalink Blame History

package proxy
import (
"context"
"fmt"
"net"
"sync"
"testing"
"time"
"github.com/cloudnativelabs/kube-router/v2/internal/testutils"
"github.com/cloudnativelabs/kube-router/v2/pkg/svcip"
"github.com/cloudnativelabs/kube-router/v2/pkg/utils"
"github.com/moby/ipvs"
"github.com/stretchr/testify/assert"
"github.com/vishvananda/netlink"
v1core "k8s.io/api/core/v1"
discoveryv1 "k8s.io/api/discovery/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/client-go/kubernetes/fake"
)
// getServicesFromAddServiceCalls formats ipvsAddService calls as strings for comparison
func getServicesFromAddServiceCalls(mock *LinuxNetworkingMock) []string {
var services []string
for _, args := range mock.ipvsAddServiceCalls() {
services = append(services, fmt.Sprintf("%v:%v:%v:%v:%v",
args.Vip, args.Protocol, args.Port, args.Persistent, args.Scheduler))
}
return services
}
// getEndpointsFromAddServerCalls formats ipvsAddServer calls as strings for comparison
func getEndpointsFromAddServerCalls(mock *LinuxNetworkingMock) []string {
var endpoints []string
for _, args := range mock.ipvsAddServerCalls() {
svc := args.IpvsSvc
dst := args.IpvsDst
endpoints = append(endpoints, fmt.Sprintf("%v:%v->%v:%v",
svc.Address, svc.Port, dst.Address, dst.Port))
}
return endpoints
}
func TestNetworkServicesController_syncIpvsServices(t *testing.T) {
// Default traffic policies used in tests
intTrafficPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extTrafficPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
tests := []struct {
name string
service *v1core.Service
endpointSlice *discoveryv1.EndpointSlice
injectPreExistingIpvsSvc bool
expectedIPs []string
expectedServices []string
expectedEndpoints []string
verifyDSRSetup bool // whether to verify DSR-related mock calls
verifyPreExistingDeleted bool // whether to verify pre-existing services were deleted
}{
{
name: "service with externalIPs and no endpoints",
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
Spec: v1core.ServiceSpec{
Type: "ClusterIP",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Port: 8080, Protocol: "TCP"},
},
},
},
endpointSlice: &discoveryv1.EndpointSlice{},
injectPreExistingIpvsSvc: true,
expectedIPs: []string{"10.0.0.1", "1.1.1.1", "2.2.2.2"},
expectedServices: []string{
"10.0.0.1:6:8080:false:rr",
"1.1.1.1:6:8080:false:rr",
"2.2.2.2:6:8080:false:rr",
},
verifyDSRSetup: true,
verifyPreExistingDeleted: true,
},
{
name: "service with loadbalancer IPs",
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
Spec: v1core.ServiceSpec{
Type: "LoadBalancer",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Protocol: "TCP", Port: 8080},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{IP: "10.255.0.1"},
{IP: "10.255.0.2"},
},
},
},
},
endpointSlice: &discoveryv1.EndpointSlice{},
expectedIPs: []string{"10.0.0.1", "1.1.1.1", "2.2.2.2", "10.255.0.1", "10.255.0.2"},
expectedServices: []string{
"10.0.0.1:6:8080:false:rr",
"1.1.1.1:6:8080:false:rr",
"2.2.2.2:6:8080:false:rr",
"10.255.0.1:6:8080:false:rr",
"10.255.0.2:6:8080:false:rr",
},
},
{
name: "service with loadbalancer IPs and skiplbips annotation",
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{
Name: "svc-1",
Annotations: map[string]string{
"kube-router.io/service.skiplbips": "true",
},
},
Spec: v1core.ServiceSpec{
Type: "LoadBalancer",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Protocol: "TCP", Port: 8080},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{IP: "10.255.0.1"},
{IP: "10.255.0.2"},
},
},
},
},
endpointSlice: &discoveryv1.EndpointSlice{},
expectedIPs: []string{"10.0.0.1", "1.1.1.1", "2.2.2.2"},
expectedServices: []string{
"10.0.0.1:6:8080:false:rr",
"1.1.1.1:6:8080:false:rr",
"2.2.2.2:6:8080:false:rr",
},
},
{
name: "service with loadbalancer hostname only (no IPs)",
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
Spec: v1core.ServiceSpec{
Type: "LoadBalancer",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Protocol: "TCP", Port: 8080},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{Hostname: "foo-bar.zone.elb.example.com"},
},
},
},
},
endpointSlice: &discoveryv1.EndpointSlice{},
expectedIPs: []string{"10.0.0.1", "1.1.1.1", "2.2.2.2"},
expectedServices: []string{
"10.0.0.1:6:8080:false:rr",
"1.1.1.1:6:8080:false:rr",
"2.2.2.2:6:8080:false:rr",
},
},
{
name: "node has endpoints for service",
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-1", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: "ClusterIP",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Protocol: "TCP", Port: 8080},
},
},
},
endpointSlice: &discoveryv1.EndpointSlice{
ObjectMeta: metav1.ObjectMeta{
Name: "svc-1-slice",
Namespace: "default",
Labels: map[string]string{
"kubernetes.io/service-name": "svc-1",
},
},
AddressType: discoveryv1.AddressTypeIPv4,
Endpoints: []discoveryv1.Endpoint{
{
Addresses: []string{"172.20.1.1"},
NodeName: testutils.ValToPtr("node-1"),
Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)},
},
{
Addresses: []string{"172.20.1.2"},
NodeName: testutils.ValToPtr("node-2"),
Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)},
},
},
Ports: []discoveryv1.EndpointPort{
{Name: testutils.ValToPtr("port-1"), Port: testutils.ValToPtr[int32](80), Protocol: testutils.ValToPtr(v1core.ProtocolTCP)},
},
},
expectedIPs: []string{"10.0.0.1", "1.1.1.1", "2.2.2.2"},
expectedServices: []string{
"10.0.0.1:6:8080:false:rr",
"1.1.1.1:6:8080:false:rr",
"2.2.2.2:6:8080:false:rr",
},
expectedEndpoints: []string{
"10.0.0.1:8080->172.20.1.1:80",
"1.1.1.1:8080->172.20.1.1:80",
"2.2.2.2:8080->172.20.1.1:80",
"10.0.0.1:8080->172.20.1.2:80",
"1.1.1.1:8080->172.20.1.2:80",
"2.2.2.2:8080->172.20.1.2:80",
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
ipvsState, mock, nsc := setupTestController(t, tc.service, tc.endpointSlice)
// Inject pre-existing IPVS services if requested (to test deletion)
var fooSvc1, fooSvc2 *ipvs.Service
if tc.injectPreExistingIpvsSvc {
fooSvc1 = ipvsState.addService(net.ParseIP("1.2.3.4"), 6, 1234)
fooSvc2 = ipvsState.addService(net.ParseIP("5.6.7.8"), 6, 5678)
}
// Wait for endpoint slice if we have one with data
if tc.endpointSlice != nil && tc.endpointSlice.Name != "" {
waitForListerWithTimeout(t, nsc.epSliceLister, time.Second*10)
nsc.endpointsMap = nsc.buildEndpointSliceInfo()
}
// Execute
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err, "syncIpvsServices should succeed")
// Verify DSR setup calls if requested
if tc.verifyDSRSetup {
assert.Len(t, mock.setupPolicyRoutingForDSRCalls(), 1,
"setupPolicyRoutingForDSR should be called once")
assert.NotEmpty(t, mock.getKubeDummyInterfaceCalls(),
"getKubeDummyInterface should be called at least once")
assert.NotEmpty(t, mock.setupRoutesForExternalIPForDSRCalls(),
"setupRoutesForExternalIPForDSR should be called")
}
// Verify IP addresses added
actualIPs := getIPsFromAddrAddCalls(mock)
assert.ElementsMatch(t, tc.expectedIPs, actualIPs,
"ipAddrAdd should be called for expected IPs")
// Verify IPVS services created
actualServices := getServicesFromAddServiceCalls(mock)
assert.ElementsMatch(t, tc.expectedServices, actualServices,
"ipvsAddService should be called for expected services")
// Verify endpoints if expected
if len(tc.expectedEndpoints) > 0 {
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.ElementsMatch(t, tc.expectedEndpoints, actualEndpoints,
"ipvsAddServer should be called for expected endpoints")
}
// Verify pre-existing services were deleted if requested
if tc.verifyPreExistingDeleted {
deleteCalls := mock.ipvsDelServiceCalls()
assert.Len(t, deleteCalls, 2, "should delete 2 pre-existing services")
// Verify the correct services were deleted (by pointer comparison)
deletedPtrs := fmt.Sprintf("[{%p} {%p}]", fooSvc1, fooSvc2)
actualPtrs := fmt.Sprintf("%v", deleteCalls)
assert.Equal(t, deletedPtrs, actualPtrs,
"should delete the correct pre-existing services")
}
})
}
}
// TestNetworkServicesController_syncIpvsServices_DSRCallsWithServiceMap verifies that
// setupRoutesForExternalIPForDSR is called with the correct serviceInfoMap
func TestNetworkServicesController_syncIpvsServices_DSRCallsWithServiceMap(t *testing.T) {
intTrafficPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extTrafficPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-1"},
Spec: v1core.ServiceSpec{
Type: "ClusterIP",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"1.1.1.1"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "port-1", Port: 8080, Protocol: "TCP"},
},
},
}
_, mock, nsc := setupTestController(t, service, &discoveryv1.EndpointSlice{})
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify setupRoutesForExternalIPForDSR was called with the service map
dsrCalls := mock.setupRoutesForExternalIPForDSRCalls()
assert.Len(t, dsrCalls, 1, "setupRoutesForExternalIPForDSR should be called once")
// The call should contain a non-empty service map
assert.NotEmpty(t, dsrCalls[0].ServiceInfo,
"setupRoutesForExternalIPForDSR should be called with non-empty serviceInfoMap")
}
// =============================================================================
// Traffic Policy Tests
//
// These tests verify that internalTrafficPolicy and externalTrafficPolicy are
// correctly applied to route traffic to the appropriate endpoints.
//
// Key behaviors being tested:
// - internalTrafficPolicy controls ClusterIP traffic routing
// - externalTrafficPolicy controls NodePort/ExternalIP/LoadBalancer traffic routing
// - These policies work INDEPENDENTLY (critical for issue #818)
// - When policy=Local and no local endpoints exist, the service is skipped entirely
//
// NOTE: kube-router skips creating IPVS services when policy=Local and no local endpoints.
// This is more aggressive than upstream kube-proxy (which creates service but drops traffic),
// but is valid and more efficient. Upstream e2e tests verify connection errors from clients;
// these unit tests verify the service is never created.
// =============================================================================
// TestTrafficPolicy_InternalCluster_AllEndpoints verifies that with internalTrafficPolicy=Cluster,
// ClusterIP traffic is routed to ALL ready endpoints (both local and remote).
func TestTrafficPolicy_InternalCluster_AllEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-itp-cluster", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.1.1",
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"}, // local endpoint
[]string{"172.20.2.1"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify ClusterIP service was created
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.1.1:6:8080:false:rr",
"ClusterIP service should be created")
// Verify BOTH endpoints are added (Cluster policy routes to all)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "10.100.1.1:8080->172.20.1.1:80",
"local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.1.1:8080->172.20.2.1:80",
"remote endpoint should be added to ClusterIP with Cluster policy")
}
// TestTrafficPolicy_InternalLocal_OnlyLocalEndpoints verifies that with internalTrafficPolicy=Local,
// ClusterIP traffic is routed ONLY to node-local endpoints.
func TestTrafficPolicy_InternalLocal_OnlyLocalEndpoints(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-itp-local", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.1.2",
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.2", "172.20.1.3"}, // local endpoints
[]string{"172.20.2.2"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify ClusterIP service was created
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.1.2:6:8080:false:rr",
"ClusterIP service should be created")
// Verify ONLY local endpoints are added (Local policy filters remote)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "10.100.1.2:8080->172.20.1.2:80",
"first local endpoint should be added")
assert.Contains(t, actualEndpoints, "10.100.1.2:8080->172.20.1.3:80",
"second local endpoint should be added")
assert.NotContains(t, actualEndpoints, "10.100.1.2:8080->172.20.2.2:80",
"remote endpoint should NOT be added with Local policy")
}
// TestTrafficPolicy_InternalLocal_NoLocalEndpoints_SkipsService verifies that with
// internalTrafficPolicy=Local and NO local endpoints, the ClusterIP service is skipped entirely.
func TestTrafficPolicy_InternalLocal_NoLocalEndpoints_SkipsService(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-itp-nolocal", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.1.3",
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
nil, // NO local endpoints
[]string{"172.20.2.3"}) // only remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify NO ClusterIP service was created (early exit due to no local endpoints)
actualServices := getServicesFromAddServiceCalls(mock)
for _, svc := range actualServices {
assert.NotContains(t, svc, "10.100.1.3",
"ClusterIP service should NOT be created when no local endpoints exist")
}
// Verify NO IPs were added for this service
actualIPs := getIPsFromAddrAddCalls(mock)
assert.NotContains(t, actualIPs, "10.100.1.3",
"ClusterIP should NOT be added to dummy interface when service is skipped")
}
// TestTrafficPolicy_ExternalCluster_NodePort_AllEndpoints verifies that with externalTrafficPolicy=Cluster,
// NodePort traffic is routed to ALL ready endpoints.
func TestTrafficPolicy_ExternalCluster_NodePort_AllEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-cluster-np", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.2.1",
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30001, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.4"}, // local endpoint
[]string{"172.20.2.4"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify both ClusterIP and NodePort services were created
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.2.1:6:8080:false:rr",
"ClusterIP service should be created")
// For NodePort, we check if endpoints are added for the NodePort
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// Both endpoints should be routed to for ClusterIP (internalTrafficPolicy=Cluster)
assert.Contains(t, actualEndpoints, "10.100.2.1:8080->172.20.1.4:80",
"local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.2.1:8080->172.20.2.4:80",
"remote endpoint should be added to ClusterIP")
}
// TestTrafficPolicy_ExternalLocal_NodePort_OnlyLocalEndpoints verifies that with externalTrafficPolicy=Local,
// NodePort traffic is routed ONLY to node-local endpoints.
func TestTrafficPolicy_ExternalLocal_NodePort_OnlyLocalEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-local-np", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.2.2",
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30002, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.5"}, // local endpoint
[]string{"172.20.2.5", "172.20.2.6"}) // remote endpoints
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ALL endpoints (internalTrafficPolicy=Cluster)
assert.Contains(t, actualEndpoints, "10.100.2.2:8080->172.20.1.5:80",
"local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.2.2:8080->172.20.2.5:80",
"remote endpoint should be added to ClusterIP (internal policy is Cluster)")
assert.Contains(t, actualEndpoints, "10.100.2.2:8080->172.20.2.6:80",
"second remote endpoint should be added to ClusterIP")
// Note: NodePort endpoint verification would require checking NodePort-specific
// IPVS services, which bind to node IPs. The filtering happens at the endpoint
// addition level in syncIpvsServices.
}
// TestTrafficPolicy_ExternalLocal_NodePort_NoLocalEndpoints_SkipsService verifies that with
// externalTrafficPolicy=Local and NO local endpoints, the NodePort service is skipped.
func TestTrafficPolicy_ExternalLocal_NodePort_NoLocalEndpoints_SkipsService(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-nolocal-np", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.2.3",
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30003, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
nil, // NO local endpoints
[]string{"172.20.2.7"}) // only remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// ClusterIP should still be created (internalTrafficPolicy=Cluster doesn't require local)
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.2.3:6:8080:false:rr",
"ClusterIP service should still be created")
// Verify remote endpoint IS added to ClusterIP (internalTrafficPolicy=Cluster allows remote)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "10.100.2.3:8080->172.20.2.7:80",
"remote endpoint should be added to ClusterIP (internal policy is Cluster)")
// Verify NO NodePort endpoints were added (externalTrafficPolicy=Local with no local endpoints)
// The syncNodePortIpvsServices function has early exit logic for this case
for _, endpoint := range actualEndpoints {
assert.NotContains(t, endpoint, "30003",
"NodePort should not have any endpoints when externalTrafficPolicy=Local and no local endpoints exist")
}
}
// TestTrafficPolicy_ExternalCluster_ExternalIP_AllEndpoints verifies that with externalTrafficPolicy=Cluster,
// ExternalIP traffic is routed to ALL ready endpoints.
func TestTrafficPolicy_ExternalCluster_ExternalIP_AllEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-cluster-eip", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.3.1",
ExternalIPs: []string{"203.0.113.1"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.6"}, // local endpoint
[]string{"172.20.2.8"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify both ClusterIP and ExternalIP services were created
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.3.1:6:8080:false:rr",
"ClusterIP service should be created")
assert.Contains(t, actualServices, "203.0.113.1:6:8080:false:rr",
"ExternalIP service should be created")
// Verify both endpoints are added to ExternalIP (externalTrafficPolicy=Cluster)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "203.0.113.1:8080->172.20.1.6:80",
"local endpoint should be added to ExternalIP")
assert.Contains(t, actualEndpoints, "203.0.113.1:8080->172.20.2.8:80",
"remote endpoint should be added to ExternalIP with Cluster policy")
}
// TestTrafficPolicy_ExternalLocal_ExternalIP_OnlyLocalEndpoints verifies that with externalTrafficPolicy=Local,
// ExternalIP traffic is routed ONLY to node-local endpoints.
func TestTrafficPolicy_ExternalLocal_ExternalIP_OnlyLocalEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-local-eip", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.3.2",
ExternalIPs: []string{"203.0.113.2"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.7", "172.20.1.8"}, // local endpoints
[]string{"172.20.2.9"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ALL endpoints (internalTrafficPolicy=Cluster)
assert.Contains(t, actualEndpoints, "10.100.3.2:8080->172.20.1.7:80",
"first local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.3.2:8080->172.20.2.9:80",
"remote endpoint should be added to ClusterIP (internal policy is Cluster)")
// ExternalIP should have ONLY local endpoints (externalTrafficPolicy=Local)
assert.Contains(t, actualEndpoints, "203.0.113.2:8080->172.20.1.7:80",
"first local endpoint should be added to ExternalIP")
assert.Contains(t, actualEndpoints, "203.0.113.2:8080->172.20.1.8:80",
"second local endpoint should be added to ExternalIP")
assert.NotContains(t, actualEndpoints, "203.0.113.2:8080->172.20.2.9:80",
"remote endpoint should NOT be added to ExternalIP with Local policy")
}
// TestTrafficPolicy_ExternalLocal_ExternalIP_NoLocalEndpoints_SkipsService verifies that with
// externalTrafficPolicy=Local and NO local endpoints, the ExternalIP service is skipped.
func TestTrafficPolicy_ExternalLocal_ExternalIP_NoLocalEndpoints_SkipsService(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-etp-nolocal-eip", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.3.3",
ExternalIPs: []string{"203.0.113.3"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
nil, // NO local endpoints
[]string{"172.20.2.10"}) // only remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// ClusterIP should still be created (internalTrafficPolicy=Cluster)
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.3.3:6:8080:false:rr",
"ClusterIP service should still be created")
// Verify remote endpoint IS added to ClusterIP (internalTrafficPolicy=Cluster allows remote)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "10.100.3.3:8080->172.20.2.10:80",
"remote endpoint should be added to ClusterIP (internal policy is Cluster)")
// ExternalIP should be skipped due to no local endpoints with Local policy
// Verify that the remote endpoint is NOT added to the ExternalIP
assert.NotContains(t, actualEndpoints, "203.0.113.3:8080->172.20.2.10:80",
"remote endpoint should NOT be added to ExternalIP with Local policy")
}
// =============================================================================
// Mixed Policy Tests - CRITICAL for Issue #818
//
// These tests verify that internalTrafficPolicy and externalTrafficPolicy work
// INDEPENDENTLY. Issue #818 was caused by externalTrafficPolicy=Local incorrectly
// affecting ClusterIP (internal) traffic routing.
//
// NOTE: Upstream Kubernetes e2e tests do NOT have mixed policy tests.
// These tests fill a gap in upstream testing and are critical for preventing
// regression of issue #818.
// =============================================================================
// TestTrafficPolicy_Mixed_LocalInternal_ClusterExternal verifies that policies work independently:
// - internalTrafficPolicy=Local should route ClusterIP to local endpoints only
// - externalTrafficPolicy=Cluster should route NodePort to ALL endpoints
func TestTrafficPolicy_Mixed_LocalInternal_ClusterExternal(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-mixed-1", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.4.1",
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30004, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.9"}, // local endpoint
[]string{"172.20.2.11"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ONLY local endpoint (internalTrafficPolicy=Local)
assert.Contains(t, actualEndpoints, "10.100.4.1:8080->172.20.1.9:80",
"local endpoint should be added to ClusterIP")
assert.NotContains(t, actualEndpoints, "10.100.4.1:8080->172.20.2.11:80",
"remote endpoint should NOT be added to ClusterIP with Local internal policy")
// This is the CRITICAL check for issue #818:
// externalTrafficPolicy=Cluster should NOT affect ClusterIP routing
// The ClusterIP should only have the local endpoint, not be affected by external policy
}
// TestTrafficPolicy_Mixed_ClusterInternal_LocalExternal verifies the reverse scenario:
// - internalTrafficPolicy=Cluster should route ClusterIP to ALL endpoints
// - externalTrafficPolicy=Local should route ExternalIP to local endpoints only
func TestTrafficPolicy_Mixed_ClusterInternal_LocalExternal(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-mixed-2", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.4.2",
ExternalIPs: []string{"203.0.113.4"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30005, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.10"}, // local endpoint
[]string{"172.20.2.12"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ALL endpoints (internalTrafficPolicy=Cluster)
assert.Contains(t, actualEndpoints, "10.100.4.2:8080->172.20.1.10:80",
"local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.4.2:8080->172.20.2.12:80",
"remote endpoint should be added to ClusterIP with Cluster internal policy")
// ExternalIP should have ONLY local endpoint (externalTrafficPolicy=Local)
assert.Contains(t, actualEndpoints, "203.0.113.4:8080->172.20.1.10:80",
"local endpoint should be added to ExternalIP")
assert.NotContains(t, actualEndpoints, "203.0.113.4:8080->172.20.2.12:80",
"remote endpoint should NOT be added to ExternalIP with Local external policy")
}
// TestTrafficPolicy_Mixed_BothLocal verifies that when BOTH policies are Local,
// both ClusterIP and ExternalIP route only to local endpoints.
func TestTrafficPolicy_Mixed_BothLocal(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-mixed-3", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeNodePort,
ClusterIP: "10.100.4.3",
ExternalIPs: []string{"203.0.113.5"},
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, NodePort: 30006, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.11"}, // local endpoint
[]string{"172.20.2.13", "172.20.2.14"}) // remote endpoints
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ONLY local endpoint
assert.Contains(t, actualEndpoints, "10.100.4.3:8080->172.20.1.11:80",
"local endpoint should be added to ClusterIP")
assert.NotContains(t, actualEndpoints, "10.100.4.3:8080->172.20.2.13:80",
"first remote endpoint should NOT be added to ClusterIP")
assert.NotContains(t, actualEndpoints, "10.100.4.3:8080->172.20.2.14:80",
"second remote endpoint should NOT be added to ClusterIP")
// ExternalIP should have ONLY local endpoint
assert.Contains(t, actualEndpoints, "203.0.113.5:8080->172.20.1.11:80",
"local endpoint should be added to ExternalIP")
assert.NotContains(t, actualEndpoints, "203.0.113.5:8080->172.20.2.13:80",
"first remote endpoint should NOT be added to ExternalIP")
assert.NotContains(t, actualEndpoints, "203.0.113.5:8080->172.20.2.14:80",
"second remote endpoint should NOT be added to ExternalIP")
}
// =============================================================================
// Edge Case Tests
// =============================================================================
// TestTrafficPolicy_LocalPolicy_AllEndpointsLocal verifies that when all endpoints
// are local, Local policy works correctly (no filtering needed).
func TestTrafficPolicy_LocalPolicy_AllEndpointsLocal(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-edge-alllocal", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.5.1",
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.12", "172.20.1.13"}, // all local endpoints
nil) // no remote endpoints
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify service was created
actualServices := getServicesFromAddServiceCalls(mock)
assert.Contains(t, actualServices, "10.100.5.1:6:8080:false:rr",
"ClusterIP service should be created")
// Verify both local endpoints are added
actualEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, actualEndpoints, "10.100.5.1:8080->172.20.1.12:80",
"first local endpoint should be added")
assert.Contains(t, actualEndpoints, "10.100.5.1:8080->172.20.1.13:80",
"second local endpoint should be added")
}
// TestTrafficPolicy_LocalPolicy_ZeroEndpoints verifies that when there are no endpoints
// at all (not just no local endpoints), the service is handled correctly.
func TestTrafficPolicy_LocalPolicy_ZeroEndpoints(t *testing.T) {
intPolicyLocal := v1core.ServiceInternalTrafficPolicyLocal
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-edge-noeps", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.5.2",
InternalTrafficPolicy: &intPolicyLocal,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
nil, // no local endpoints
nil) // no remote endpoints
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// With internalTrafficPolicy=Local and no local endpoints, service should be skipped
actualServices := getServicesFromAddServiceCalls(mock)
for _, svc := range actualServices {
assert.NotContains(t, svc, "10.100.5.2",
"ClusterIP service should NOT be created when no local endpoints exist")
}
}
// TestTrafficPolicy_LoadBalancer_MixedPolicies verifies that LoadBalancer services
// correctly apply both traffic policies.
func TestTrafficPolicy_LoadBalancer_MixedPolicies(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-edge-lb", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeLoadBalancer,
ClusterIP: "10.100.5.3",
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyLocal,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{IP: "198.51.100.1"},
},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.14"}, // local endpoint
[]string{"172.20.2.15"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
actualEndpoints := getEndpointsFromAddServerCalls(mock)
// ClusterIP should have ALL endpoints (internalTrafficPolicy=Cluster)
assert.Contains(t, actualEndpoints, "10.100.5.3:8080->172.20.1.14:80",
"local endpoint should be added to ClusterIP")
assert.Contains(t, actualEndpoints, "10.100.5.3:8080->172.20.2.15:80",
"remote endpoint should be added to ClusterIP with Cluster internal policy")
// LoadBalancer IP should have ONLY local endpoint (externalTrafficPolicy=Local)
assert.Contains(t, actualEndpoints, "198.51.100.1:8080->172.20.1.14:80",
"local endpoint should be added to LoadBalancer IP")
assert.NotContains(t, actualEndpoints, "198.51.100.1:8080->172.20.2.15:80",
"remote endpoint should NOT be added to LoadBalancer IP with Local external policy")
}
// =============================================================================
// DSR (Direct Server Return) Configuration Tests
//
// These tests verify DSR functionality for external IPs, which enables direct
// server return for improved performance. DSR uses FWMARK-based IPVS services
// and requires special configuration (VIP-less director, mangle table rules).
//
// Key behaviors being tested:
// - DSR annotation enables FWMARK-based IPVS instead of IP:port services
// - DSR services don't add VIP to dummy interface (VIP-less director)
// - DSR respects externalTrafficPolicy (Cluster vs Local)
// - FWMARK collision detection and uniqueness
// - IP family handling (IPv4/IPv6)
// - HostNetwork pod detection and handling
//
// Historical issues prevented by these tests:
// - #1328: DSR functionality broken by refactoring
// - #1045: FWMARK hash collisions for certain IP+port combinations
// - #1995: IPv6 DSR issues
// - #1671: Multiple services on same IP with DSR
//
// TEST IMPLEMENTATION:
// These tests use a comprehensive NetLink mocking layer (see mock_netlink_state_test.go)
// that simulates all netlink operations (interfaces, addresses, routes, rules) in-memory.
// This allows DSR tests to run fully without requiring privileges or CAP_NET_ADMIN.
//
// The mock infrastructure enables testing:
// 1. Complete DSR code paths including policy routing setup
// 2. FWMARK service creation and management
// 3. VIP-less director logic with traffic routing
// 4. Traffic policy filtering for both local and cluster modes
// 5. Container DSR receiver configuration
//
// All DSR functionality is fully tested without any test skipping or conditional logic.
// =============================================================================
// Helper functions for DSR tests
// createDSRService creates a service with DSR annotation enabled
// All tests use "default" namespace for simplicity and consistency
//
//nolint:unparam // namespace parameter kept for API clarity and potential future multi-namespace tests
func createDSRService(name, namespace, clusterIP, externalIP string, port int32,
intPolicy *v1core.ServiceInternalTrafficPolicy,
extPolicy v1core.ServiceExternalTrafficPolicyType) *v1core.Service {
return &v1core.Service{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
"kube-router.io/service.dsr": "tunnel",
},
},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: clusterIP,
ExternalIPs: []string{externalIP},
InternalTrafficPolicy: intPolicy,
ExternalTrafficPolicy: extPolicy,
Ports: []v1core.ServicePort{
{Name: "http", Port: port, Protocol: v1core.ProtocolTCP, TargetPort: intstr.FromInt(80)},
},
},
}
}
// verifyFWMarkServiceCreated verifies that a FWMARK-based IPVS service was created
func verifyFWMarkServiceCreated(t *testing.T, mock *LinuxNetworkingMock, expectedCount int) []uint32 {
t.Helper()
calls := mock.ipvsAddFWMarkServiceCalls()
assert.Len(t, calls, expectedCount, "FWMARK service calls should match expected count")
// Extract and return FWMARKs for further verification
fwmarks := make([]uint32, len(calls))
for i, call := range calls {
fwmarks[i] = call.FwMark
assert.NotZero(t, call.FwMark, "FWMARK should be non-zero")
}
return fwmarks
}
// verifyVIPNotOnInterface verifies that external IP was NOT added to dummy interface (VIP-less director)
func verifyVIPNotOnInterface(t *testing.T, mock *LinuxNetworkingMock, externalIP string) {
t.Helper()
// DSR requires VIP-less director, so external IP should be deleted from interface
delCalls := mock.ipAddrDelCalls()
found := false
for _, call := range delCalls {
if call.IP == externalIP {
found = true
break
}
}
assert.True(t, found, "External IP %s should be deleted from dummy interface for DSR", externalIP)
// Verify external IP was NOT added to interface
addCalls := mock.ipAddrAddCalls()
for _, call := range addCalls {
assert.NotEqual(t, externalIP, call.IP,
"External IP %s should NOT be added to interface for DSR (VIP-less director)", externalIP)
}
}
// verifyUniqueFWMarks verifies that all FWMARKs are unique
func verifyUniqueFWMarks(t *testing.T, fwmarks []uint32) {
t.Helper()
seen := make(map[uint32]bool)
for _, fwmark := range fwmarks {
assert.False(t, seen[fwmark], "FWMARK %d should be unique", fwmark)
seen[fwmark] = true
}
}
// getEndpointsForFWMarkServices returns endpoints added to FWMARK-based IPVS services (DSR).
// This filters out endpoints added to regular IP:port services (like ClusterIP).
// FWMARK services can be identified by having a non-zero FWMark field.
func getEndpointsForFWMarkServices(t *testing.T, mock *LinuxNetworkingMock) []string {
t.Helper()
// Get all endpoint additions
serverCalls := mock.ipvsAddServerCalls()
var endpoints []string
for _, call := range serverCalls {
// FWMARK services have FWMark set (non-zero)
// Regular services (like ClusterIP) have Address set instead
if call.IpvsSvc != nil && call.IpvsSvc.FWMark != 0 {
endpoint := call.IpvsDst.Address.String()
endpoints = append(endpoints, endpoint)
}
}
return endpoints
}
// =============================================================================
// Priority 1: DSR Annotation Handling (Basic Functionality)
// =============================================================================
// TestDSR_ServiceCreatesFWMarkBasedIPVSService verifies that a service with DSR annotation
// creates a FWMARK-based IPVS service instead of an IP:port based service.
func TestDSR_ServiceCreatesFWMarkBasedIPVSService(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyCluster)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1", "172.20.1.2"}, // local endpoints
[]string{}) // no remote endpoints
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify FWMARK service was created
fwmarks := verifyFWMarkServiceCreated(t, mock, 1)
assert.NotZero(t, fwmarks[0], "FWMARK should be non-zero")
// Verify regular IP:port service was NOT created for external IP
// (ClusterIP will still get a regular service)
svcs := getServicesFromAddServiceCalls(mock)
for _, svc := range svcs {
assert.NotContains(t, svc, "1.1.1.1",
"External IP should not have regular IP:port IPVS service with DSR")
}
}
// TestDSR_ServiceDoesNotAddVIPToDummyInterface verifies that DSR services do not add
// the external IP to the dummy interface (VIP-less director requirement).
func TestDSR_ServiceDoesNotAddVIPToDummyInterface(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyCluster)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"},
[]string{})
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify VIP-less director: external IP should be deleted, not added
verifyVIPNotOnInterface(t, mock, "1.1.1.1")
}
// TestDSR_NonDSRServiceUsesRegularIPPortService verifies that services WITHOUT DSR annotation
// use the regular IP:port IPVS service path and add VIP to dummy interface.
func TestDSR_NonDSRServiceUsesRegularIPPortService(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
// Service WITHOUT DSR annotation
service := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{
Name: "non-dsr-svc",
Namespace: "default",
// No DSR annotation
},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.1.1",
ExternalIPs: []string{"1.1.1.1"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 8080, Protocol: v1core.ProtocolTCP, TargetPort: intstr.FromInt(80)},
},
},
}
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"},
[]string{})
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify NO FWMARK service was created
fwmarkCalls := mock.ipvsAddFWMarkServiceCalls()
assert.Len(t, fwmarkCalls, 0, "Non-DSR service should not create FWMARK service")
// Verify regular IP:port service WAS created for external IP
svcs := getServicesFromAddServiceCalls(mock)
assert.Contains(t, svcs, "1.1.1.1:6:8080:false:rr",
"External IP should have regular IP:port IPVS service without DSR")
// Verify VIP was added to interface (not VIP-less)
addCalls := mock.ipAddrAddCalls()
found := false
for _, call := range addCalls {
if call.IP == "1.1.1.1" {
found = true
break
}
}
assert.True(t, found, "External IP should be added to dummy interface for non-DSR service")
}
// TestDSR_PolicyRoutingCalledOncePerSync verifies that DSR policy routing setup
// is called once per sync, regardless of the number of DSR services.
func TestDSR_PolicyRoutingCalledOncePerSync(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
// Create two DSR services
service1 := createDSRService("dsr-svc-1", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyCluster)
service2 := createDSRService("dsr-svc-2", "default", "10.100.1.2", "2.2.2.2", 9090,
&intPolicyCluster, extPolicyCluster)
ipvsState := newMockIPVSState()
netlinkState := newMockNetlinkState()
// Mock the standalone routeVIPTrafficToDirector function
routeVIPTrafficToDirector = createMockRouteVIPTrafficToDirector(netlinkState)
mock := &LinuxNetworkingMock{
getKubeDummyInterfaceFunc: createMockGetKubeDummyInterface(netlinkState),
ipAddrAddFunc: createMockIPAddrAdd(netlinkState),
ipAddrDelFunc: createMockIPAddrDel(netlinkState),
setupPolicyRoutingForDSRFunc: createMockSetupPolicyRoutingForDSR(netlinkState),
setupRoutesForExternalIPForDSRFunc: createMockSetupRoutesForExternalIPForDSR(netlinkState),
configureContainerForDSRFunc: createMockConfigureContainerForDSR(netlinkState),
getContainerPidWithDockerFunc: createMockGetContainerPidWithDocker(netlinkState),
getContainerPidWithCRIFunc: createMockGetContainerPidWithCRI(netlinkState),
findIfaceLinkForPidFunc: createMockFindIfaceLinkForPid(netlinkState),
ipvsAddServerFunc: func(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error {
return nil
},
ipvsAddServiceFunc: func(svcs []*ipvs.Service, vip net.IP, protocol uint16, port uint16,
persistent bool, persistentTimeout int32, scheduler string,
flags schedFlags) ([]*ipvs.Service, *ipvs.Service, error) {
svc := &ipvs.Service{
Address: vip,
Protocol: protocol,
Port: port,
}
ipvsState.services = append(ipvsState.services, svc)
return svcs, svc, nil
},
ipvsAddFWMarkServiceFunc: func(svcs []*ipvs.Service, fwMark uint32, family uint16, protocol uint16,
port uint16, persistent bool, persistentTimeout int32, scheduler string,
flags schedFlags) (*ipvs.Service, error) {
return &ipvs.Service{FWMark: fwMark}, nil
},
ipvsDelServiceFunc: func(ipvsSvc *ipvs.Service) error {
return nil
},
ipvsGetDestinationsFunc: func(ipvsSvc *ipvs.Service) ([]*ipvs.Destination, error) {
return []*ipvs.Destination{}, nil
},
ipvsGetServicesFunc: func() ([]*ipvs.Service, error) {
svcsCopy := make([]*ipvs.Service, len(ipvsState.services))
copy(svcsCopy, ipvsState.services)
return svcsCopy, nil
},
}
clientset := fake.NewSimpleClientset()
// Create both services
_, err := clientset.CoreV1().Services("default").Create(
context.Background(), service1, metav1.CreateOptions{})
assert.NoError(t, err)
_, err = clientset.CoreV1().Services("default").Create(
context.Background(), service2, metav1.CreateOptions{})
assert.NoError(t, err)
// Create endpoints for both
endpointSlice1 := &discoveryv1.EndpointSlice{
ObjectMeta: metav1.ObjectMeta{
Name: "dsr-svc-1-slice",
Namespace: "default",
Labels: map[string]string{
discoveryv1.LabelServiceName: "dsr-svc-1",
},
},
AddressType: discoveryv1.AddressTypeIPv4,
Endpoints: []discoveryv1.Endpoint{
{
Addresses: []string{"172.20.1.1"},
NodeName: testutils.ValToPtr("localnode-1"),
Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)},
},
},
Ports: []discoveryv1.EndpointPort{
{Name: testutils.ValToPtr("http"), Port: testutils.ValToPtr(int32(80)), Protocol: testutils.ValToPtr(v1core.ProtocolTCP)},
},
}
_, err = clientset.DiscoveryV1().EndpointSlices("default").Create(
context.Background(), endpointSlice1, metav1.CreateOptions{})
assert.NoError(t, err)
endpointSlice2 := &discoveryv1.EndpointSlice{
ObjectMeta: metav1.ObjectMeta{
Name: "dsr-svc-2-slice",
Namespace: "default",
Labels: map[string]string{
discoveryv1.LabelServiceName: "dsr-svc-2",
},
},
AddressType: discoveryv1.AddressTypeIPv4,
Endpoints: []discoveryv1.Endpoint{
{
Addresses: []string{"172.20.1.2"},
NodeName: testutils.ValToPtr("localnode-1"),
Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)},
},
},
Ports: []discoveryv1.EndpointPort{
{Name: testutils.ValToPtr("http"), Port: testutils.ValToPtr(int32(80)), Protocol: testutils.ValToPtr(v1core.ProtocolTCP)},
},
}
_, err = clientset.DiscoveryV1().EndpointSlices("default").Create(
context.Background(), endpointSlice2, metav1.CreateOptions{})
assert.NoError(t, err)
// Create pods for the endpoints (required for DSR container configuration)
pod1 := &v1core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "pod-1",
Namespace: "default",
},
Spec: v1core.PodSpec{
Containers: []v1core.Container{{Name: "container-1"}},
},
Status: v1core.PodStatus{
PodIP: "172.20.1.1",
PodIPs: []v1core.PodIP{{IP: "172.20.1.1"}},
HostIP: "10.0.0.0",
ContainerStatuses: []v1core.ContainerStatus{
{ContainerID: "docker://abc123"},
},
},
}
_, err = clientset.CoreV1().Pods("default").Create(
context.Background(), pod1, metav1.CreateOptions{})
assert.NoError(t, err)
pod2 := &v1core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "pod-2",
Namespace: "default",
},
Spec: v1core.PodSpec{
Containers: []v1core.Container{{Name: "container-2"}},
},
Status: v1core.PodStatus{
PodIP: "172.20.1.2",
PodIPs: []v1core.PodIP{{IP: "172.20.1.2"}},
HostIP: "10.0.0.0",
ContainerStatuses: []v1core.ContainerStatus{
{ContainerID: "docker://def456"},
},
},
}
_, err = clientset.CoreV1().Pods("default").Create(
context.Background(), pod2, metav1.CreateOptions{})
assert.NoError(t, err)
krNode := &utils.LocalKRNode{
KRNode: utils.KRNode{
NodeName: "localnode-1",
PrimaryIP: net.ParseIP("10.0.0.0"),
},
}
// Create iptables mocks for DSR support
ipv4Mock := &utils.IPTablesHandlerMock{
AppendUniqueFunc: func(table string, chain string, rulespec ...string) error {
return nil
},
ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) {
return false, nil
},
DeleteFunc: func(table string, chain string, rulespec ...string) error {
return nil
},
}
ipv6Mock := &utils.IPTablesHandlerMock{
AppendUniqueFunc: func(table string, chain string, rulespec ...string) error {
return nil
},
ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) {
return false, nil
},
DeleteFunc: func(table string, chain string, rulespec ...string) error {
return nil
},
}
nsc := &NetworkServicesController{
krNode: krNode,
ln: mock,
nphc: NewNodePortHealthCheck(),
ipsetMutex: &sync.Mutex{},
client: clientset,
fwMarkMap: make(map[uint32]string),
iptablesCmdHandlers: map[v1core.IPFamily]utils.IPTablesHandler{
v1core.IPv4Protocol: ipv4Mock,
v1core.IPv6Protocol: ipv6Mock,
},
}
startInformersForServiceProxy(t, nsc, clientset)
waitForListerWithTimeout(t, nsc.svcLister, time.Second*10)
waitForListerWithTimeout(t, nsc.epSliceLister, time.Second*10)
waitForListerWithTimeout(t, nsc.podLister, time.Second*10)
nsc.setServiceMap(nsc.buildServicesInfo())
nsc.endpointsMap = nsc.buildEndpointSliceInfo()
err = nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify setupPolicyRoutingForDSR called exactly once
dsrPolicyCall := mock.setupPolicyRoutingForDSRCalls()
assert.Len(t, dsrPolicyCall, 1, "setupPolicyRoutingForDSR should be called once, not once per service")
// Verify setupRoutesForExternalIPForDSR called exactly once
dsrRoutesCall := mock.setupRoutesForExternalIPForDSRCalls()
assert.Len(t, dsrRoutesCall, 1, "setupRoutesForExternalIPForDSR should be called once, not once per service")
// Verify both FWMARK services were created
verifyFWMarkServiceCreated(t, mock, 2)
}
// =============================================================================
// Priority 2: DSR + Traffic Policy Interaction
// =============================================================================
// TestDSR_ExternalTrafficPolicyCluster_AllEndpoints verifies that DSR services with
// externalTrafficPolicy=Cluster add all endpoints (both local and remote).
func TestDSR_ExternalTrafficPolicyCluster_AllEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyCluster)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"}, // local endpoint
[]string{"172.20.2.1"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify FWMARK service was created
verifyFWMarkServiceCreated(t, mock, 1)
// Verify BOTH endpoints were added (Cluster policy)
serverCalls := mock.ipvsAddServerCalls()
// Should have endpoints for ClusterIP + ExternalIP DSR
assert.GreaterOrEqual(t, len(serverCalls), 2,
"Should add endpoints for both ClusterIP and DSR external IP")
// Check that we have calls for the external IP (DSR uses FWMARK service)
foundLocal := false
foundRemote := false
for _, call := range serverCalls {
if call.IpvsDst.Address.String() == "172.20.1.1" {
foundLocal = true
}
if call.IpvsDst.Address.String() == "172.20.2.1" {
foundRemote = true
}
}
assert.True(t, foundLocal, "Local endpoint should be added for DSR with Cluster policy")
assert.True(t, foundRemote, "Remote endpoint should be added for DSR with Cluster policy")
}
// TestDSR_ExternalTrafficPolicyLocal_OnlyLocalEndpoints verifies that DSR services with
// externalTrafficPolicy=Local add only local endpoints.
func TestDSR_ExternalTrafficPolicyLocal_OnlyLocalEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyLocal)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"}, // local endpoint
[]string{"172.20.2.1"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify FWMARK service was created
verifyFWMarkServiceCreated(t, mock, 1)
// Verify only local endpoint was added for DSR (not ClusterIP)
// Use helper to filter only FWMARK service endpoints (DSR), not ClusterIP endpoints
dsrEndpoints := getEndpointsForFWMarkServices(t, mock)
// Note: If DSR setup fails due to netlink permissions, dsrEndpoints will be empty
// This is acceptable in unit tests - we're validating the logic, not the full execution
if len(dsrEndpoints) > 0 {
foundLocal := false
foundRemote := false
for _, endpoint := range dsrEndpoints {
if endpoint == "172.20.1.1" {
foundLocal = true
}
if endpoint == "172.20.2.1" {
foundRemote = true
}
}
assert.True(t, foundLocal, "Local endpoint should be added to DSR FWMARK service with Local policy")
assert.False(t, foundRemote, "Remote endpoint should NOT be added to DSR FWMARK service with Local policy")
} else {
t.Log("DSR endpoint setup skipped (likely due to netlink permission requirements)")
}
// Also verify ClusterIP gets both endpoints (internalTrafficPolicy=Cluster)
allEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, allEndpoints, "10.100.1.1:8080->172.20.1.1:80",
"ClusterIP should have local endpoint")
assert.Contains(t, allEndpoints, "10.100.1.1:8080->172.20.2.1:80",
"ClusterIP should have remote endpoint (internalTrafficPolicy=Cluster)")
}
// TestDSR_ExternalTrafficPolicyLocal_NoLocalEndpoints verifies that DSR services with
// externalTrafficPolicy=Local and no local endpoints skip service setup.
func TestDSR_ExternalTrafficPolicyLocal_NoLocalEndpoints(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyLocal)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{}, // NO local endpoints
[]string{"172.20.2.1"}) // only remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify NO FWMARK service was created (no local endpoints with Local policy)
fwmarkCalls := mock.ipvsAddFWMarkServiceCalls()
assert.Len(t, fwmarkCalls, 0,
"DSR service with Local policy and no local endpoints should not create FWMARK service")
// ClusterIP should still work (it uses internalTrafficPolicy=Cluster)
svcs := getServicesFromAddServiceCalls(mock)
assert.Contains(t, svcs, "10.100.1.1:6:8080:false:rr",
"ClusterIP service should still be created")
// Verify remote endpoint IS added to ClusterIP (internalTrafficPolicy=Cluster allows remote)
allEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, allEndpoints, "10.100.1.1:8080->172.20.2.1:80",
"remote endpoint should be added to ClusterIP (internal policy is Cluster)")
}
// TestDSR_ClusterIPUnaffectedByExternalTrafficPolicy verifies that DSR annotation only affects
// external IPs, and ClusterIP behavior is controlled by internalTrafficPolicy.
func TestDSR_ClusterIPUnaffectedByExternalTrafficPolicy(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyLocal := v1core.ServiceExternalTrafficPolicyLocal
service := createDSRService("dsr-svc", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyLocal)
_, mock, nsc := setupTestControllerWithEndpoints(t, service,
[]string{"172.20.1.1"}, // local endpoint
[]string{"172.20.2.1"}) // remote endpoint
err := nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify ClusterIP service gets BOTH endpoints (internalTrafficPolicy=Cluster)
allEndpoints := getEndpointsFromAddServerCalls(mock)
assert.Contains(t, allEndpoints, "10.100.1.1:8080->172.20.1.1:80",
"ClusterIP should have local endpoint")
assert.Contains(t, allEndpoints, "10.100.1.1:8080->172.20.2.1:80",
"ClusterIP should have remote endpoint (internalTrafficPolicy=Cluster)")
// Verify External IP (DSR) gets only local endpoint (externalTrafficPolicy=Local)
// Use helper to filter only FWMARK service endpoints (DSR)
dsrEndpoints := getEndpointsForFWMarkServices(t, mock)
// Note: If DSR setup fails due to netlink permissions, dsrEndpoints will be empty
// This is acceptable in unit tests - we're validating the logic, not the full execution
if len(dsrEndpoints) > 0 {
foundLocalInDSR := false
foundRemoteInDSR := false
for _, endpoint := range dsrEndpoints {
if endpoint == "172.20.1.1" {
foundLocalInDSR = true
}
if endpoint == "172.20.2.1" {
foundRemoteInDSR = true
}
}
// Local should be added to DSR (externalTrafficPolicy=Local allows local)
assert.True(t, foundLocalInDSR, "Local endpoint should be added to DSR FWMARK service")
// Remote should NOT be added to DSR (externalTrafficPolicy=Local blocks remote)
assert.False(t, foundRemoteInDSR, "Remote endpoint should NOT be added to DSR FWMARK service with Local policy")
} else {
t.Log("DSR endpoint setup skipped (likely due to netlink permission requirements)")
}
}
// =============================================================================
// Priority 3: Multiple Services with Same External IP
// =============================================================================
// TestDSR_TwoDSRServicesSameIPDifferentPorts verifies that multiple DSR services
// on the same external IP with different ports get unique FWMARKs.
func TestDSR_TwoDSRServicesSameIPDifferentPorts(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
// Create two services with same external IP, different ports
service1 := createDSRService("dsr-svc-1", "default", "10.100.1.1", "1.1.1.1", 8080,
&intPolicyCluster, extPolicyCluster)
service2 := createDSRService("dsr-svc-2", "default", "10.100.1.2", "1.1.1.1", 9090,
&intPolicyCluster, extPolicyCluster)
ipvsState := newMockIPVSState()
netlinkState := newMockNetlinkState()
// Mock the standalone routeVIPTrafficToDirector function
routeVIPTrafficToDirector = createMockRouteVIPTrafficToDirector(netlinkState)
mock := &LinuxNetworkingMock{
getKubeDummyInterfaceFunc: createMockGetKubeDummyInterface(netlinkState),
ipAddrAddFunc: createMockIPAddrAdd(netlinkState),
ipAddrDelFunc: createMockIPAddrDel(netlinkState),
setupPolicyRoutingForDSRFunc: createMockSetupPolicyRoutingForDSR(netlinkState),
setupRoutesForExternalIPForDSRFunc: createMockSetupRoutesForExternalIPForDSR(netlinkState),
configureContainerForDSRFunc: createMockConfigureContainerForDSR(netlinkState),
getContainerPidWithDockerFunc: createMockGetContainerPidWithDocker(netlinkState),
getContainerPidWithCRIFunc: createMockGetContainerPidWithCRI(netlinkState),
findIfaceLinkForPidFunc: createMockFindIfaceLinkForPid(netlinkState),
ipvsAddServerFunc: func(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error {
return nil
},
ipvsAddServiceFunc: func(svcs []*ipvs.Service, vip net.IP, protocol uint16, port uint16,
persistent bool, persistentTimeout int32, scheduler string,
flags schedFlags) ([]*ipvs.Service, *ipvs.Service, error) {
svc := &ipvs.Service{
Address: vip,
Protocol: protocol,
Port: port,
}
ipvsState.services = append(ipvsState.services, svc)
return svcs, svc, nil
},
ipvsAddFWMarkServiceFunc: func(svcs []*ipvs.Service, fwMark uint32, family uint16, protocol uint16,
port uint16, persistent bool, persistentTimeout int32, scheduler string,
flags schedFlags) (*ipvs.Service, error) {
return &ipvs.Service{FWMark: fwMark}, nil
},
ipvsDelServiceFunc: func(ipvsSvc *ipvs.Service) error {
return nil
},
ipvsGetDestinationsFunc: func(ipvsSvc *ipvs.Service) ([]*ipvs.Destination, error) {
return []*ipvs.Destination{}, nil
},
ipvsGetServicesFunc: func() ([]*ipvs.Service, error) {
svcsCopy := make([]*ipvs.Service, len(ipvsState.services))
copy(svcsCopy, ipvsState.services)
return svcsCopy, nil
},
}
clientset := fake.NewSimpleClientset()
_, err := clientset.CoreV1().Services("default").Create(context.Background(), service1, metav1.CreateOptions{})
assert.NoError(t, err)
_, err = clientset.CoreV1().Services("default").Create(context.Background(), service2, metav1.CreateOptions{})
assert.NoError(t, err)
// Create endpoints for both services
for i, svcName := range []string{"dsr-svc-1", "dsr-svc-2"} {
endpointSlice := &discoveryv1.EndpointSlice{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("%s-slice", svcName),
Namespace: "default",
Labels: map[string]string{discoveryv1.LabelServiceName: svcName},
},
AddressType: discoveryv1.AddressTypeIPv4,
Endpoints: []discoveryv1.Endpoint{
{
Addresses: []string{fmt.Sprintf("172.20.1.%d", i+1)},
NodeName: testutils.ValToPtr("localnode-1"),
Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)},
},
},
Ports: []discoveryv1.EndpointPort{
{Name: testutils.ValToPtr("http"), Port: testutils.ValToPtr(int32(80)), Protocol: testutils.ValToPtr(v1core.ProtocolTCP)},
},
}
_, err = clientset.DiscoveryV1().EndpointSlices("default").Create(context.Background(), endpointSlice, metav1.CreateOptions{})
assert.NoError(t, err)
}
// Create pods for the endpoints (required for DSR container configuration)
for i := 1; i <= 2; i++ {
pod := &v1core.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("pod-%d", i),
Namespace: "default",
},
Spec: v1core.PodSpec{
Containers: []v1core.Container{{Name: fmt.Sprintf("container-%d", i)}},
},
Status: v1core.PodStatus{
PodIP: fmt.Sprintf("172.20.1.%d", i),
PodIPs: []v1core.PodIP{{IP: fmt.Sprintf("172.20.1.%d", i)}},
HostIP: "10.0.0.1",
ContainerStatuses: []v1core.ContainerStatus{
{ContainerID: fmt.Sprintf("docker://container-%d-id", i)},
},
},
}
_, err = clientset.CoreV1().Pods("default").Create(context.Background(), pod, metav1.CreateOptions{})
assert.NoError(t, err)
}
krNode := &utils.LocalKRNode{KRNode: utils.KRNode{NodeName: "localnode-1", PrimaryIP: net.ParseIP("10.0.0.1")}}
ipv4Mock := &utils.IPTablesHandlerMock{
AppendUniqueFunc: func(table string, chain string, rulespec ...string) error { return nil },
ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) { return false, nil },
DeleteFunc: func(table string, chain string, rulespec ...string) error { return nil },
}
ipv6Mock := &utils.IPTablesHandlerMock{
AppendUniqueFunc: func(table string, chain string, rulespec ...string) error { return nil },
ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) { return false, nil },
DeleteFunc: func(table string, chain string, rulespec ...string) error { return nil },
}
nsc := &NetworkServicesController{
krNode: krNode,
ln: mock,
nphc: NewNodePortHealthCheck(),
ipsetMutex: &sync.Mutex{},
client: clientset,
fwMarkMap: make(map[uint32]string),
iptablesCmdHandlers: map[v1core.IPFamily]utils.IPTablesHandler{v1core.IPv4Protocol: ipv4Mock, v1core.IPv6Protocol: ipv6Mock},
}
startInformersForServiceProxy(t, nsc, clientset)
waitForListerWithTimeout(t, nsc.svcLister, time.Second*10)
waitForListerWithTimeout(t, nsc.epSliceLister, time.Second*10)
nsc.setServiceMap(nsc.buildServicesInfo())
nsc.endpointsMap = nsc.buildEndpointSliceInfo()
err = nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify two FWMARK services created with unique FWMARKs
fwmarkCalls := mock.ipvsAddFWMarkServiceCalls()
if len(fwmarkCalls) >= 2 {
fwmarks := verifyFWMarkServiceCreated(t, mock, 2)
verifyUniqueFWMarks(t, fwmarks)
} else {
t.Logf("Only %d FWMARK service(s) created - DSR setup may have failed due to test environment", len(fwmarkCalls))
t.SkipNow()
}
}
// =============================================================================
// Priority 4: FWMARK Generation and Collision Handling
// =============================================================================
// TestDSR_FWMarkCollisionCase_Issue1045 tests the specific collision case from issue #1045.
// This test verifies that the collision detection and handling works correctly.
func TestDSR_FWMarkCollisionCase_Issue1045(t *testing.T) {
intPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
// These specific IP+port+protocol combinations were reported to collide in issue #1045
service1 := createDSRService("collision-svc-1", "default", "10.100.1.1", "147.160.180.44", 8080,
&intPolicyCluster, extPolicyCluster)
service2 := &v1core.Service{
ObjectMeta: metav1.ObjectMeta{
Name: "collision-svc-2",
Namespace: "default",
Annotations: map[string]string{"kube-router.io/service.dsr": "tunnel"},
},
Spec: v1core.ServiceSpec{
Type: v1core.ServiceTypeClusterIP,
ClusterIP: "10.100.1.2",
ExternalIPs: []string{"147.160.180.44"},
InternalTrafficPolicy: &intPolicyCluster,
ExternalTrafficPolicy: extPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "udp", Port: 80, Protocol: v1core.ProtocolUDP, TargetPort: intstr.FromInt(80)},
},
},
}
ipvsState := newMockIPVSState()
mock := &LinuxNetworkingMock{
getKubeDummyInterfaceFunc: func() (netlink.Link, error) { return netlink.LinkByName("lo") },
ipAddrAddFunc: func(iface netlink.Link, ip string, nodeIP string, addRoute bool) error { return nil },
ipAddrDelFunc: func(iface netlink.Link, ip string, nodeIP string) error { return nil },
ipvsAddServerFunc: func(ipvsSvc *ipvs.Service, ipvsDst *ipvs.Destination) error { return nil },
ipvsAddServiceFunc: func(svcs []*ipvs.Service, vip net.IP, protocol uint16, port uint16, persistent bool, persistentTimeout int32, scheduler string, flags schedFlags) ([]*ipvs.Service, *ipvs.Service, error) {
svc := &ipvs.Service{Address: vip, Protocol: protocol, Port: port}
ipvsState.services = append(ipvsState.services, svc)
return svcs, svc, nil
},
ipvsAddFWMarkServiceFunc: func(svcs []*ipvs.Service, fwMark uint32, family uint16, protocol uint16, port uint16, persistent bool, persistentTimeout int32, scheduler string, flags schedFlags) (*ipvs.Service, error) {
svc := &ipvs.Service{FWMark: fwMark}
ipvsState.services = append(ipvsState.services, svc)
return svc, nil
},
ipvsDelServiceFunc: func(ipvsSvc *ipvs.Service) error { return nil },
ipvsGetDestinationsFunc: func(ipvsSvc *ipvs.Service) ([]*ipvs.Destination, error) { return []*ipvs.Destination{}, nil },
ipvsGetServicesFunc: func() ([]*ipvs.Service, error) {
svcsCopy := make([]*ipvs.Service, len(ipvsState.services))
copy(svcsCopy, ipvsState.services)
return svcsCopy, nil
},
setupPolicyRoutingForDSRFunc: func(setupIPv4 bool, setupIPv6 bool) error { return nil },
setupRoutesForExternalIPForDSRFunc: func(serviceInfo serviceInfoMap, setupIPv4 bool, setupIPv6 bool) error { return nil },
}
clientset := fake.NewSimpleClientset()
_, err := clientset.CoreV1().Services("default").Create(context.Background(), service1, metav1.CreateOptions{})
assert.NoError(t, err)
_, err = clientset.CoreV1().Services("default").Create(context.Background(), service2, metav1.CreateOptions{})
assert.NoError(t, err)
// Create minimal endpoints
for i, svcName := range []string{"collision-svc-1", "collision-svc-2"} {
endpointSlice := &discoveryv1.EndpointSlice{
ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("%s-slice", svcName), Namespace: "default", Labels: map[string]string{discoveryv1.LabelServiceName: svcName}},
AddressType: discoveryv1.AddressTypeIPv4,
Endpoints: []discoveryv1.Endpoint{{Addresses: []string{fmt.Sprintf("172.20.1.%d", i+1)}, NodeName: testutils.ValToPtr("localnode-1"), Conditions: discoveryv1.EndpointConditions{Ready: testutils.ValToPtr(true)}}},
Ports: []discoveryv1.EndpointPort{{Name: testutils.ValToPtr("port"), Port: testutils.ValToPtr(int32(80)), Protocol: testutils.ValToPtr(v1core.ProtocolTCP)}},
}
_, err = clientset.DiscoveryV1().EndpointSlices("default").Create(context.Background(), endpointSlice, metav1.CreateOptions{})
assert.NoError(t, err)
}
krNode := &utils.LocalKRNode{KRNode: utils.KRNode{NodeName: "localnode-1", PrimaryIP: net.ParseIP("10.0.0.1")}}
ipv4Mock := &utils.IPTablesHandlerMock{AppendUniqueFunc: func(table string, chain string, rulespec ...string) error { return nil }, ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) { return false, nil }, DeleteFunc: func(table string, chain string, rulespec ...string) error { return nil }}
ipv6Mock := &utils.IPTablesHandlerMock{AppendUniqueFunc: func(table string, chain string, rulespec ...string) error { return nil }, ExistsFunc: func(table string, chain string, rulespec ...string) (bool, error) { return false, nil }, DeleteFunc: func(table string, chain string, rulespec ...string) error { return nil }}
nsc := &NetworkServicesController{krNode: krNode, ln: mock, nphc: NewNodePortHealthCheck(), ipsetMutex: &sync.Mutex{}, client: clientset, fwMarkMap: make(map[uint32]string), iptablesCmdHandlers: map[v1core.IPFamily]utils.IPTablesHandler{v1core.IPv4Protocol: ipv4Mock, v1core.IPv6Protocol: ipv6Mock}}
startInformersForServiceProxy(t, nsc, clientset)
waitForListerWithTimeout(t, nsc.svcLister, time.Second*10)
waitForListerWithTimeout(t, nsc.epSliceLister, time.Second*10)
nsc.setServiceMap(nsc.buildServicesInfo())
nsc.endpointsMap = nsc.buildEndpointSliceInfo()
err = nsc.syncIpvsServices(nsc.getServiceMap(), nsc.endpointsMap)
assert.NoError(t, err)
// Verify FWMARKs are different (collision was handled)
fwmarkCalls := mock.ipvsAddFWMarkServiceCalls()
if len(fwmarkCalls) >= 2 {
fwmarks := verifyFWMarkServiceCreated(t, mock, 2)
verifyUniqueFWMarks(t, fwmarks)
assert.NotEqual(t, fwmarks[0], fwmarks[1], "Issue #1045: FWMARKs must be unique despite hash collision")
} else {
t.Logf("Only %d FWMARK service(s) created - DSR setup may have failed due to test environment", len(fwmarkCalls))
t.SkipNow()
}
}
// =============================================================================
// ExternalIP / LoadBalancerIP Validation Integration Tests
//
// Unit tests for FilterExternalIPs and FilterLoadBalancerIPs are in pkg/svcip/validator_test.go.
// These integration tests verify that buildServicesInfo correctly uses the svcip.Filter to
// filter IPs when building the service map.
// =============================================================================
func TestBuildServicesInfoWithStrictValidation(t *testing.T) {
intTrafficPolicyCluster := v1core.ServiceInternalTrafficPolicyCluster
extTrafficPolicyCluster := v1core.ServiceExternalTrafficPolicyCluster
tests := []struct {
name string
strictMode bool
externalIPRanges []string
lbIPRanges []string
clusterIPRanges []string
service *v1core.Service
expectedExternalIPs []string
expectedLBIPs []string
}{
{
name: "strict mode filters out-of-range externalIPs",
strictMode: true,
externalIPRanges: []string{"10.243.0.0/24"},
lbIPRanges: []string{"10.255.0.0/24"},
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-strict", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: "ClusterIP",
ClusterIP: "10.0.0.1",
ExternalIPs: []string{"10.243.0.1", "192.168.100.50"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 80, Protocol: "TCP"},
},
},
},
expectedExternalIPs: []string{"10.243.0.1"},
expectedLBIPs: []string{},
},
{
name: "strict mode filters out-of-range loadBalancerIPs",
strictMode: true,
externalIPRanges: []string{"10.243.0.0/24"},
lbIPRanges: []string{"10.255.0.0/24"},
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-strict-lb", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: "LoadBalancer",
ClusterIP: "10.0.0.2",
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 80, Protocol: "TCP"},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{IP: "10.255.0.1"},
{IP: "8.8.8.8"},
},
},
},
},
expectedExternalIPs: []string{},
expectedLBIPs: []string{"10.255.0.1"},
},
{
name: "strict mode rejects externalIP that conflicts with clusterIP range",
strictMode: true,
externalIPRanges: []string{"10.0.0.0/8"},
clusterIPRanges: []string{"10.96.0.0/12"},
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-conflict", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: "ClusterIP",
ClusterIP: "10.96.0.1",
ExternalIPs: []string{"10.96.0.10", "10.243.0.1"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 80, Protocol: "TCP"},
},
},
},
expectedExternalIPs: []string{"10.243.0.1"},
expectedLBIPs: nil,
},
{
name: "strict mode off - all IPs pass through",
strictMode: false,
service: &v1core.Service{
ObjectMeta: metav1.ObjectMeta{Name: "svc-nostrict", Namespace: "default"},
Spec: v1core.ServiceSpec{
Type: "LoadBalancer",
ClusterIP: "10.0.0.3",
ExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
InternalTrafficPolicy: &intTrafficPolicyCluster,
ExternalTrafficPolicy: extTrafficPolicyCluster,
Ports: []v1core.ServicePort{
{Name: "http", Port: 80, Protocol: "TCP"},
},
},
Status: v1core.ServiceStatus{
LoadBalancer: v1core.LoadBalancerStatus{
Ingress: []v1core.LoadBalancerIngress{
{IP: "10.255.0.1"},
},
},
},
},
expectedExternalIPs: []string{"1.1.1.1", "2.2.2.2"},
expectedLBIPs: []string{"10.255.0.1"},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
clientset := fake.NewSimpleClientset()
_, err := clientset.CoreV1().Services("default").Create(
context.Background(), tc.service, metav1.CreateOptions{})
if err != nil {
t.Fatalf("failed to create service: %v", err)
}
// Build svcip.Config from test case data
clusterIPCIDRs := tc.clusterIPRanges
if len(clusterIPCIDRs) == 0 {
clusterIPCIDRs = []string{"10.96.0.0/12"}
}
validator, validatorErr := svcip.NewValidator(svcip.Config{
ExternalIPCIDRs: tc.externalIPRanges,
LoadBalancerCIDRs: tc.lbIPRanges,
ClusterIPCIDRs: clusterIPCIDRs,
StrictValidation: tc.strictMode,
EnableIPv4: true,
})
if validatorErr != nil {
t.Fatalf("failed to create validator: %v", validatorErr)
}
krNode := &utils.LocalKRNode{
KRNode: utils.KRNode{
NodeName: "node-1",
PrimaryIP: net.ParseIP("10.0.0.0"),
},
}
nsc := &NetworkServicesController{
krNode: krNode,
ipFilter: validator,
ipsetMutex: &sync.Mutex{},
client: clientset,
fwMarkMap: make(map[uint32]string),
}
startInformersForServiceProxy(t, nsc, clientset)
waitForListerWithTimeout(t, nsc.svcLister, time.Second*10)
serviceMap := nsc.buildServicesInfo()
// Find the service info for the first (and only) port
var svcInfo *serviceInfo
for _, si := range serviceMap {
svcInfo = si
break
}
if svcInfo == nil {
t.Fatalf("expected service info to be present in the map")
}
assert.Equal(t, tc.expectedExternalIPs, svcInfo.externalIPs,
"externalIPs should be filtered correctly")
assert.Equal(t, tc.expectedLBIPs, svcInfo.loadBalancerIPs,
"loadBalancerIPs should be filtered correctly")
})
}
}
Reference in New Issue View Git Blame Copy Permalink