diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
index 5b7c62d47fc..e59d62a441b 100644
--- a/build/charts/antrea/conf/antrea-agent.conf
+++ b/build/charts/antrea/conf/antrea-agent.conf
@@ -179,9 +179,12 @@ trafficEncryptionMode: {{ .Values.trafficEncryptionMode | quote }}
 # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
 enableBridgingMode: {{ .Values.enableBridgingMode }}
 
-# Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the
-# datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.
-# It affects Pods running on Linux Nodes only.
+# Disable TX checksum offloading for container network interfaces and the host gateway interface (default:
+# antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading,
+# which causes packets to be dropped due to bad checksum.
+# If this option is later set to false, Antrea does nothing to the affected container network interfaces
+# and the host gateway interface.
+# This option affects Linux Nodes only.
 disableTXChecksumOffload: {{ .Values.disableTXChecksumOffload }}
 
 # Default MTU to use for the host gateway interface and the network interface of each Pod.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 9f85f6cf239..22de8a05062 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -4143,9 +4143,12 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. + # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: + # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, + # which causes packets to be dropped due to bad checksum. + # If this option is later set to false, Antrea does nothing to the affected container network interfaces + # and the host gateway interface. + # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. @@ -5426,7 +5429,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1 + checksum/config: 388e56a854eeea208528639b25d3312a7f5b5faf03356d3280708cb5cc8e12e4 labels: app: antrea component: antrea-agent @@ -5670,7 +5673,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1 + checksum/config: 388e56a854eeea208528639b25d3312a7f5b5faf03356d3280708cb5cc8e12e4 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index c878bd61a32..ee42c0df047 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml 
@@ -4143,9 +4143,12 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. + # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: + # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, + # which causes packets to be dropped due to bad checksum. + # If this option is later set to false, Antrea does nothing to the affected container network interfaces + # and the host gateway interface. + # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. @@ -5426,7 +5429,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1 + checksum/config: 388e56a854eeea208528639b25d3312a7f5b5faf03356d3280708cb5cc8e12e4 labels: app: antrea component: antrea-agent @@ -5671,7 +5674,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1 + checksum/config: 388e56a854eeea208528639b25d3312a7f5b5faf03356d3280708cb5cc8e12e4 labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index f4ef7a4224e..b8be9e5a7a4 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml 
@@ -4143,9 +4143,12 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. + # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: + # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, + # which causes packets to be dropped due to bad checksum. + # If this option is later set to false, Antrea does nothing to the affected container network interfaces + # and the host gateway interface. + # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. @@ -5426,7 +5429,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: adf1e0f238974d7f83bd321a403f1613ae7e695f06b5366cee645a39141872db + checksum/config: c0243ccae6ee70d94575d6f6ef1fcb6e1a883013aa7f388ff21cc224d099dc1a labels: app: antrea component: antrea-agent @@ -5668,7 +5671,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: adf1e0f238974d7f83bd321a403f1613ae7e695f06b5366cee645a39141872db + checksum/config: c0243ccae6ee70d94575d6f6ef1fcb6e1a883013aa7f388ff21cc224d099dc1a labels: app: antrea component: antrea-controller diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 22a7422381d..a65d69e5bd6 100644 --- a/build/yamls/antrea-ipsec.yml 
+++ b/build/yamls/antrea-ipsec.yml @@ -4156,9 +4156,12 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. + # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: + # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, + # which causes packets to be dropped due to bad checksum. + # If this option is later set to false, Antrea does nothing to the affected container network interfaces + # and the host gateway interface. + # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. @@ -5439,7 +5442,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9b14e08a59181e975a2326f4ef4a7c55a1640027bda93ad0ee09fe2ef18b7491 + checksum/config: d8019562e8ef204a75dc7b3966ff7f1e7e4e47d86161171fe1d43a13600a78f5 checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4 labels: app: antrea @@ -5727,7 +5730,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: 9b14e08a59181e975a2326f4ef4a7c55a1640027bda93ad0ee09fe2ef18b7491 + checksum/config: d8019562e8ef204a75dc7b3966ff7f1e7e4e47d86161171fe1d43a13600a78f5 labels: app: antrea component: antrea-controller 
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index ba3935fa4c1..88dc0b34158 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -4143,9 +4143,12 @@ data: # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. enableBridgingMode: false - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. + # Disable TX checksum offloading for container network interfaces and the host gateway interface (default: + # antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading, + # which causes packets to be dropped due to bad checksum. + # If this option is later set to false, Antrea does nothing to the affected container network interfaces + # and the host gateway interface. + # This option affects Linux Nodes only. disableTXChecksumOffload: false # Default MTU to use for the host gateway interface and the network interface of each Pod. @@ -5426,7 +5429,7 @@ spec: kubectl.kubernetes.io/default-container: antrea-agent # Automatically restart Pods with a RollingUpdate if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: afc566f7a719f6dd3ff30e3b495df2e4f5991e5a8d0696f891dc9c77ce795e2f + checksum/config: d4cab5020ef7dc2de75299b210a1e1caa92508fac99db48d44f0ae141b5ad9fb labels: app: antrea component: antrea-agent @@ -5668,7 +5671,7 @@ spec: annotations: # Automatically restart Pod if the ConfigMap changes # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments - checksum/config: afc566f7a719f6dd3ff30e3b495df2e4f5991e5a8d0696f891dc9c77ce795e2f + checksum/config: d4cab5020ef7dc2de75299b210a1e1caa92508fac99db48d44f0ae141b5ad9fb labels: app: antrea component: antrea-controller 
diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
index dfd740ed2e0..56e627ca4c6 100644
--- a/cmd/antrea-agent/agent.go
+++ b/cmd/antrea-agent/agent.go
@@ -318,7 +318,8 @@ func run(o *Options) error {
 		connectUplinkToBridge,
 		o.enableAntreaProxy,
 		l7NetworkPolicyEnabled,
-		l7FlowExporterEnabled)
+		l7FlowExporterEnabled,
+		o.config.DisableTXChecksumOffload)
 	err = agentInitializer.Initialize()
 	if err != nil {
 		return fmt.Errorf("error initializing agent: %v", err)
diff --git a/docs/antrea-l7-network-policy.md b/docs/antrea-l7-network-policy.md
index 62fecd80d20..fec1fae31b2 100644
--- a/docs/antrea-l7-network-policy.md
+++ b/docs/antrea-l7-network-policy.md
@@ -34,8 +34,12 @@ This guide demonstrates how to configure layer 7 NetworkPolicy.
 Layer 7 NetworkPolicy was introduced in v1.10 as an alpha feature and is disabled by default. A feature gate, `L7NetworkPolicy`, must be enabled in antrea-controller.conf and antrea-agent.conf in the `antrea-config` ConfigMap.
 
-Additionally, due to the constraint of the application detection engine, TX checksum offloading must be disabled via the
-`disableTXChecksumOffload` option in antrea-agent.conf for the feature to work. An example configuration is as below:
+Additionally, to ensure proper functionality, TX checksum offloading must be disabled for container network interfaces
+and the host gateway interface (default: antrea-gw0) due to the constraint of the application detection engine. Ths can
+be configured using the `disableTXChecksumOffload` option in antrea-agent.conf. Disabling TX checksum offloading ensures
+that TCP connections traverse these interfaces correctly, preventing connection failures and packet loss.
+
+An example configuration is as below:
 
 ```yaml
 apiVersion: v1
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
index 7faa6dd90e2..053325b47aa 100644
--- a/pkg/agent/agent.go
+++ b/pkg/agent/agent.go
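Review bot: The call in run() now passes five consecutive unlabelled bool arguments (`connectUplinkToBridge` through `o.config.DisableTXChecksumOffload`), and nothing at the call site shows which position carries which flag, so a later reordering of the NewInitializer parameters would still compile but silently swap flags. The matching signature change is the `NewInitializer` hunk in pkg/agent/agent.go on this page. Consider grouping these flags into a small options struct passed as one argument, or at least label the positions at the call site, e.g. `o.config.DisableTXChecksumOffload, // disableTXChecksumOffload`. run() starts and ends outside the hunk.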
@@ -109,27 +109,28 @@ var (
 
 // Initializer knows how to setup host networking, OpenVSwitch, and Openflow.
 type Initializer struct {
-	client clientset.Interface
-	crdClient versioned.Interface
-	ovsBridgeClient ovsconfig.OVSBridgeClient
-	ovsCtlClient ovsctl.OVSCtlClient
-	ofClient openflow.Client
-	routeClient route.Interface
-	wireGuardClient wireguard.Interface
-	ifaceStore interfacestore.InterfaceStore
-	ovsBridge string
-	hostGateway string // name of gateway port on the OVS bridge
-	mtu int
-	networkConfig *config.NetworkConfig
-	nodeConfig *config.NodeConfig
-	wireGuardConfig *config.WireGuardConfig
-	egressConfig *config.EgressConfig
-	serviceConfig *config.ServiceConfig
-	l7NetworkPolicyConfig *config.L7NetworkPolicyConfig
-	enableL7NetworkPolicy bool
-	enableL7FlowExporter bool
-	connectUplinkToBridge bool
-	enableAntreaProxy bool
+	client clientset.Interface
+	crdClient versioned.Interface
+	ovsBridgeClient ovsconfig.OVSBridgeClient
+	ovsCtlClient ovsctl.OVSCtlClient
+	ofClient openflow.Client
+	routeClient route.Interface
+	wireGuardClient wireguard.Interface
+	ifaceStore interfacestore.InterfaceStore
+	ovsBridge string
+	hostGateway string // name of gateway port on the OVS bridge
+	mtu int
+	networkConfig *config.NetworkConfig
+	nodeConfig *config.NodeConfig
+	wireGuardConfig *config.WireGuardConfig
+	egressConfig *config.EgressConfig
+	serviceConfig *config.ServiceConfig
+	l7NetworkPolicyConfig *config.L7NetworkPolicyConfig
+	enableL7NetworkPolicy bool
+	enableL7FlowExporter bool
+	connectUplinkToBridge bool
+	enableAntreaProxy bool
+	disableTXChecksumOffload bool
 	// podNetworkWait should be decremented once the Node's network is ready.
 	// The CNI server will wait for it before handling any CNI Add requests.
 	podNetworkWait *utilwait.Group
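Review bot: The new `disableTXChecksumOffload` field is added without a comment, while neighbouring fields such as `hostGateway` say what they hold, and nothing in the struct tells a reader that the flag is acted on only by the Linux build (the agent_windows.go implementation on this page is a no-op). In the code visible on this page the field is read only by setTXChecksumOffloadOnGateway, so a trailing comment like `disableTXChecksumOffload bool // disable TX checksum offload on the host gateway interface; acted on by the Linux implementation only` would document it. The Initializer struct continues past the hunk.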
@@ -166,32 +167,34 @@ func NewInitializer(
 	enableAntreaProxy bool,
 	enableL7NetworkPolicy bool,
 	enableL7FlowExporter bool,
+	disableTXChecksumOffload bool,
 ) *Initializer {
 	return &Initializer{
-		ovsBridgeClient: ovsBridgeClient,
-		ovsCtlClient: ovsCtlClient,
-		client: k8sClient,
-		crdClient: crdClient,
-		ifaceStore: ifaceStore,
-		ofClient: ofClient,
-		routeClient: routeClient,
-		ovsBridge: ovsBridge,
-		hostGateway: hostGateway,
-		mtu: mtu,
-		networkConfig: networkConfig,
-		wireGuardConfig: wireGuardConfig,
-		egressConfig: egressConfig,
-		serviceConfig: serviceConfig,
-		l7NetworkPolicyConfig: &config.L7NetworkPolicyConfig{},
-		podNetworkWait: podNetworkWait,
-		flowRestoreCompleteWait: flowRestoreCompleteWait,
-		stopCh: stopCh,
-		nodeType: nodeType,
-		externalNodeNamespace: externalNodeNamespace,
-		connectUplinkToBridge: connectUplinkToBridge,
-		enableAntreaProxy: enableAntreaProxy,
-		enableL7NetworkPolicy: enableL7NetworkPolicy,
-		enableL7FlowExporter: enableL7FlowExporter,
+		ovsBridgeClient: ovsBridgeClient,
+		ovsCtlClient: ovsCtlClient,
+		client: k8sClient,
+		crdClient: crdClient,
+		ifaceStore: ifaceStore,
+		ofClient: ofClient,
+		routeClient: routeClient,
+		ovsBridge: ovsBridge,
+		hostGateway: hostGateway,
+		mtu: mtu,
+		networkConfig: networkConfig,
+		wireGuardConfig: wireGuardConfig,
+		egressConfig: egressConfig,
+		serviceConfig: serviceConfig,
+		l7NetworkPolicyConfig: &config.L7NetworkPolicyConfig{},
+		podNetworkWait: podNetworkWait,
+		flowRestoreCompleteWait: flowRestoreCompleteWait,
+		stopCh: stopCh,
+		nodeType: nodeType,
+		externalNodeNamespace: externalNodeNamespace,
+		connectUplinkToBridge: connectUplinkToBridge,
+		enableAntreaProxy: enableAntreaProxy,
+		enableL7NetworkPolicy: enableL7NetworkPolicy,
+		enableL7FlowExporter: enableL7FlowExporter,
+		disableTXChecksumOffload: disableTXChecksumOffload,
 	}
 }
 
@@ -706,6 +709,9 @@ func (i *Initializer) setupGatewayInterface() error {
 			return err
 		}
 	}
+	if err := i.setTXChecksumOffloadOnGateway(); err != nil {
+		return err
+	}
 	return nil
 }
 
diff --git a/pkg/agent/agent_linux.go b/pkg/agent/agent_linux.go
index 95c5e6311d1..13f62a0482a 100644
--- a/pkg/agent/agent_linux.go
+++ b/pkg/agent/agent_linux.go
@@ -29,6 +29,7 @@ import (
 	"antrea.io/antrea/pkg/agent/config"
 	"antrea.io/antrea/pkg/agent/interfacestore"
 	"antrea.io/antrea/pkg/agent/util"
+	"antrea.io/antrea/pkg/agent/util/ethtool"
 	"antrea.io/antrea/pkg/apis/crd/v1alpha1"
 	"antrea.io/antrea/pkg/ovs/ovsconfig"
 	utilip "antrea.io/antrea/pkg/util/ip"
@@ -262,3 +263,13 @@ func (i *Initializer) prepareL7EngineInterfaces() error {
 	}
 	return nil
 }
+
+func (i *Initializer) setTXChecksumOffloadOnGateway() error {
+	if i.disableTXChecksumOffload {
+		if err := ethtool.EthtoolTXHWCsumOff(i.hostGateway); err != nil {
+			return fmt.Errorf("error when disabling TX checksum offload on %s: %v", i.hostGateway, err)
+		}
+		klog.InfoS("Disabled TX checksum offload on host gateway interface", "hostGateway", i.hostGateway)
+	}
+	return nil
+}
diff --git a/pkg/agent/agent_windows.go b/pkg/agent/agent_windows.go
index 1429b95c6da..23e55de03dc 100644
--- a/pkg/agent/agent_windows.go
+++ b/pkg/agent/agent_windows.go
@@ -512,3 +512,7 @@ func (i *Initializer) installVMInitialFlows() error {
 func (i *Initializer) prepareL7EngineInterfaces() error {
 	return nil
 }
+
+func (i *Initializer) setTXChecksumOffloadOnGateway() error {
+	return nil
+}
diff --git a/pkg/config/agent/config.go b/pkg/config/agent/config.go
index d87e11d6fc8..8060601afb7 100644
--- a/pkg/config/agent/config.go
+++ b/pkg/config/agent/config.go
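Review bot: `setTXChecksumOffloadOnGateway` in agent_linux.go has no doc comment, and its one-way behaviour — it only ever turns offload off and leaves the interface untouched when the option is false — is stated only in the AgentConfig comment in pkg/config/agent/config.go, far from the code that implements it. Suggest a comment above the function such as `// setTXChecksumOffloadOnGateway disables TX checksum offload on the host gateway interface when disableTXChecksumOffload is set. It never re-enables offload: if the option is later turned off, the interface keeps its current state until it is recreated.` The Windows stub in agent_windows.go would read better with a one-liner like `// TX checksum offload is a Linux-only option; nothing to do on Windows.`. Since setupGatewayInterface presumably runs on every agent start, it is also worth confirming that the ethtool call succeeds when offload is already disabled on the gateway, so that a restart cannot fail initialization on an interface that is already in the desired state.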
@@ -120,9 +120,13 @@ type AgentConfig struct {
 	// IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
 	// `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
 	EnableBridgingMode bool `yaml:"enableBridgingMode,omitempty"`
-	// Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the
-	// datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum.
-	// It affects Pods running on Linux Nodes only.
+	// Disable TX checksum offloading for container network interfaces and the host gateway interface (default:
+	// antrea-gw0). It's supposed to be set to true when the datapath doesn't support TX checksum offloading,
+	// which causes packets to be dropped due to bad checksum.
+	// If this option is later set to false, Antrea does nothing to the affected container network interfaces
+	// and the host gateway interface. To restore the default TX checksum state of the affected interfaces,
+	// it is recommended to delete them and recreate.
+	// This option affects Linux Nodes only.
 	DisableTXChecksumOffload bool `yaml:"disableTXChecksumOffload,omitempty"`
 	// APIPort is the port for the antrea-agent APIServer to serve on.
 	// Defaults to 10350.
diff --git a/test/e2e/l7networkpolicy_test.go b/test/e2e/l7networkpolicy_test.go
index be0cf549c10..da047232523 100644
--- a/test/e2e/l7networkpolicy_test.go
+++ b/test/e2e/l7networkpolicy_test.go
@@ -23,6 +23,7 @@ import (
 	"reflect"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -59,6 +60,9 @@ func TestL7NetworkPolicy(t *testing.T) {
 		}
 	}()
 
+	t.Run("HTTP with large response", func(t *testing.T) {
+		testL7NetworkPolicyHTTPLargeResponse(t, data)
+	})
 	t.Run("HTTP", func(t *testing.T) {
 		testL7NetworkPolicyHTTP(t, data)
 	})
@@ -209,6 +213,7 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) {
 	require.NoError(t, NewPodBuilder(clientPodName, data.testNamespace, agnhostImage).OnNode(nodeName(0)).WithLabels(clientPodLabels).Create(data))
 	_, err := data.podWaitForIPs(defaultTimeout, clientPodName, data.testNamespace)
 	require.NoError(t, err, "Expected IP for Pod '%s'", clientPodName)
+	defer data.DeletePod(data.testNamespace, clientPodName)
 
 	serverPodName := "test-l7-http-server"
 	serverPodLabels := map[string]string{"test-l7-http-e2e": "server"}
@@ -216,6 +221,7 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) {
 	require.NoError(t, NewPodBuilder(serverPodName, data.testNamespace, agnhostImage).OnNode(nodeName(0)).WithCommand(cmd).WithLabels(serverPodLabels).Create(data))
 	podIPs, err := data.podWaitForIPs(defaultTimeout, serverPodName, data.testNamespace)
 	require.NoError(t, err, "Expected IP for Pod '%s'", serverPodName)
+	defer data.DeletePod(data.testNamespace, serverPodName)
 
 	serverIPs := podIPs.AsSlice()
 	l7ProtocolAllowsPathHostname := []crdv1beta1.L7Protocol{
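Review bot: The two added `defer data.DeletePod(...)` calls discard whatever DeletePod returns, so a failed cleanup is never reported, and they are load-bearing here because the new `testL7NetworkPolicyHTTPLargeResponse` subtest (also on this page) reuses the same Pod names `test-l7-http-client-selected` and `test-l7-http-server` and is registered to run first. If DeletePod only issues the delete and returns before the Pod is actually gone, the second subtest's Create can collide with the still-terminating Pod of the first and fail intermittently. Consider checking the result, e.g. `defer func() { assert.NoError(t, data.DeletePod(data.testNamespace, clientPodName)) }()` if it returns an error, waiting for deletion where a helper exists, or simply giving the two subtests distinct Pod names so they cannot race on cleanup. testL7NetworkPolicyHTTP starts and ends outside these hunks.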
@@ -289,6 +295,78 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) {
 	})
 }
 
+func testL7NetworkPolicyHTTPLargeResponse(t *testing.T, data *TestData) {
+	clientPodName := "test-l7-http-client-selected"
+	clientPodLabels := map[string]string{"test-l7-http-e2e": "client"}
+
+	// Create a client Pod on a Node, with the Pod being selected by the test L7 NetworkPolicy as target.
+	require.NoError(t, NewPodBuilder(clientPodName, data.testNamespace, agnhostImage).OnNode(nodeName(0)).WithLabels(clientPodLabels).Create(data))
+	_, err := data.podWaitForIPs(defaultTimeout, clientPodName, data.testNamespace)
+	require.NoError(t, err, "Expected IP for Pod '%s'", clientPodName)
+	defer data.DeletePod(data.testNamespace, clientPodName)
+
+	// Create a hostNetwork server Pod on the same Node, with the Pod being selected by the test NetworkPolicy as the
+	// destination. As a result, the test traffic will go through antrea-gw0.
+	serverPodName := "test-l7-http-server"
+	serverPodLabels := map[string]string{"test-l7-http-e2e": "server"}
+	cmd := []string{"/agnhost", "netexec", "--http-port=8081"}
+	require.NoError(t, NewPodBuilder(serverPodName, data.testNamespace, agnhostImage).
+		WithHostNetwork(true).
+		OnNode(nodeName(0)).
+		WithCommand(cmd).
+		WithLabels(serverPodLabels).
+		Create(data))
+	podIPs, err := data.podWaitForIPs(defaultTimeout, serverPodName, data.testNamespace)
+	require.NoError(t, err, "Expected IP for Pod '%s'", serverPodName)
+	defer data.DeletePod(data.testNamespace, serverPodName)
+	serverIPs := podIPs.AsSlice()
+
+	l7ProtocolAllowsPathShell := []crdv1beta1.L7Protocol{
+		{
+			HTTP: &crdv1beta1.HTTPProtocol{
+				Method: "GET",
+				Path: "/shell*",
+			},
+		},
+	}
+	policyAllowPathShellName := "test-l7-http-allow-path-shell"
+	createL7NetworkPolicy(t, data, true, policyAllowPathShellName, 1, clientPodLabels, serverPodLabels, ProtocolTCP, p8081, l7ProtocolAllowsPathShell)
+	time.Sleep(networkPolicyDelay)
+
+	for _, ip := range serverIPs {
+		baseURL := net.JoinHostPort(ip.String(), strconv.Itoa(int(p8081)))
+		// Verify that the test L7 NetworkPolicy denies access to the "/hostname" path.
+		assert.Eventually(t, func() bool {
+			cmd := []string{"wget", "-O", "-", fmt.Sprintf("%s/%s", baseURL, "hostname"), "-T", "1", "-t", "1"}
+			_, _, err := data.RunCommandFromPod(data.testNamespace, clientPodName, agnhostContainerName, cmd)
+			return err != nil
+		}, 5*time.Second, time.Second)
+
+		// Verify that the test L7 NetworkPolicy allows access to the "/shell" path with large body payload.
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			// Get the MTU of the test client Pod, assuming it's the MTU of the K8s cluster.
+			cmd := []string{"cat", "/sys/class/net/eth0/mtu"}
+			mtuStdout, _, err := data.RunCommandFromPod(data.testNamespace, clientPodName, agnhostContainerName, cmd)
+			if !assert.NoError(t, err) {
+				return
+			}
+			mtu, err := strconv.Atoi(strings.TrimSpace(mtuStdout))
+			if !assert.NoError(t, err) {
+				return
+			}
+
+			// Run the command that makes the test server send an HTTP response with a body larger than the MTU on the
+			// test client Pod.
+			testBodySize := mtu * 2
+			cmd = []string{"curl", "--data-urlencode", fmt.Sprintf(`cmd=head -c %d