Ejemplo n.º 1
 def tearDown(self):
     """Delete the test namespace and set the default IPv4 pool to IPIP.

     After applying the pool change, the calico-node pods are deleted and
     the method waits up to two minutes for pods with that label to
     report ready.
     """
     self.delete_and_confirm(self.ns_name, "ns")

     # Force the default pool to IPIP-only encapsulation, whatever the
     # test left behind.
     pool = json.loads(calicoctl("get ippool default-ipv4-ippool -o json"))
     spec = pool["spec"]
     spec["vxlanMode"] = "Never"
     spec["ipipMode"] = "Always"
     calicoctl_apply_dict(pool)

     # Bounce calico-node and block until the pods are ready again.
     kubectl("delete po -n kube-system -l k8s-app=calico-node")
     kubectl("wait --timeout=2m --for=condition=ready"
             " pods -l k8s-app=calico-node -n kube-system")
Ejemplo n.º 2
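    def test_ipip_spoof(self):
        """Check that a spoofed IPIP packet never reaches the target pod.

        The test first confirms that ordinary pod-to-pod traffic is
        delivered (positive control), then sends a spoofed IPIP packet and
        requires that its marker string does not show up in the receiver's
        capture file.

        Raises:
            ConnectionError: if the spoofed packet's marker is found in the
                capture, i.e. the spoofed packet was delivered.
        """
        with DiagsCollector():
            # Switch the default pool to IPIP-only if it is not already, and
            # restart calico-node only when the pool was actually changed.
            default_pool = json.loads(
                calicoctl("get ippool default-ipv4-ippool -o json"))
            spec = default_pool["spec"]
            if spec["vxlanMode"] != "Never" or spec["ipipMode"] != "Always":
                spec["vxlanMode"] = "Never"
                spec["ipipMode"] = "Always"
                calicoctl_apply_dict(default_pool)
                kubectl("delete po -n kube-system -l k8s-app=calico-node")
                kubectl("wait --timeout=2m --for=condition=ready" +
                        " pods -l k8s-app=calico-node -n kube-system")

            # IP of the "access" pod that receives the test traffic.
            remote_pod_ip = retry_until_success(
                self.get_pod_ip, function_args=["access", self.ns_name])
            print(remote_pod_ip)

            # Positive control: with a clean conntrack table, normal traffic
            # must be delivered. Without this, a broken receiver would make
            # the negative check below pass for the wrong reason.
            self.clear_conntrack()
            retry_until_success(self.send_and_check,
                                function_args=["ipip-normal", remote_pod_ip])

            # Start the negative check from a clean conntrack table as well.
            self.clear_conntrack()

            def assert_cannot_spoof_ipip():
                # Send outside the try block: if the sender itself fails,
                # that must surface as an error (and a retry), not be
                # counted as "the spoofed packet was blocked".
                # "10.192.0.3" is presumably the forged outer address;
                # confirm against send_spoofed_ipip_packet.
                self.send_spoofed_ipip_packet(self.ns_name, "scapy",
                                              "10.192.0.3", remote_pod_ip,
                                              "ipip-spoofed")
                try:
                    kubectl(
                        "exec -t -n %s access grep -- ipip-spoofed /root/snoop.txt"
                        % self.ns_name)
                except subprocess.CalledProcessError:
                    # Marker not found in the capture: packet not delivered.
                    # NOTE(review): any non-zero exit lands here, including a
                    # failed exec or a missing capture file. grep exits 1 for
                    # "no match"; checking the exception's returncode would
                    # tighten this if the kubectl helper preserves it.
                    return
                print("ERROR - succeeded in sending spoofed IPIP packet")
                raise ConnectionError

            # Spoofed traffic must NOT be delivered.
            retry_until_success(assert_cannot_spoof_ipip)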