Merge pull request #1353 from kmesh-net/revert-1349-auth

kmesh-bot · web-flow · commit 1844e9eb72a2 · 2025-04-28T20:31:09.000+08:00
Revert "e2e test for l4 authorization"
diff --git a/test/e2e/baseline_test.go b/test/e2e/baseline_test.go
@@ -28,7 +28,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"os/exec"
 	"sort"
 	"strings"
 	"testing"
@@ -1156,141 +1155,6 @@ spec:
 		})
 }
 
-func TestAuthorizationL4(t *testing.T) {
-	framework.NewTest(t).Run(func(t framework.TestContext) {
-		t.NewSubTest("L4 Authorization").Run(func(t framework.TestContext) {
-			// Enable authorizaiton offload to xdp.
-
-			if len(apps.ServiceWithWaypointAtServiceGranularity) == 0 {
-				t.Fatal(fmt.Errorf("need at least 1 instance of apps.ServiceWithWaypointAtServiceGranularity"))
-			}
-			src := apps.ServiceWithWaypointAtServiceGranularity[0]
-
-			clients := src.WorkloadsOrFail(t)
-			dst := apps.EnrolledToKmesh
-
-			addresses := clients.Addresses()
-			if len(addresses) < 2 {
-				t.Fatal(fmt.Errorf("need at least 2 clients"))
-			}
-			selectedAddress := addresses[0]
-
-			authzCases := []struct {
-				name string
-				spec string
-			}{
-				{
-					name: "allow",
-					spec: `
-  action: ALLOW
-`,
-				},
-				{
-					name: "deny",
-					spec: `
-  action: DENY
-`,
-				},
-			}
-
-			chooseChecker := func(action string, ip string) echo.Checker {
-				switch action {
-				case "allow":
-					if ip != selectedAddress {
-						return check.NotOK()
-					} else {
-						return check.OK()
-					}
-				case "deny":
-					if ip != selectedAddress {
-						return check.OK()
-					} else {
-						return check.NotOK()
-					}
-				default:
-					t.Fatal("invalid action")
-				}
-
-				return check.OK()
-			}
-
-			count := 0
-			workloads := dst.WorkloadsOrFail(t)
-			for _, client := range workloads {
-				if count == len(workloads) {
-					break
-				}
-				podName := client.PodName()
-				namespace := apps.Namespace.Name()
-				timeout := time.After(5 * time.Second)
-				ticker := time.NewTicker(500 * time.Millisecond)
-				defer ticker.Stop()
-			InnerLoop:
-				for {
-					select {
-					case <-timeout:
-						t.Fatalf("Timeout: XDP eBPF program not found on pod %s", podName)
-					case <-ticker.C:
-						cmd := exec.Command("kubectl", "exec", "-n", namespace, podName, "--", "sh", "-c", "ip a | grep xdp")
-						output, err := cmd.CombinedOutput()
-						if err == nil && len(output) > 0 {
-							t.Logf("XDP program is loaded on pod %s", podName)
-							count++
-							break InnerLoop
-						}
-						t.Logf("Waiting for XDP program to load on pod %s: %v", podName, err)
-					}
-				}
-			}
-
-			for _, tc := range authzCases {
-				t.ConfigIstio().Eval(apps.Namespace.Name(), map[string]string{
-					"Destination": dst.Config().Service,
-					"Ip":          selectedAddress,
-				}, `apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: policy
-spec:
-  selector:
-    matchLabels:
-      app: "{{.Destination}}"
-`+tc.spec+`
-  rules:
-  - from:
-    - source:
-        ipBlocks:
-        - "{{.Ip}}"
-`).ApplyOrFail(t)
-
-				for _, client := range clients {
-					opt := echo.CallOptions{
-						To:                      dst,
-						Port:                    echo.Port{Name: "tcp"},
-						Scheme:                  scheme.TCP,
-						NewConnectionPerRequest: true,
-						// Due to the mechanism of Kmesh L4 authorization, we need to set the timeout slightly longer.
-						Timeout: time.Minute * 2,
-					}
-
-					var name string
-					if client.Address() != selectedAddress {
-						name = tc.name + ", not selected address"
-					} else {
-						name = tc.name + ", selected address"
-					}
-
-					opt.Check = chooseChecker(tc.name, client.Address())
-
-					t.NewSubTestf("%v", name).Run(func(t framework.TestContext) {
-						src.WithWorkloads(client).CallOrFail(t, opt)
-					})
-				}
-			}
-		})
-	})
-}
-
 func getSupportedIPFamilies(t framework.TestContext) (v4 bool, v6 bool) {
 	addrs := apps.All.WorkloadsOrFail(t).Addresses()
 	for _, a := range addrs {
