Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SourcesToFilter support for network-blackhole-port fault #4408

Merged
merged 4 commits into from
Oct 23, 2024
Merged

Add SourcesToFilter support for network-blackhole-port fault #4408

merged 4 commits into from
Oct 23, 2024

Conversation

amogh09
Copy link
Contributor

@amogh09 amogh09 commented Oct 23, 2024
edited
Loading

Summary

This PR adds support for SourcesToFilter parameter to network-blackhole-port fault. This field is needed to supply IPs that should be protected from the fault. This will be helpful for certain sidecar containers such as FIS sidecar to protect their service related endpoints from getting impacted by the fault. We already have this for network-latency and network-packet-loss faults.

Implementation details

  • Add new field SourcesToFilter to NetworkFaultRequest
  • Update network-blackhole-port fault injection function so that it loops through SourcesToFilter and adds an ACCEPT rule for each source to the fault chain.
  • Update network-blackhole-port/start request handler so that it adds TMDS IP to SourcesToFilter if the fault is for egress traffic and the port of the fault matches TMDS port. TMDS access is blocked for the task only by egress faults so we need to protect TMDS IP only for egress faults.

Testing

Ran a bunch of manual tests for host and awsvpc network mode tasks. Verified that

  1. IPs provided to the API in SourcesToFilter field are still accessible after an egress network-blackhole-port fault is injected. Other IP on the fault's port are not accessible.
  2. TMDS IP is protected if the fault is of egress type and port 80.

New tests cover the changes: yes

Description for the changelog

Enhancement: Add SourcesToFilter support for network-blackhole-port fault

Additional Information

Does this PR include breaking model changes? If so, Have you added transformation functions?

Does this PR include the addition of new environment variables in the README?

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@amogh09 amogh09 marked this pull request as ready for review October 23, 2024 18:36
@amogh09 amogh09 requested a review from a team as a code owner October 23, 2024 18:36
@amogh09 amogh09 merged commit 75ee48f into aws:dev Oct 23, 2024
40 checks passed
@amogh09 amogh09 mentioned this pull request Oct 24, 2024
Merged
@mye956 mye956 mentioned this pull request Oct 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mye956 mye956 mye956 approved these changes

@xxx0624 xxx0624 xxx0624 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@amogh09 @xxx0624 @mye956 @amazon-ecs-bot