Zenithar/chaos controller/full bpf network filter

.github/workflows/ci.yml

@@ -128,16 +128,7 @@ jobs:
       - name: Run e2e tests
         env:
           DATADOG_API_KEY: ${{ steps.dd-sts.outputs.api_key || '' }}
-        run: |
-          for attempt in 1 2 3; do
-            echo "=== Attempt ${attempt}/3 ==="
-            if make e2e-test KUBECTL="minikube kubectl --" E2E_TEST_CLUSTER_NAME="minikube" E2E_TEST_KUBECTL_CONTEXT="minikube"; then
-              exit 0
-            fi
-            echo "Attempt ${attempt} failed"
-          done
-          echo "All 3 attempts failed"
-          exit 1
+        run: make e2e-test KUBECTL="minikube kubectl --" E2E_TEST_CLUSTER_NAME="minikube" E2E_TEST_KUBECTL_CONTEXT="minikube"
       - name: Save controller logs
         if: always()
         run: |

.gitignore

@@ -17,6 +17,7 @@ docker-metadata.json
 
 # Test binary, build with `go test -c`
 *.test
+bin/integration.test
 
 # Test dir, autocreated for envtest
 testbin/

.spelling

@@ -1,41 +1,20 @@
-# Format - lines beginning # are comments
 # a markdown-spellcheck spelling configuration file
+# Format - lines beginning # are comments
 # global dictionary is at the start, file overrides afterwards
 # one word per line, to define a file override use ' - filename'
 # where filename is relative to this configuration file
 1.20.x
 15m30s
 45s
 4h30m
-AllowRootDiskFailure
-AtLeastOneOf
-ClusterIP
-ClusterRole
-DaemonSet
-DisableCountTooLarge
-DisableNeitherHostNorPort
-DynamicTargeting
-ExclusiveFields
-IPs
-IgnoreName
-LICENSE-3rdparty
-LinkedFields
-LinkedFieldsValue
-LinkedFieldsValueWithTrigger
-Meowmix
-OnInit
-PIDs
-QoS
-README.md
-SIGKILL
-SIGTERM
-StaticTargeting
 actioned
+AllowRootDiskFailure
 api
 apis
 apiserver
 apiservers
 arg
+AtLeastOneOf
 authentify
 base64
 benchmarked
@@ -46,6 +25,8 @@ cgroup
 cgroups
 chaosli
 cleanup
+ClusterIP
+ClusterRole
 config
 configmap
 configmaps
@@ -54,16 +35,20 @@ containerd
 contributing.md
 cpu
 csv
+DaemonSet
 datadog
 ddmark
 ddmarkers
 demo.yaml
 dequeued
 dequeuing
 dev
+DisableCountTooLarge
+DisableNeitherHostNorPort
 disruptionlistener
 dns
 dogfood
+DynamicTargeting
 e.g.
 eBPF
 ebpf-builder
@@ -75,28 +60,31 @@ enum
 envtest
 eth0
 events.go
+ExclusiveFields
 faq.md
 filepath
 finalizer
 finalizers
-gRPC
 golang's
 golangci-lint
 goog.json
 goroutine
 goroutines
 gpg
-grpc.yaml
+gRPC
 grpc_error.yaml
 grpc_override.yaml
+grpc.yaml
 healthchecks
 hostname
 hostnames
 ie
 iff
+IgnoreName
 information_source
 ip
 ips
+IPs
 iptables
 istio
 json
@@ -107,10 +95,15 @@ kubebuilder
 kubectl
 kubernetes
 libbpf
+LICENSE-3rdparty
 lifecycle
 lima
+LinkedFields
+LinkedFieldsValue
+LinkedFieldsValueWithTrigger
 linux
 liveness
+Meowmix
 metadata
 microservice
 microservices
@@ -120,9 +113,11 @@ nat
 netem
 nginx
 no_entry
+OnInit
 open_book
 openat
 pid
+PIDs
 pre-controller
 pre-run
 prio
@@ -132,14 +127,19 @@ protobuf
 protoc
 qdisc
 qdiscs
+QoS
 re-enqueued
+README.md
 reinjected
 reinjection
 renices
 rollouts
 runtime
 safemode
+SIGKILL
+SIGTERM
 specificities
+StaticTargeting
 storageClasses
 struct
 structs

Dockerfile.integration

@@ -0,0 +1,46 @@
+# Stage 1: build BPF object + bpf-network-disruption binary
+# Mirrors the ebpf-builder stage in bin/injector/Dockerfile.
+FROM ubuntu:24.04 AS ebpf-builder
+
+ARG TARGETARCH
+ARG BUILDGOVERSION=1.26.2
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        curl make clang libelf-dev libbpf-dev llvm && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install Go (same script as injector Dockerfile)
+ENV TARGETARCH=${TARGETARCH} BUILDGOVERSION=${BUILDGOVERSION}
+COPY ./scripts/install-go /tmp/install-go
+RUN /tmp/install-go && rm -f /tmp/install-go
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+WORKDIR /app/ebpf
+RUN make network-disruption
+
+# Stage 2: test runner
+FROM ubuntu:24.04
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        iproute2 iptables wget linux-tools-common linux-tools-generic && \
+    rm -rf /var/lib/apt/lists/*
+# Expose bpftool in PATH: prefer standalone package, fall back to kernel-versioned binary.
+RUN (apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bpftool && \
+     rm -rf /var/lib/apt/lists/*) || \
+    (find /usr/lib/linux-tools -maxdepth 2 -name bpftool 2>/dev/null | head -1 | \
+     xargs -I{} ln -sf {} /usr/local/bin/bpftool) || true
+RUN bpftool version || echo "WARNING: bpftool not available; ingress-shaping tests will skip BPF feature detection"
+
+ARG TARGETARCH
+COPY --from=ebpf-builder /app/bin/injector/ebpf/${TARGETARCH}/bpf-network-disruption \
+    /usr/local/bin/bpf-network-disruption
+COPY --from=ebpf-builder /app/bin/injector/ebpf/${TARGETARCH}/bpf-network-disruption.bpf.o \
+    /usr/local/bin/bpf-network-disruption.bpf.o
+COPY bin/integration.test /integration.test
+ENTRYPOINT ["/integration.test", "-test.v"]

LICENSE-3rdparty.csv

@@ -3,6 +3,7 @@ cyphar.com/go-pathrs,cyphar.com/go-pathrs,MPL-2.0
 cyphar.com/go-pathrs,cyphar.com/go-pathrs/internal/fdutils,MPL-2.0
 cyphar.com/go-pathrs,cyphar.com/go-pathrs/internal/libpathrs,MPL-2.0
 cyphar.com/go-pathrs,cyphar.com/go-pathrs/procfs,MPL-2.0
+dario.cat/mergo,dario.cat/mergo,BSD-3-Clause
 github.com/AdaLogics/go-fuzz-headers,github.com/AdaLogics/go-fuzz-headers,Apache-2.0
 github.com/AdamKorcz/go-118-fuzz-build,github.com/AdamKorcz/go-118-fuzz-build/testing,Apache-2.0
 github.com/AlecAivazis/survey/v2,github.com/AlecAivazis/survey/v2,MIT
@@ -201,6 +202,7 @@ github.com/aquasecurity/libbpfgo/helpers,github.com/aquasecurity/libbpfgo/helper
 github.com/avast/retry-go,github.com/avast/retry-go,MIT
 github.com/beorn7/perks,github.com/beorn7/perks/quantile,MIT
 github.com/cenkalti/backoff,github.com/cenkalti/backoff,MIT
+github.com/cenkalti/backoff/v4,github.com/cenkalti/backoff/v4,MIT
 github.com/cenkalti/backoff/v5,github.com/cenkalti/backoff/v5,MIT
 github.com/cespare/xxhash/v2,github.com/cespare/xxhash/v2,MIT
 github.com/cihub/seelog,github.com/cihub/seelog,BSD-3-Clause
@@ -296,6 +298,7 @@ github.com/containerd/ttrpc,github.com/containerd/ttrpc,Apache-2.0
 github.com/containerd/typeurl/v2,github.com/containerd/typeurl/v2,Apache-2.0
 github.com/coreos/go-iptables,github.com/coreos/go-iptables/iptables,Apache-2.0
 github.com/coreos/go-systemd/v22,github.com/coreos/go-systemd/v22/dbus,Apache-2.0
+github.com/cpuguy83/dockercfg,github.com/cpuguy83/dockercfg,MIT
 github.com/cyphar/filepath-securejoin,github.com/cyphar/filepath-securejoin,BSD-3-Clause
 github.com/cyphar/filepath-securejoin,github.com/cyphar/filepath-securejoin/internal/consts,BSD-3-Clause
 github.com/cyphar/filepath-securejoin,github.com/cyphar/filepath-securejoin/pathrs-lite,BSD-3-Clause
@@ -434,14 +437,45 @@ github.com/leodido/go-urn,github.com/leodido/go-urn/scim/schema,MIT
 github.com/liggitt/tabwriter,github.com/liggitt/tabwriter,BSD-3-Clause
 github.com/linkdata/deadlock,github.com/linkdata/deadlock,MIT
 github.com/lufia/plan9stats,github.com/lufia/plan9stats,BSD-3-Clause
+github.com/magiconair/properties,github.com/magiconair/properties,BSD-2-Clause
 github.com/mattn/go-colorable,github.com/mattn/go-colorable,MIT
 github.com/mattn/go-isatty,github.com/mattn/go-isatty,MIT
 github.com/mgutz/ansi,github.com/mgutz/ansi,MIT
 github.com/miekg/dns,github.com/miekg/dns,BSD-3-Clause
 github.com/minio/simdjson-go,github.com/minio/simdjson-go,Apache-2.0
 github.com/mitchellh/go-homedir,github.com/mitchellh/go-homedir,MIT
 github.com/moby/docker-image-spec,github.com/moby/docker-image-spec/specs-go/v1,Apache-2.0
+github.com/moby/go-archive,github.com/moby/go-archive,Apache-2.0
+github.com/moby/go-archive,github.com/moby/go-archive/compression,Apache-2.0
+github.com/moby/go-archive,github.com/moby/go-archive/tarheader,Apache-2.0
 github.com/moby/locker,github.com/moby/locker,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/pkg/authconfig,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/pkg/stdcopy,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/blkiodev,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/build,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/checkpoint,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/common,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/container,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/events,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/image,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/jsonstream,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/mount,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/network,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/plugin,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/registry,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/storage,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/swarm,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/system,Apache-2.0
+github.com/moby/moby/api,github.com/moby/moby/api/types/volume,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client/internal,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client/internal/mod,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client/internal/timestamp,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client/pkg/jsonmessage,Apache-2.0
+github.com/moby/moby/client,github.com/moby/moby/client/pkg/versions,Apache-2.0
+github.com/moby/patternmatcher,github.com/moby/patternmatcher,Apache-2.0
+github.com/moby/patternmatcher,github.com/moby/patternmatcher/ignorefile,Apache-2.0
 github.com/moby/sys/mountinfo,github.com/moby/sys/mountinfo,Apache-2.0
 github.com/moby/sys/sequential,github.com/moby/sys/sequential,Apache-2.0
 github.com/moby/sys/signal,github.com/moby/sys/signal,Apache-2.0
@@ -567,6 +601,14 @@ github.com/stretchr/testify,github.com/stretchr/testify/assert/yaml,MIT
 github.com/stretchr/testify,github.com/stretchr/testify/mock,MIT
 github.com/stretchr/testify,github.com/stretchr/testify/require,MIT
 github.com/subosito/gotenv,github.com/subosito/gotenv,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/exec,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/internal,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/internal/config,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/internal/core,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/internal/core/network,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/log,MIT
+github.com/testcontainers/testcontainers-go,github.com/testcontainers/testcontainers-go/wait,MIT
 github.com/tidwall/gjson,github.com/tidwall/gjson,MIT
 github.com/tidwall/match,github.com/tidwall/match,MIT
 github.com/tidwall/pretty,github.com/tidwall/pretty,MIT
@@ -645,7 +687,14 @@ go.uber.org/zap,go.uber.org/zap/zaptest,MIT
 go.uber.org/zap,go.uber.org/zap/zaptest/observer,MIT
 go.yaml.in/yaml/v2,go.yaml.in/yaml/v2,Apache-2.0
 go.yaml.in/yaml/v3,go.yaml.in/yaml/v3,Apache-2.0
+golang.org/x/crypto,golang.org/x/crypto/blowfish,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/chacha20,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/curve25519,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/internal/alias,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/internal/poly1305,BSD-3-Clause
 golang.org/x/crypto,golang.org/x/crypto/sha3,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/ssh,BSD-3-Clause
+golang.org/x/crypto,golang.org/x/crypto/ssh/internal/bcrypt_pbkdf,BSD-3-Clause
 golang.org/x/exp,golang.org/x/exp/constraints,BSD-3-Clause
 golang.org/x/mod,golang.org/x/mod/semver,BSD-3-Clause
 golang.org/x/net,golang.org/x/net/bpf,BSD-3-Clause

Makefile

@@ -287,6 +287,19 @@ test: generate-controller manifests
 	$(MAKE) _ginkgo_test GO_TEST_REPORT_NAME=$@ \
 		GINKGO_TEST_ARGS="-r --skip-package=controllers --randomize-suites --timeout=10m $(TEST_ARGS)"
 
+## Run network disruption integration tests (requires Docker Desktop)
+## Full verbose output is written to /tmp/chaos-integration-test.log
+test-integration:
+	GOOS=linux GOARCH=$(GOARCH) go test -c -tags=integration -o bin/integration.test ./injector/
+	docker build -q -f Dockerfile.integration -t chaos-integration-test:local .
+	docker run --rm --privileged --pid=host \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		-e CHAOS_INJECTOR_MOUNT_PROC=/proc/ \
+		-e DOCKER_HOST=unix:///var/run/docker.sock \
+		chaos-integration-test:local -test.run=TestIntegration $(TEST_ARGS) \
+		2>&1 | tee /tmp/chaos-integration-test.log | grep -v "logger.go:[0-9]*:"
+	@echo "Full log: /tmp/chaos-integration-test.log"
+
 spellcheck-deps:
 ifeq (, $(shell which npm))
 	@{\