
fix(just): pre-create cilium connectivity-test namespaces privileged#212

Merged
jvcorredor merged 2 commits into
mainfrom
homelab-211-smoke-cilium-psa-labels
May 17, 2026

Conversation

@jvcorredor

@jvcorredor jvcorredor commented May 17, 2026

Member

Summary

just smoke always failed at the smoke-cilium step. cilium-cli creates its test namespaces — cilium-test-1 plus the cilium-test-ccnp* pair for the CiliumClusterwideNetworkPolicy tests — with no PodSecurity labels, so they inherit the cluster-wide default Talos ships (enforce: baseline). The connectivity-test fixtures require NET_RAW, hostNetwork, and hostPort, all forbidden under baseline:

pods "client-...-88p57" is forbidden: violates PodSecurity "baseline:latest":
non-default capabilities (container "client" must not include "NET_RAW")

Every test pod was rejected at admission, the deployments never got a replica, and cilium-cli timed out (replicas count is zero).

Fix

The smoke-cilium recipe now pre-creates all three test namespaces labelled privileged before invoking cilium connectivity test; cilium-cli reuses an existing namespace as-is.

cilium-cli's --namespace-labels flag was tried first but only labels the primary test namespace — the auxiliary cilium-test-ccnp* namespaces still inherited baseline and failed. Pre-creating covers all of them uniformly. The namespace names track cilium-cli's convention for the default --test-concurrency 1.

create --dry-run=client | apply + label --overwrite are idempotent, so a namespace left over from a prior failed run is handled cleanly.

Context

Version-independent — this recipe would fail identically on any Cilium release. It surfaced while verifying the Cilium 1.19.4 upgrade (#198): the upgrade is healthy, but its just smoke acceptance criterion was not actually satisfiable as the recipe stood.

Testing

  • just --list renders smoke-cilium with its intended one-line description.
  • Partial verification done: with the namespaces pre-labelled, the connectivity-test fixtures are admitted and run (previously 0 pods). A full just smoke run against the rockingham cluster to confirm the whole matrix passes is in progress.

Closes: #211

🤖 Generated with Claude Code

`just smoke` always failed at smoke-cilium. cilium-cli creates its test
namespaces (`cilium-test-1` and the `cilium-test-ccnp*` pair for the
CiliumClusterwideNetworkPolicy tests) with no PodSecurity labels, so they
inherit the cluster-wide default Talos ships (`enforce: baseline`). The
test fixtures need NET_RAW, hostNetwork, and hostPort — all forbidden
under baseline — so every pod is rejected at admission and cilium-cli
times out on zero replicas.

cilium-cli's `--namespace-labels` flag only labels the primary test
namespace, not the auxiliary `ccnp` ones. Pre-create all three as
`privileged` before the run instead; cilium-cli reuses an existing
namespace as-is.

Version-independent — surfaced verifying the Cilium 1.19.4 upgrade (#198).

Closes: #211

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
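The pre-creation step the PR describes, as an added shell example that is not the repository's own justfile recipe: it renders a Namespace manifest carrying the three PodSecurity admission labels at `privileged`, applies it idempotently with `kubectl apply`, and scopes the relaxation to the throwaway test namespaces only, leaving the cluster-wide `baseline` default untouched. Only `cilium-test-1` is named on the page; the two `cilium-test-ccnp*` names below are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the project's recipe. Pre-creates the cilium-cli
# connectivity-test namespaces with PodSecurity labels so the fixtures
# (NET_RAW, hostNetwork, hostPort) pass admission without touching the
# cluster-wide baseline default that Talos ships.
set -eu

# Level applied to the test namespaces only (never to the cluster default).
PSA_LEVEL="${PSA_LEVEL:-privileged}"

# cilium-test-1 is from the PR; the ccnp pair names are assumed placeholders
# and must match what your cilium-cli version creates at --test-concurrency 1.
CILIUM_TEST_NAMESPACES="cilium-test-1 cilium-test-ccnp-a cilium-test-ccnp-b"

# Render a Namespace manifest with enforce/audit/warn all set to the same
# level; setting audit and warn too keeps the API server from warning about
# pods the enforce label already permits.
psa_namespace_manifest() {
  local ns="$1" level="${2:-$PSA_LEVEL}"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
  labels:
    pod-security.kubernetes.io/enforce: ${level}
    pod-security.kubernetes.io/audit: ${level}
    pod-security.kubernetes.io/warn: ${level}
EOF
}

# kubectl apply is idempotent: a namespace left behind by an earlier failed
# run gets its labels (re)set instead of causing an "already exists" error.
ensure_psa_namespace() {
  psa_namespace_manifest "$1" | kubectl apply -f -
}

pre_create_cilium_test_namespaces() {
  local ns
  for ns in ${CILIUM_TEST_NAMESPACES}; do
    ensure_psa_namespace "$ns"
  done
}

# Remove the privileged namespaces after the run so the relaxed admission
# level does not outlive the test; --ignore-not-found keeps this idempotent.
delete_cilium_test_namespaces() {
  # shellcheck disable=SC2086
  kubectl delete namespace ${CILIUM_TEST_NAMESPACES} --ignore-not-found
}
```

Run `pre_create_cilium_test_namespaces` immediately before `cilium connectivity test` and `delete_cilium_test_namespaces` afterwards; a quick check that the labels landed is `kubectl get ns cilium-test-1 --show-labels`.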
@jvcorredor jvcorredor force-pushed the homelab-211-smoke-cilium-psa-labels branch from c89e2f2 to fc0677c May 17, 2026 15:40
@jvcorredor jvcorredor changed the title from "fix(just): label cilium connectivity-test namespace privileged" to "fix(just): pre-create cilium connectivity-test namespaces privileged" May 17, 2026
@jvcorredor jvcorredor merged commit 81ea6fe into main May 17, 2026
1 check passed
@jvcorredor jvcorredor deleted the homelab-211-smoke-cilium-psa-labels branch May 17, 2026 16:26
jvcorredor added a commit that referenced this pull request May 17, 2026
…215)

After #212 made `cilium connectivity test` runnable, `just smoke` still
exited 1 on two checks that are unreliable on this homelab:

  - no-unexpected-packet-drops trips on ambient VLAN-tagged LAN traffic
    that Cilium drops by design ("VLAN traffic disallowed by VLAN
    filter") — not cluster-pod traffic, and the counter is cumulative.
  - check-log-errors scans the full agent log and re-flags benign
    agent-startup transients (e.g. a one-off cilium-health socket poll
    racing agent start).

Exclude both via `--test '!...'` so `just smoke` is a clean pass/fail
gate. A full conformance pass remains available by running `cilium
connectivity test` directly without the excludes.

Closes: #214

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>


Development

Successfully merging this pull request may close these issues.

fix(just): smoke-cilium fails — connectivity-test pods rejected by baseline PodSecurity
