fix(eks): stabilize UDP NetworkPolicy e2e coverage

[chance-coleman]

Description

Problem

The UDP NetworkPolicy E2E test was flaky on EKS for two independent reasons:

1. Cross-node UDP traffic was not actually allowed by the EKS node security group configuration.
   The EKS test infra only allowed node-to-node UDP/53 by default, and the earlier SG change used the cluster security group as the source instead of a self-referencing node security group rule. That left cross-node UDP/5000 traffic unreliable.

2. The test itself depended on a one-shot UDP listener started via execInPod.
   The old test launched nc -u -l -p 5000 at assertion time and immediately raced client sends against listener startup and exec WebSocket timing. That made the test flaky even when networking was healthy.

Fix

This PR fixes both issues with the smallest set of real changes:

• adds a self-referencing UDP ingress rule to the EKS node security group so cross-node pod-to-pod UDP is allowed
• changes the UDP server test workload to run a persistent nc loop inside the container
• updates the UDP E2E test to:
  • fetch pod names in parallel in beforeAll() to avoid EKS hook timeout
  • assert delivery by polling the server log instead of relying on listener stdout
  • send UDP directly to the server pod IP so the test stays focused on NetworkPolicy behavior instead of kube-proxy UDP ClusterIP routing behavior

Why this approach

This keeps the test focused on what UDS Core owns:

• UDP allow/deny NetworkPolicy behavior between pods
  It avoids unrelated sources of flake:
• incorrect EKS cross-node UDP security group rules
• execInPod listener startup timing
• EKS UDP ClusterIP/DNAT service-path instability

Validation

Validated successfully across CI flavors after these changes.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide followed

[greptile-apps]

Greptile Summary

This PR stabilises the UDP NetworkPolicy E2E test on EKS by fixing two independent root causes: missing cross-node UDP SG rules and a flaky one-shot listener pattern. The approach replaces one-shot nc with a persistent log-appending loop, switches assertions to poll the log file, and parallelises beforeAll pod-name fetches to avoid hook timeout on slow EKS API servers.

• EKS infra (cluster.tf): adds a self-referencing node SG rule for UDP, though the port range (0-65535) is broader than the single test port (5000) that motivated the fix.
• Test workload (app-curl.yaml): UDP server container now runs a persistent nc loop, eliminating the listen-before-exec race.
• E2E spec (network.spec.ts): beforeAll pod fetches run in parallel via Promise.all, assertions now read the server log file instead of relying on nc stdout, and direct pod IP is used to avoid kube-proxy DNAT timing issues.

Confidence Score: 5/5

Safe to merge — all three changes are scoped to test infrastructure and do not touch production paths

All changes are confined to EKS test infra, a test-only workload manifest, and the E2E spec file. The logic changes are well-reasoned and validated in CI. Two minor observations exist — an overly broad SG port range and an early-exit condition in waitForUdpLog that is never reached — but neither causes test failures or behavioral regressions.

.github/test-infra/aws/eks/cluster.tf (UDP SG port range) and test/vitest/network.spec.ts (waitForUdpLog early-exit logic)

Important Files Changed

Filename	Overview
.github/test-infra/aws/eks/cluster.tf	Adds a self-referencing UDP ingress rule to the node security group; opens ports 0-65535 when only port 5000 is needed for the test
src/test/app-curl.yaml	Replaces the idle sleep command with a persistent nc loop that appends received UDP data to /tmp/udp.log, enabling log-based assertion
test/vitest/network.spec.ts	Parallelises beforeAll pod-name fetches, rewrites the UDP test to poll the server log file via pod IP, and adds clearUdpLog/readUdpLog/waitForUdpLog helpers; waitForUdpLog early-exit condition is dead code for the allowed path

Sequence Diagram

sequenceDiagram
    participant Test as E2E Test
    participant Client as udp-echo-client pod
    participant Server as udp-echo-server pod
    participant Log as /tmp/udp.log

    Note over Server,Log: Container runs persistent nc loop
    Server->>Log: nc -u -l -p 5000 -w 1 loop

    Test->>Server: clearUdpLog truncate log
    Test->>Client: execInPod send 3 pings to serverIP port 5000
    Client->>Server: UDP ping x3
    Server->>Log: append ping per nc session

    loop poll every 250ms up to 5s
        Test->>Log: readUdpLog
        Log-->>Test: log content
    end

    Test->>Test: expectUdpPingLog all lines equal ping

    Note over Test: Denied path
    Test->>Server: clearUdpLog
    Test->>Client: execInPod from deny-all namespace
    Client--xServer: blocked by NetworkPolicy

    loop poll every 250ms up to 2s
        Test->>Log: readUdpLog
        Log-->>Test: empty string
    end

    Test->>Test: expect deniedLog toBe empty

Loading

_{Reviews (2): Last reviewed commit: "final cleanup" | Re-trigger Greptile}

[chance-coleman]

@greptileai review this PR

[jasonwashburn]

One nit and a copyright update, otherwise everything looks good to me!

[jasonwashburn]

Looks good (pending CI)