mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
Merge pull request #104349 from rajaskakodkar/netpol-container-improvement
Optimize the resource consumption of networkpolicy tests by reducing the containers created
This commit is contained in:
Kubernetes Prow Robot
GitHub
commit
07dc81f83b
@ -130,7 +130,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules())
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
@ -145,7 +146,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
|
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
@ -167,7 +169,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
|
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
@ -180,7 +183,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy to allow ingress traffic for a target [Feature:NetworkPolicy] ", func() {
|
ginkgo.It("should enforce policy to allow ingress traffic for a target [Feature:NetworkPolicy] ", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
ginkgo.By("having a deny all ingress policy", func() {
|
ginkgo.By("having a deny all ingress policy", func() {
|
||||||
// Deny all Ingress traffic policy to pods on namespace nsX
|
// Deny all Ingress traffic policy to pods on namespace nsX
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
||||||
@ -204,7 +208,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy to allow ingress traffic from pods in all namespaces [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow ingress traffic from pods in all namespaces [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
||||||
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
|
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
|
||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-another-ns", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-another-ns", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
||||||
@ -217,7 +222,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
||||||
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"ns": nsY}}})
|
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"ns": nsY}}})
|
||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
||||||
@ -245,7 +251,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
|
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
@ -258,7 +265,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions[Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions[Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||||
Key: "ns",
|
Key: "ns",
|
||||||
@ -282,7 +290,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||||
Key: "ns",
|
Key: "ns",
|
||||||
@ -310,7 +319,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||||
Key: "ns",
|
Key: "ns",
|
||||||
@ -339,7 +349,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on Multiple PodSelectors and NamespaceSelectors [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on Multiple PodSelectors and NamespaceSelectors [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||||
Key: "ns",
|
Key: "ns",
|
||||||
@ -371,7 +382,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on any PodSelectors [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on any PodSelectors [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
||||||
for _, label := range []map[string]string{{"pod": "b"}, {"pod": "c"}} {
|
for _, label := range []map[string]string{{"pod": "b"}, {"pod": "c"}} {
|
||||||
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: label}})
|
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: label}})
|
||||||
@ -392,7 +404,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -419,7 +432,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -443,7 +457,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -485,7 +500,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
ginkgo.By("Testing pods can connect to both ports when an 'allow-all' policy is present.")
|
ginkgo.By("Testing pods can connect to both ports when an 'allow-all' policy is present.")
|
||||||
@ -500,7 +516,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
ginkgo.By("Blocking all ports other then 81 in the entire namespace")
|
ginkgo.By("Blocking all ports other then 81 in the entire namespace")
|
||||||
@ -517,7 +534,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should allow ingress access from namespace on one named port [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should allow ingress access from namespace on one named port [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -551,7 +569,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
|
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachabilityPort80 := NewReachability(model.AllPods(), true)
|
reachabilityPort80 := NewReachability(model.AllPods(), true)
|
||||||
@ -569,7 +588,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
@ -587,7 +607,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should allow ingress access from updated namespace [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should allow ingress access from updated namespace [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
defer ResetNamespaceLabels(k8s, nsY)
|
defer ResetNamespaceLabels(k8s, nsY)
|
||||||
|
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
@ -621,7 +642,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should allow ingress access from updated pod [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should allow ingress access from updated pod [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
podXB, err := model.FindPod(nsX, "b")
|
podXB, err := model.FindPod(nsX, "b")
|
||||||
framework.ExpectNoError(err, "find pod x/b")
|
framework.ExpectNoError(err, "find pod x/b")
|
||||||
defer ResetPodLabels(k8s, podXB)
|
defer ResetPodLabels(k8s, podXB)
|
||||||
@ -652,8 +674,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
IngressRules := networkingv1.NetworkPolicyIngressRule{}
|
IngressRules := networkingv1.NetworkPolicyIngressRule{}
|
||||||
IngressRules.From = append(IngressRules.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
|
IngressRules.From = append(IngressRules.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-empty-policy", metav1.LabelSelector{}, SetSpecIngressRules(IngressRules))
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-empty-policy", metav1.LabelSelector{}, SetSpecIngressRules(IngressRules))
|
||||||
@ -669,7 +691,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
podXA, err := model.FindPod(nsX, "a")
|
podXA, err := model.FindPod(nsX, "a")
|
||||||
framework.ExpectNoError(err, "find pod x/a")
|
framework.ExpectNoError(err, "find pod x/a")
|
||||||
defer ResetPodLabels(k8s, podXA)
|
defer ResetPodLabels(k8s, podXA)
|
||||||
@ -692,7 +715,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should deny egress from pods based on PodSelector [Feature:NetworkPolicy] ", func() {
|
ginkgo.It("should deny egress from pods based on PodSelector [Feature:NetworkPolicy] ", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}, SetSpecEgressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}, SetSpecEgressRules())
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
@ -705,7 +729,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() {
|
ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-ns-x", metav1.LabelSelector{}, SetSpecEgressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-ns-x", metav1.LabelSelector{}, SetSpecEgressRules())
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
@ -735,7 +760,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}
|
policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80, 81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
reachabilityPort80 := NewReachability(model.AllPods(), true)
|
reachabilityPort80 := NewReachability(model.AllPods(), true)
|
||||||
@ -760,7 +786,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
|
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
|
|
||||||
// Building egress policy for x/a to y/a only
|
// Building egress policy for x/a to y/a only
|
||||||
allowedEgressNamespaces := &metav1.LabelSelector{
|
allowedEgressNamespaces := &metav1.LabelSelector{
|
||||||
@ -850,7 +877,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -875,7 +903,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce ingress policy allowing any port traffic to a server on a specific protocol [Feature:NetworkPolicy] [Feature:UDP]", func() {
|
ginkgo.It("should enforce ingress policy allowing any port traffic to a server on a specific protocol [Feature:NetworkPolicy] [Feature:UDP]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP, protocolUDP}
|
protocols := []v1.Protocol{protocolTCP, protocolUDP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
ingressRule := networkingv1.NetworkPolicyIngressRule{}
|
||||||
ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolTCP})
|
ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolTCP})
|
||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-by-proto", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-by-proto", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
||||||
@ -892,7 +921,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce multiple ingress policies with ingress allow-all policy taking precedence [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce multiple ingress policies with ingress allow-all policy taking precedence [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
IngressRules := networkingv1.NetworkPolicyIngressRule{}
|
IngressRules := networkingv1.NetworkPolicyIngressRule{}
|
||||||
IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}})
|
IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}})
|
||||||
policyAllowOnlyPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-port-80", map[string]string{}, SetSpecIngressRules(IngressRules))
|
policyAllowOnlyPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-port-80", map[string]string{}, SetSpecIngressRules(IngressRules))
|
||||||
@ -919,7 +949,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule))
|
policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policyAllowPort80, nsX)
|
CreatePolicy(k8s, policyAllowPort80, nsX)
|
||||||
|
|
||||||
ginkgo.By("Making sure ingress doesn't work other than port 80")
|
ginkgo.By("Making sure ingress doesn't work other than port 80")
|
||||||
@ -944,7 +975,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
reachability := NewReachability(model.AllPods(), true)
|
reachability := NewReachability(model.AllPods(), true)
|
||||||
|
|
||||||
@ -968,7 +1000,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
// Getting podServer's status to get podServer's IP, to create the CIDR
|
// Getting podServer's status to get podServer's IP, to create the CIDR
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
podList, err := f.ClientSet.CoreV1().Pods(nsY).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=b"})
|
podList, err := f.ClientSet.CoreV1().Pods(nsY).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=b"})
|
||||||
framework.ExpectNoError(err, "Failing to list pods in namespace y")
|
framework.ExpectNoError(err, "Failing to list pods in namespace y")
|
||||||
pod := podList.Items[0]
|
pod := podList.Items[0]
|
||||||
@ -994,7 +1027,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
|
// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"})
|
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"})
|
||||||
framework.ExpectNoError(err, "Failing to find pod x/a")
|
framework.ExpectNoError(err, "Failing to find pod x/a")
|
||||||
podA := podList.Items[0]
|
podA := podList.Items[0]
|
||||||
@ -1027,7 +1061,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
|
// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"})
|
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(context.TODO(), metav1.ListOptions{LabelSelector: "pod=a"})
|
||||||
framework.ExpectNoError(err, "Failing to find pod x/a")
|
framework.ExpectNoError(err, "Failing to find pod x/a")
|
||||||
podA := podList.Items[0]
|
podA := podList.Items[0]
|
||||||
@ -1088,7 +1123,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{}))
|
metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{}))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, allowEgressPolicy, nsX)
|
CreatePolicy(k8s, allowEgressPolicy, nsX)
|
||||||
|
|
||||||
allowEgressReachability := NewReachability(model.AllPods(), true)
|
allowEgressReachability := NewReachability(model.AllPods(), true)
|
||||||
@ -1110,7 +1146,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should not mistakenly treat 'protocol: SCTP' as 'protocol: TCP', even if the plugin doesn't support SCTP [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should not mistakenly treat 'protocol: SCTP' as 'protocol: TCP', even if the plugin doesn't support SCTP [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
|
|
||||||
ginkgo.By("Creating a default-deny ingress policy.")
|
ginkgo.By("Creating a default-deny ingress policy.")
|
||||||
// Empty podSelector blocks the entire namespace
|
// Empty podSelector blocks the entire namespace
|
||||||
@ -1139,7 +1176,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
ginkgo.By("Trying to connect to TCP port 81, which should be blocked by implicit isolation.")
|
ginkgo.By("Trying to connect to TCP port 81, which should be blocked by implicit isolation.")
|
||||||
@ -1154,7 +1192,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
ginkgo.By("Creating a network policy for the server which allows traffic only via UDP on port 81.")
|
ginkgo.By("Creating a network policy for the server which allows traffic only via UDP on port 81.")
|
||||||
@ -1169,7 +1208,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy to allow traffic based on NamespaceSelector with MatchLabels using default ns label [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow traffic based on NamespaceSelector with MatchLabels using default ns label [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
v1.LabelMetadataName: nsY,
|
v1.LabelMetadataName: nsY,
|
||||||
@ -1191,7 +1231,8 @@ var _ = common.SIGDescribe("Netpol", func() {
|
|||||||
ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions using default ns label [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions using default ns label [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolTCP}
|
protocols := []v1.Protocol{protocolTCP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
MatchExpressions: []metav1.LabelSelectorRequirement{{
|
||||||
Key: v1.LabelMetadataName,
|
Key: v1.LabelMetadataName,
|
||||||
@ -1231,7 +1272,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() {
|
|||||||
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolUDP}
|
protocols := []v1.Protocol{protocolUDP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
@ -1245,7 +1287,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() {
|
|||||||
ginkgo.By("Creating a network policy allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
ginkgo.By("Creating a network policy allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolUDP}
|
protocols := []v1.Protocol{protocolUDP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -1268,7 +1311,8 @@ var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() {
|
|||||||
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolUDP}
|
protocols := []v1.Protocol{protocolUDP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -1313,7 +1357,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt
|
|||||||
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() {
|
||||||
nsX, _, _, k8s := getK8sNamespaces(f)
|
nsX, _, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolSCTP}
|
protocols := []v1.Protocol{protocolSCTP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
|
||||||
CreatePolicy(k8s, policy, nsX)
|
CreatePolicy(k8s, policy, nsX)
|
||||||
|
|
||||||
@ -1327,7 +1372,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt
|
|||||||
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
|
||||||
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
nsX, nsY, nsZ, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolSCTP}
|
protocols := []v1.Protocol{protocolSCTP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{81}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedLabels := &metav1.LabelSelector{
|
allowedLabels := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -1349,7 +1395,8 @@ var _ = common.SIGDescribe("Netpol [Feature:SCTPConnectivity][LinuxOnly][Disrupt
|
|||||||
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
|
||||||
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
nsX, nsY, _, k8s := getK8sNamespaces(f)
|
||||||
protocols := []v1.Protocol{protocolSCTP}
|
protocols := []v1.Protocol{protocolSCTP}
|
||||||
model = initializeResourcesByFixedNS(f, protocols)
|
ports := []int32{80}
|
||||||
|
model = initializeResourcesByFixedNS(f, protocols, ports)
|
||||||
allowedNamespaces := &metav1.LabelSelector{
|
allowedNamespaces := &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
"ns": nsY,
|
"ns": nsY,
|
||||||
@ -1389,11 +1436,11 @@ func getNamespaces(rootNs string) (string, string, string, []string) {
|
|||||||
|
|
||||||
// defaultModel creates a new "model" pod system under namespaces (x,y,z) which has pods a, b, and c. Thus resulting in the
|
// defaultModel creates a new "model" pod system under namespaces (x,y,z) which has pods a, b, and c. Thus resulting in the
|
||||||
// truth table matrix that is identical for all tests, comprising 81 total connections between 9 pods (x/a, x/b, x/c, ..., z/c).
|
// truth table matrix that is identical for all tests, comprising 81 total connections between 9 pods (x/a, x/b, x/c, ..., z/c).
|
||||||
func defaultModel(namespaces []string, dnsDomain string, protocols []v1.Protocol) *Model {
|
func defaultModel(namespaces []string, dnsDomain string, protocols []v1.Protocol, ports []int32) *Model {
|
||||||
if framework.NodeOSDistroIs("windows") {
|
if framework.NodeOSDistroIs("windows") {
|
||||||
return NewWindowsModel(namespaces, []string{"a", "b", "c"}, []int32{80, 81}, dnsDomain)
|
return NewWindowsModel(namespaces, []string{"a", "b", "c"}, ports, dnsDomain)
|
||||||
}
|
}
|
||||||
return NewModel(namespaces, []string{"a", "b", "c"}, []int32{80, 81}, protocols, dnsDomain)
|
return NewModel(namespaces, []string{"a", "b", "c"}, ports, protocols, dnsDomain)
|
||||||
}
|
}
|
||||||
|
|
||||||
// getK8sNamespaces returns the canonical set of namespaces using the framework's root namespace
|
// getK8sNamespaces returns the canonical set of namespaces using the framework's root namespace
|
||||||
@ -1404,9 +1451,9 @@ func getK8sNamespaces(f *framework.Framework) (string, string, string, *kubeMana
|
|||||||
|
|
||||||
// initializeResourcesByFixedNS uses the e2e framework to create all necessary namespace resources, cleaning up
|
// initializeResourcesByFixedNS uses the e2e framework to create all necessary namespace resources, cleaning up
|
||||||
// network policies from the namespace if useFixedNamespace is set true, avoiding policies overlap of new tests.
|
// network policies from the namespace if useFixedNamespace is set true, avoiding policies overlap of new tests.
|
||||||
func initializeResourcesByFixedNS(f *framework.Framework, protocols []v1.Protocol) *Model {
|
func initializeResourcesByFixedNS(f *framework.Framework, protocols []v1.Protocol, ports []int32) *Model {
|
||||||
if useFixedNamespaces {
|
if useFixedNamespaces {
|
||||||
model, _ := initializeResources(f, protocols)
|
model, _ := initializeResources(f, protocols, ports)
|
||||||
k8s := newKubeManager(f)
|
k8s := newKubeManager(f)
|
||||||
framework.ExpectNoError(k8s.cleanNetworkPolicies(model.NamespaceNames), "unable to clean network policies")
|
framework.ExpectNoError(k8s.cleanNetworkPolicies(model.NamespaceNames), "unable to clean network policies")
|
||||||
err := wait.Poll(waitInterval, waitTimeout, func() (done bool, err error) {
|
err := wait.Poll(waitInterval, waitTimeout, func() (done bool, err error) {
|
||||||
@ -1423,7 +1470,7 @@ func initializeResourcesByFixedNS(f *framework.Framework, protocols []v1.Protoco
|
|||||||
return model
|
return model
|
||||||
} else {
|
} else {
|
||||||
framework.Logf("Using %v as the default dns domain for this cluster... ", framework.TestContext.ClusterDNSDomain)
|
framework.Logf("Using %v as the default dns domain for this cluster... ", framework.TestContext.ClusterDNSDomain)
|
||||||
model, err := initializeResources(f, protocols)
|
model, err := initializeResources(f, protocols, ports)
|
||||||
framework.ExpectNoError(err, "unable to initialize resources")
|
framework.ExpectNoError(err, "unable to initialize resources")
|
||||||
return model
|
return model
|
||||||
}
|
}
|
||||||
@ -1432,12 +1479,12 @@ func initializeResourcesByFixedNS(f *framework.Framework, protocols []v1.Protoco
|
|||||||
// initializeResources uses the e2e framework to create all necessary namespace resources, based on the network policy
|
// initializeResources uses the e2e framework to create all necessary namespace resources, based on the network policy
|
||||||
// model derived from the framework. It then waits for the resources described by the model to be up and running
|
// model derived from the framework. It then waits for the resources described by the model to be up and running
|
||||||
// (i.e. all pods are ready and running in their namespaces).
|
// (i.e. all pods are ready and running in their namespaces).
|
||||||
func initializeResources(f *framework.Framework, protocols []v1.Protocol) (*Model, error) {
|
func initializeResources(f *framework.Framework, protocols []v1.Protocol, ports []int32) (*Model, error) {
|
||||||
k8s := newKubeManager(f)
|
k8s := newKubeManager(f)
|
||||||
rootNs := f.Namespace.GetName()
|
rootNs := f.Namespace.GetName()
|
||||||
_, _, _, namespaces := getNamespaces(rootNs)
|
_, _, _, namespaces := getNamespaces(rootNs)
|
||||||
|
|
||||||
model := defaultModel(namespaces, framework.TestContext.ClusterDNSDomain, protocols)
|
model := defaultModel(namespaces, framework.TestContext.ClusterDNSDomain, protocols, ports)
|
||||||
|
|
||||||
framework.Logf("initializing cluster: ensuring namespaces, deployments, and pods exist and are ready")
|
framework.Logf("initializing cluster: ensuring namespaces, deployments, and pods exist and are ready")
|
||||||
|
|
||||||
|
|||||||
@ -69,7 +69,7 @@ func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespac
|
|||||||
// waitForHTTPServers waits for all webservers to be up, on all protocols sent in the input, and then validates them using the same probe logic as the rest of the suite.
|
// waitForHTTPServers waits for all webservers to be up, on all protocols sent in the input, and then validates them using the same probe logic as the rest of the suite.
|
||||||
func waitForHTTPServers(k *kubeManager, model *Model) error {
|
func waitForHTTPServers(k *kubeManager, model *Model) error {
|
||||||
const maxTries = 10
|
const maxTries = 10
|
||||||
framework.Logf("waiting for HTTP servers (ports 80 and 81) to become ready")
|
framework.Logf("waiting for HTTP servers (ports 80 and/or 81) to become ready")
|
||||||
|
|
||||||
testCases := map[string]*TestCase{}
|
testCases := map[string]*TestCase{}
|
||||||
for _, port := range model.Ports {
|
for _, port := range model.Ports {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user