Default deny all egress from pods in the namespace

Amim Knabben 2021-01-05 15:31:09 -05:00
parent 23a46d8843
commit 189edf1e73
2 changed files with 25 additions and 0 deletions


@ -556,6 +556,17 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
})
ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() {
nsX, _, _, model, k8s := getK8SModel(f)
policy := GetDenyEgress("deny-egress-ns-x")
CreatePolicy(k8s, policy, nsX)
reachability := NewReachability(model.AllPods(), true)
reachability.ExpectPeer(&Peer{Namespace: nsX}, &Peer{}, false)
ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
})
ginkgo.It("should work with Ingress, Egress specified together [Feature:NetworkPolicy]", func() {
allowedPodLabels := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "b"}}
policy := GetAllowIngressByPod("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, allowedPodLabels)
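Review bot: The spec description on the `ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy] ", func() {` line carries a trailing space inside the string literal, unlike the sibling spec on the following It line; since the description is what focus/skip selectors match against, it should read `ginkgo.It("should deny egress from all pods in a namespace [Feature:NetworkPolicy]", func() {`. The expectation `reachability.ExpectPeer(&Peer{Namespace: nsX}, &Peer{}, false)` presumably marks every destination, including other pods inside nsX, as unreachable from nsX — that is the intended shape of a default-deny egress policy, but a short comment such as `// default-deny egress: pods in nsX lose egress to every peer, including their own namespace` would make that intent explicit for the next reader. The enclosing SIGDescribeCopy closure begins and ends outside the hunk.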


@ -40,6 +40,20 @@ func GetDenyIngress(name string) *networkingv1.NetworkPolicy {
}
}
// GetDenyEgress returns a default deny egress policy.
func GetDenyEgress(name string) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
Egress: []networkingv1.NetworkPolicyEgressRule{},
},
}
}
// GetDenyEgressForTarget returns a default deny egress policy.
func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{