From f86ddbea70cc0d9490173a04c9640ebdf0c0c8dd Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Mon, 26 Apr 2021 10:23:43 -0500 Subject: [PATCH] e2e/network/firewall: don't assume nodes are exposed externally If no nodes have NodeExternalIP addresses, then clearly none of the services are exposed externally, and the test should succeed. Seen in OpenShift CI. --- test/e2e/network/firewall.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go index d5d4cc8f548..2d6566c138a 100644 --- a/test/e2e/network/firewall.go +++ b/test/e2e/network/firewall.go @@ -218,8 +218,10 @@ var _ = common.SIGDescribe("Firewall rule", func() { ginkgo.By("Checking well known ports on master and nodes are not exposed externally") nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP) - if nodeAddr == "" { - framework.Failf("did not find any node addresses") + if nodeAddr != "" { + assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false) + assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false) + assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false) } controlPlaneAddresses := framework.GetControlPlaneAddresses(cs) @@ -227,9 +229,6 @@ var _ = common.SIGDescribe("Firewall rule", func() { assertNotReachableHTTPTimeout(instanceAddress, "/healthz", ports.KubeControllerManagerPort, firewallTestTCPTimeout, true) assertNotReachableHTTPTimeout(instanceAddress, "/healthz", kubeschedulerconfig.DefaultKubeSchedulerPort, firewallTestTCPTimeout, true) } - assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false) - assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false) - assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false) }) })