github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 19:23:40 +00:00
Code Issues Projects Releases Wiki Activity

minor fix comments in netpol so its easy to understand the tests for newcomers, remove one misleading comment (#118264)

Browse Source 
* Fix comments in the netpol tests for new contributors to understand them better

* typo
This commit is contained in:
jay vyas 2023-06-05 08:31:25 -04:00 committed by GitHub
parent 72a3990728
commit 6195f96e56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
test/e2e/network/netpol/network_policy.go
View File

@ -45,8 +45,7 @@ const (
// Calico, Cillium, Antrea seem to do different things. // Calico, Cillium, Antrea seem to do different things.
// Since different CNIs have different results, that causes tests including loopback to fail // Since different CNIs have different results, that causes tests including loopback to fail
// on some CNIs. So let's just ignore loopback calls for the purposes of deciding test pass/fail. // on some CNIs. So let's just ignore loopback calls for the purposes of deciding test pass/fail.
ignoreLoopback = true ignoreLoopback = true
namespaceLabelKey = "kubernetes.io/metadata.name" namespaceLabelKey = "kubernetes.io/metadata.name"
) )
@ -118,16 +117,29 @@ var _ = common.SIGDescribe("Netpol", func() {
var k8s *kubeManager var k8s *kubeManager
ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func(ctx context.Context) { ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func(ctx context.Context) {
// Only poll TCP
protocols := []v1.Protocol{protocolTCP} protocols := []v1.Protocol{protocolTCP}
// Only testing port 80
ports := []int32{80} ports := []int32{80}
// Create pods and namespaces for this test
k8s = initializeResources(ctx, f, protocols, ports) k8s = initializeResources(ctx, f, protocols, ports)
// Only going to make a policy in namespace X
nsX, _, _ := getK8sNamespaces(k8s) nsX, _, _ := getK8sNamespaces(k8s)
policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules()) policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules())
// Create the policy
CreatePolicy(ctx, k8s, policy, nsX) CreatePolicy(ctx, k8s, policy, nsX)
// Make a truth table of connectivity for all pods in ns x y z
reachability := NewReachability(k8s.AllPodStrings(), true) reachability := NewReachability(k8s.AllPodStrings(), true)
// Set the nsX as false, since it has a policy that blocks traffic
reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false) reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
// Confirm that the real world connectivity matches our matrix
ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability}) ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
}) })
@ -614,7 +626,7 @@ var _ = common.SIGDescribe("Netpol", func() {
reachability.ExpectAllIngress(NewPodString(nsX, "a"), false) reachability.ExpectAllIngress(NewPodString(nsX, "a"), false)
ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability}) ValidateOrFail(k8s, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
// add a new label, we'll remove it after this test is completed // add a new label
AddNamespaceLabel(ctx, k8s, nsY, "ns2", "updated") AddNamespaceLabel(ctx, k8s, nsY, "ns2", "updated")
// anything from namespace 'y' should be able to get to x/a // anything from namespace 'y' should be able to get to x/a
@ -631,7 +643,7 @@ var _ = common.SIGDescribe("Netpol", func() {
nsX, _, _ := getK8sNamespaces(k8s) nsX, _, _ := getK8sNamespaces(k8s)
ginkgo.DeferCleanup(ResetPodLabels, k8s, nsX, "b") ginkgo.DeferCleanup(ResetPodLabels, k8s, nsX, "b")
// add a new label, we'll remove it after this test is done // add a new label
matchLabels := map[string]string{"pod": "b", "pod2": "updated"} matchLabels := map[string]string{"pod": "b", "pod2": "updated"}
allowedLabels := &metav1.LabelSelector{MatchLabels: matchLabels} allowedLabels := &metav1.LabelSelector{MatchLabels: matchLabels}
ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule := networkingv1.NetworkPolicyIngressRule{}
@ -725,8 +737,8 @@ var _ = common.SIGDescribe("Netpol", func() {
ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedPodLabels}) ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedPodLabels})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
// add an egress rule on to it...
// add an egress rule on to it...
policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{ policy.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
{ {
Ports: []networkingv1.NetworkPolicyPort{ Ports: []networkingv1.NetworkPolicyPort{