From 875f80e3a3d69af1387571fb619b7ea2c5f5e7fe Mon Sep 17 00:00:00 2001 From: Artur Gadelshin Date: Sun, 12 Apr 2020 23:22:47 +0200 Subject: [PATCH] Add test for ingress/egress combination --- test/e2e/network/network_policy.go | 114 ++++++++++++++++++++++++++++- 1 file changed, 112 insertions(+), 2 deletions(-) diff --git a/test/e2e/network/network_policy.go b/test/e2e/network/network_policy.go index 4e8270cbce3..f564d550126 100644 --- a/test/e2e/network/network_policy.go +++ b/test/e2e/network/network_policy.go @@ -78,10 +78,10 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() { cleanupServerPodAndService(f, podServer, service) }) - ginkgo.It("should support a 'default-deny' policy [Feature:NetworkPolicy]", func() { + ginkgo.It("should support a 'default-deny-ingress' policy [Feature:NetworkPolicy]", func() { policy := &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ - Name: "deny-all", + Name: "deny-ingress", }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, @@ -98,6 +98,28 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() { testCannotConnect(f, f.Namespace, "client-cannot-connect", service, 80) }) + ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() { + policy := &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default-deny-all", + }, + Spec: networkingv1.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{}, + PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}, + Ingress: []networkingv1.NetworkPolicyIngressRule{}, + Egress: []networkingv1.NetworkPolicyEgressRule{}, + }, + } + + policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{}) + framework.ExpectNoError(err) + defer cleanupNetworkPolicy(f, policy) + + // Create a pod with name 'client-cannot-connect', which will attempt to communicate with the server, + // but should not be able to now that isolation is on. + testCannotConnect(f, f.Namespace, "client-cannot-connect", service, 80) + }) + ginkgo.It("should enforce policy to allow traffic from pods within server namespace based on PodSelector [Feature:NetworkPolicy]", func() { nsA := f.Namespace nsBName := f.BaseName + "-b" @@ -906,6 +928,94 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() { testCannotConnect(f, f.Namespace, "client-a", service, allowedPort) }) + ginkgo.It("should work with Ingress,Egress specified together [Feature:NetworkPolicy]", func() { + const allowedPort = 80 + const notAllowedPort = 81 + protocolUDP := v1.ProtocolUDP + + nsBName := f.BaseName + "-b" + nsB, err := f.CreateNamespace(nsBName, map[string]string{ + "ns-name": nsBName, + }) + framework.ExpectNoError(err, "Error occurred while creating namespace-b.") + + podB, serviceB := createServerPodAndService(f, nsB, "pod-b", []int{allowedPort, notAllowedPort}) + defer cleanupServerPodAndService(f, podB, serviceB) + + // Wait for Server with Service in NS-B to be ready + framework.Logf("Waiting for servers to be ready.") + err = e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, podB.Name, nsB.Name, framework.PodStartTimeout) + framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Ready.") + + ginkgo.By("Create a network policy for the server which denies both Ingress and Egress traffic.") + policy := &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ingress-egress-rule", + }, + Spec: networkingv1.NetworkPolicySpec{ + PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, + Ingress: []networkingv1.NetworkPolicyIngressRule{{ + From: []networkingv1.NetworkPolicyPeer{{ + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "ns-name": nsBName, + }, + }, + }}, + Ports: []networkingv1.NetworkPolicyPort{{ + Port: &intstr.IntOrString{IntVal: allowedPort}, + }}, + }}, + Egress: []networkingv1.NetworkPolicyEgressRule{ + { + Ports: []networkingv1.NetworkPolicyPort{ + // Allow DNS look-ups + { + Protocol: &protocolUDP, + Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53}, + }, + }, + }, + { + To: []networkingv1.NetworkPolicyPeer{ + { + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "ns-name": nsBName, + }, + }, + }, + }, + Ports: []networkingv1.NetworkPolicyPort{{ + Port: &intstr.IntOrString{IntVal: allowedPort}, + }}, + }, + }, + }, + } + + policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{}) + framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err) + defer cleanupNetworkPolicy(f, policy) + + ginkgo.By("client-a should be able to communicate with server port 80 in namespace-b", func() { + testCanConnect(f, f.Namespace, "client-a", serviceB, allowedPort) + }) + + ginkgo.By("client-b should be able to communicate with server port 80 in namespace-a", func() { + testCanConnect(f, nsB, "client-b", service, allowedPort) + }) + + ginkgo.By("client-a should not be able to communicate with server port 81 in namespace-b", func() { + testCannotConnect(f, f.Namespace, "client-a", serviceB, notAllowedPort) + }) + + ginkgo.By("client-b should not be able to communicate with server port 81 in namespace-a", func() { + testCannotConnect(f, nsB, "client-b", service, notAllowedPort) + }) + + }) + ginkgo.It("should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() { var nsBserviceA, nsBserviceB *v1.Service var nsBpodServerA, nsBpodServerB *v1.Pod