Deny ingress on other namespaces

Amim Knabben 2021-01-25 20:17:20 -05:00
parent c304418b54
commit 96a7b2a102
2 changed files with 34 additions and 0 deletions


@ -525,6 +525,19 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachabilityWithLabel})
})
ginkgo.It("should deny ingress from pods on other namespaces [Feature:NetworkPolicy]", func() {
nsX, nsY, nsZ, model, k8s := getK8SModel(f)
policy := GetDenyIngressEmptyPeerSelector("deny-empty-policy")
CreatePolicy(k8s, policy, nsX)
reachability := NewReachability(model.AllPods(), true)
reachability.ExpectPeer(&Peer{Namespace: nsY}, &Peer{Namespace: nsX}, false)
reachability.ExpectPeer(&Peer{Namespace: nsZ}, &Peer{Namespace: nsX}, false)
ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
})
ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() {
nsX, _, _, model, k8s := getK8SModel(f)
podXA, err := model.FindPod(nsX, "a")
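Review bot: The new ginkgo.It block asserts only the two denied cross-namespace paths and leaves the allowed half of the policy implicit, so a reader has to know that `NewReachability(model.AllPods(), true)` defaults every other pair to reachable. A one-line comment above the first ExpectPeer call would make the intent explicit: `// The policy's rule selects all pods in nsX and no other namespace, so only cross-namespace ingress into nsX is expected to be blocked; intra-namespace traffic and all traffic into nsY/nsZ keep the default of reachable.` The enclosing SIGDescribeCopy closure starts before this hunk.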


@ -40,6 +40,27 @@ func GetDenyIngress(name string) *networkingv1.NetworkPolicy {
}
}
// GetDenyIngressEmptyPeerSelector returns a default ingress deny policy using empty Peer selector.
func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{},
Ingress: []networkingv1.NetworkPolicyIngressRule{
{
From: []networkingv1.NetworkPolicyPeer{
{
PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}},
},
},
},
},
},
}
}
// GetDenyEgress returns a default deny egress policy.
func GetDenyEgress(name string) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{
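Review bot: The doc comment on GetDenyIngressEmptyPeerSelector calls the result "a default ingress deny policy", but the policy it builds is not a deny-all: its single From peer is a podSelector with no namespaceSelector, which in the NetworkPolicy API selects pods in the policy's own namespace, and an empty selector matches all of them. The effect is to allow ingress from every pod in the same namespace and deny ingress from other namespaces, which is what the new test in the other file checks. I would reword it as `// GetDenyIngressEmptyPeerSelector returns an ingress policy whose single rule has an empty podSelector and no namespaceSelector, so it allows ingress only from pods in the policy's own namespace and denies ingress from all other namespaces.` As a minor style point, `&metav1.LabelSelector{}` expresses the empty selector more directly than `MatchLabels: map[string]string{}`, and the sibling constructors in this file appear to use the shorter form; the hunk's trailing context shows GetDenyEgress continuing past the end of the hunk.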