github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 12:15:52 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #88393 from abhiraut/e2e-exc-multiple

Browse Source 
Add e2e test for stacked NetworkPolicies with overlapping CIDR
This commit is contained in:
Kubernetes Prow Robot 2020-04-13 13:37:48 -07:00 committed by GitHub
commit c894c7b121
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 124 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
test/e2e/network/network_policy.go
View File

@ -1371,6 +1371,130 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() {
}) })
}) })
ginkgo.It("should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed [Feature:NetworkPolicy]", func() {
protocolUDP := v1.ProtocolUDP
// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
podServerStatus, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), podServer.Name, metav1.GetOptions{})
if err != nil {
framework.ExpectNoError(err, "Error occurred while getting pod status.")
}
podServerAllowCIDR := fmt.Sprintf("%s/24", podServerStatus.Status.PodIP)
podServerIP := fmt.Sprintf("%s/32", podServerStatus.Status.PodIP)
// Exclude podServer's IP with an Except clause
podServerExceptList := []string{podServerIP}
// Create NetworkPolicy which blocks access to podServer with except clause.
policyAllowCIDRWithExceptServerPod := &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Namespace: f.Namespace.Name,
Name: "deny-client-a-via-except-cidr-egress-rule",
},
Spec: networkingv1.NetworkPolicySpec{
// Apply this policy to the client.
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{
"pod-name": "client-a",
},
},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
// Allow traffic to only one CIDR block except subnet which includes Server.
Egress: []networkingv1.NetworkPolicyEgressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
// Allow DNS look-ups
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
},
},
},
{
To: []networkingv1.NetworkPolicyPeer{
{
IPBlock: &networkingv1.IPBlock{
CIDR: podServerAllowCIDR,
Except: podServerExceptList,
},
},
},
},
},
},
}
policyAllowCIDRWithExceptServerPodObj, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowCIDRWithExceptServerPod, metav1.CreateOptions{})
framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowCIDRWithExceptServerPod.")
ginkgo.By("Creating client-a which should not be able to contact the server.", func() {
testCannotConnect(f, f.Namespace, "client-a", service, 80)
})
// Create NetworkPolicy which allows access to the podServer using podServer's IP in allow CIDR.
policyAllowCIDRServerPod := &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Namespace: f.Namespace.Name,
Name: "allow-client-a-via-cidr-egress-rule",
},
Spec: networkingv1.NetworkPolicySpec{
// Apply this policy to the client.
PodSelector: metav1.LabelSelector{
MatchLabels: map[string]string{
"pod-name": "client-a",
},
},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
// Allow traffic to only one CIDR block which includes Server.
Egress: []networkingv1.NetworkPolicyEgressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
// Allow DNS look-ups
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
},
},
},
{
To: []networkingv1.NetworkPolicyPeer{
{
IPBlock: &networkingv1.IPBlock{
CIDR: podServerIP,
},
},
},
},
},
},
}
policyAllowCIDRServerPod, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowCIDRServerPod, metav1.CreateOptions{})
framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowCIDRServerPod.")
defer cleanupNetworkPolicy(f, policyAllowCIDRServerPod)
ginkgo.By("Creating client-a which should now be able to contact the server.", func() {
testCanConnect(f, f.Namespace, "client-a", service, 80)
})
ginkgo.By("Deleting the network policy with except podServer IP which disallows access to podServer.")
cleanupNetworkPolicy(f, policyAllowCIDRWithExceptServerPodObj)
ginkgo.By("Creating client-a which should still be able to contact the server after deleting the network policy with except clause.", func() {
testCanConnect(f, f.Namespace, "client-a", service, 80)
})
// Recreate the NetworkPolicy which contains the podServer's IP in the except list.
policyAllowCIDRWithExceptServerPod, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowCIDRWithExceptServerPod, metav1.CreateOptions{})
framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowCIDRWithExceptServerPod.")
defer cleanupNetworkPolicy(f, policyAllowCIDRWithExceptServerPod)
ginkgo.By("Creating client-a which should still be able to contact the server after recreating the network policy with except clause.", func() {
testCanConnect(f, f.Namespace, "client-a", service, 80)
})
})
ginkgo.It("should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy]", func() { ginkgo.It("should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy]", func() {
var serviceA, serviceB *v1.Service var serviceA, serviceB *v1.Service
var podA, podB *v1.Pod var podA, podB *v1.Pod