Merge pull request #97638 from knabben/netpol-egress-func

Moving egress deny with DNS to a policy function
Kubernetes Prow Robot 2021-01-13 04:18:35 -08:00 committed by GitHub
commit f6e04cd3ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 33 deletions


@ -18,7 +18,6 @@ package netpol
import (
"context"
"encoding/json"
"fmt"
"time"
@ -159,39 +158,9 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
})
ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
np := &networkingv1.NetworkPolicy{}
policy := `
{
"kind": "NetworkPolicy",
"apiVersion": "networking.k8s.io/v1",
"metadata": {
"name": "deny-all-tcp-allow-dns"
},
"spec": {
"podSelector": {
"matchLabels": {}
},
"ingress": [],
"egress": [{
"ports": [
{
"protocol": "UDP",
"port": 53
}
]
}],
"policyTypes": [
"Ingress",
"Egress"
]
}
}
`
err := json.Unmarshal([]byte(policy), np)
framework.ExpectNoError(err, "unmarshal network policy")
policy := GetDenyAllWithEgressDNS()
nsX, _, _, model, k8s := getK8SModel(f)
CreatePolicy(k8s, np, nsX)
CreatePolicy(k8s, policy, nsX)
reachability := NewReachability(model.AllPods(), true)
reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)
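Review bot: The expectation after `CreatePolicy(k8s, policy, nsX)` only asserts that traffic into namespace nsX is blocked, so the UDP/53 egress exception that distinguishes GetDenyAllWithEgressDNS from a plain deny-all is never positively exercised here; the spec would pass unchanged with GetDenyAll. If DNS egress is meant to be part of what this spec verifies, add a positive check for it, otherwise record the gap next to the call, e.g. `// The UDP/53 egress allowance in this policy is not asserted by this spec.` The ginkgo.It body continues past the hunk, so a later assertion may already exist.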


@ -157,6 +157,31 @@ func GetDenyAll(name string) *networkingv1.NetworkPolicy {
return policy
}
// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port
func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy {
protocolUDP := v1.ProtocolUDP
return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "deny-all-tcp-allow-dns",
},
Spec: networkingv1.NetworkPolicySpec{
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
PodSelector: metav1.LabelSelector{},
Ingress: []networkingv1.NetworkPolicyIngressRule{},
Egress: []networkingv1.NetworkPolicyEgressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
},
},
},
},
},
}
}
// GetAllowIngressByPod allows ingress by pod labels
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
policy := &networkingv1.NetworkPolicy{
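Review bot: `GetDenyAllWithEgressDNS()` hard-codes the policy name `deny-all-tcp-allow-dns`, while the sibling `GetDenyAll(name string)` directly above takes the name from the caller; accepting `name string` and setting `Name: name` would keep the helpers consistent and let the caller in the first file's hunk pick its own name. The egress rule carries only Ports and no To peers, so it permits UDP/53 to any destination rather than only the cluster DNS service, and the hard-coded name says "tcp" although the policy blocks every protocol except UDP/53; the doc comment should state this precisely, e.g. `// GetDenyAllWithEgressDNS returns a policy that denies all ingress and egress traffic except UDP port 53 (DNS) to any destination.` The imports this function relies on (v1, intstr, metav1) sit outside the hunk, so I cannot confirm they are already present in this file.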