From 4b0d0d6fc7d49c797c0a46844dc407caf8033480 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Tue, 1 Jun 2021 19:08:05 -0400 Subject: [PATCH 1/2] Fix spurious Feature tags on some NetworkPolicy tests The "[Feature:SCTP]" tag was needed on "should not allow access by TCP when a policy specifies only SCTP" back when SCTP was alpha, because it wasn't possible to create a policy that even mentioned SCTP without enabling the feature gate. This no longer applies, and the tag was removed from the original copy of network_policy.go, but accidentally got left behind in the netpol/ version. Likewise, the newly-added "should not allow access by TCP when a policy specifies only UDP" got tagged "[Feature:UDP]", but this was never necessary, and is inconsistent with other UDP tests anyway. Similarly, we need "[Feature:SCTPConnectivity]" on tests that make SCTP connections, because that functionality is not available in all clusters, but "[Feature:UDPConnectivity]" is unnecessary and inconsistent. --- test/e2e/network/netpol/network_legacy.go | 2 +- test/e2e/network/netpol/network_policy.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/e2e/network/netpol/network_legacy.go b/test/e2e/network/netpol/network_legacy.go index 0015b6ab5f1..b2d1c9f7200 100644 --- a/test/e2e/network/netpol/network_legacy.go +++ b/test/e2e/network/netpol/network_legacy.go @@ -1682,7 +1682,7 @@ var _ = common.SIGDescribe("NetworkPolicy [LinuxOnly]", func() { }) cleanupServerPodAndService(f, podA, serviceA) }) - ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy] [Feature:SCTP]", func() { + ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy]", func() { ginkgo.By("getting the state of the sctp module on nodes") nodes, err := e2enode.GetReadySchedulableNodes(f.ClientSet) framework.ExpectNoError(err) diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index 8d548362b76..4a042980947 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -1059,7 +1059,7 @@ var _ = common.SIGDescribe("Netpol", func() { ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: denyIngressToXReachability}) }) - ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy] [Feature:SCTP]", func() { + ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy]", func() { ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolSCTP}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) @@ -1074,7 +1074,7 @@ var _ = common.SIGDescribe("Netpol", func() { ValidateOrFail(k8s, model, &TestCase{ToPort: 81, Protocol: v1.ProtocolTCP, Reachability: reachability}) }) - ginkgo.It("should not allow access by TCP when a policy specifies only UDP [Feature:NetworkPolicy] [Feature:UDP]", func() { + ginkgo.It("should not allow access by TCP when a policy specifies only UDP [Feature:NetworkPolicy]", func() { ingressRule := networkingv1.NetworkPolicyIngressRule{} ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP}) policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) @@ -1091,7 +1091,7 @@ var _ = common.SIGDescribe("Netpol", func() { }) }) -var _ = common.SIGDescribe("Netpol [Feature:UDPConnectivity][LinuxOnly]", func() { +var _ = common.SIGDescribe("Netpol [LinuxOnly]", func() { f := framework.NewDefaultFramework("udp-network-policy") ginkgo.BeforeEach(func() { From 211e9747224e94594923bfee2498f357c6ac1f36 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Thu, 27 May 2021 10:11:44 -0400 Subject: [PATCH 2/2] Clarify and split up the "not actually SCTP" SCTP NetworkPolicy test These tests *do* apply to plugins that don't support SCTP. --- test/e2e/network/netpol/network_policy.go | 34 +++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index 4a042980947..d97f594a80e 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -1059,16 +1059,40 @@ var _ = common.SIGDescribe("Netpol", func() { ValidateOrFail(k8s, model, &TestCase{ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: denyIngressToXReachability}) }) - ginkgo.It("should not allow access by TCP when a policy specifies only SCTP [Feature:NetworkPolicy]", func() { - ingressRule := networkingv1.NetworkPolicyIngressRule{} - ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolSCTP}) - policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + // This test *does* apply to plugins that do not implement SCTP. It is a + // security hole if you fail this test, because you are allowing TCP + // traffic that is supposed to be blocked. + ginkgo.It("should not mistakenly treat 'protocol: SCTP' as 'protocol: TCP', even if the plugin doesn't support SCTP [Feature:NetworkPolicy]", func() { nsX, _, _, model, k8s := getK8SModel(f) + + ginkgo.By("Creating a default-deny ingress policy.") + policy := GenNetworkPolicyWithNameAndPodSelector("deny-ingress", metav1.LabelSelector{}, SetSpecIngressRules()) CreatePolicy(k8s, policy, nsX) ginkgo.By("Creating a network policy for the server which allows traffic only via SCTP on port 81.") + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolSCTP}) + policy = GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + CreatePolicy(k8s, policy, nsX) - // Probing with TCP, so all traffic should be dropped. + ginkgo.By("Trying to connect to TCP port 81, which should be blocked by the deny-ingress policy.") + reachability := NewReachability(model.AllPods(), true) + reachability.ExpectAllIngress(NewPodString(nsX, "a"), false) + ValidateOrFail(k8s, model, &TestCase{ToPort: 81, Protocol: v1.ProtocolTCP, Reachability: reachability}) + }) + + // This test *does* apply to plugins that do not implement SCTP. It is a + // security hole if you fail this test, because you are allowing TCP + // traffic that is supposed to be blocked. + ginkgo.It("should properly isolate pods that are selected by a policy allowing SCTP, even if the plugin doesn't support SCTP [Feature:NetworkPolicy]", func() { + ginkgo.By("Creating a network policy for the server which allows traffic only via SCTP on port 80.") + ingressRule := networkingv1.NetworkPolicyIngressRule{} + ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolSCTP}) + policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule)) + nsX, _, _, model, k8s := getK8SModel(f) + CreatePolicy(k8s, policy, nsX) + + ginkgo.By("Trying to connect to TCP port 81, which should be blocked by implicit isolation.") reachability := NewReachability(model.AllPods(), true) reachability.ExpectAllIngress(NewPodString(nsX, "a"), false) ValidateOrFail(k8s, model, &TestCase{ToPort: 81, Protocol: v1.ProtocolTCP, Reachability: reachability})