github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

Default deny egress with pod label selector

Browse Source
This commit is contained in:
Amim Knabben 2021-01-05 15:31:09 -05:00
parent 1f64838041
commit fc46c0a75a
2 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
test/e2e/network/netpol/network_policy.go
View File

@ -586,6 +586,17 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
ValidateOrFail(k8s, model, &TestCase{FromPort: 81, ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachabilityIsolated}) ValidateOrFail(k8s, model, &TestCase{FromPort: 81, ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachabilityIsolated})
}) })
ginkgo.It("should deny egress from pods based on PodSelector [Feature:NetworkPolicy] ", func() {
nsX, _, _, model, k8s := getK8SModel(f)
policy := GetDenyEgressForTarget("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}})
CreatePolicy(k8s, policy, nsX)
reachability := NewReachability(model.AllPods(), true)
reachability.ExpectAllEgress(NewPodString(nsX, "a"), false)
ValidateOrFail(k8s, model, &TestCase{FromPort: 81, ToPort: 80, Protocol: v1.ProtocolTCP, Reachability: reachability})
})
ginkgo.It("should work with Ingress, Egress specified together [Feature:NetworkPolicy]", func() { ginkgo.It("should work with Ingress, Egress specified together [Feature:NetworkPolicy]", func() {
allowedPodLabels := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "b"}} allowedPodLabels := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "b"}}
policy := GetAllowIngressByPod("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, allowedPodLabels) policy := GetAllowIngressByPod("allow-client-a-via-pod-selector", map[string]string{"pod": "a"}, allowedPodLabels)

17
test/e2e/network/netpol/policies.go
View File

@ -26,7 +26,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
) )
// GetDenyIngress returns a default deny policy named 'name'. // GetDenyIngress returns a default deny ingress policy.
func GetDenyIngress(name string) *networkingv1.NetworkPolicy { func GetDenyIngress(name string) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{ return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
@ -34,11 +34,26 @@ func GetDenyIngress(name string) *networkingv1.NetworkPolicy {
}, },
Spec: networkingv1.NetworkPolicySpec{ Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{}, PodSelector: metav1.LabelSelector{},
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
Ingress: []networkingv1.NetworkPolicyIngressRule{}, Ingress: []networkingv1.NetworkPolicyIngressRule{},
}, },
} }
} }
// GetDenyEgressForTarget returns a default deny egress policy.
func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy {
return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: targetSelector,
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
Egress: []networkingv1.NetworkPolicyEgressRule{},
},
}
}
// GetRandomIngressPolicies returns "num" random policies that allow a unique:n label, i.e. // GetRandomIngressPolicies returns "num" random policies that allow a unique:n label, i.e.
// unique:1, unique:2, and so on. Used for creating a 'background' set of policies. // unique:1, unique:2, and so on. Used for creating a 'background' set of policies.
func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy { func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy {