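// AdminNetworkPolicyEgressInlineCIDRPeers checks that an AdminNetworkPolicy can
// deny and allow egress from gryffindor/harry-potter-1 to individual pod IPs
// expressed as inline CIDR peers (the Networks field of an egress peer).
//
// The first subtest relies on the deny rule shipped in the manifest and expects
// TCP/80, UDP/53 and SCTP/9003 to ravenclaw/luna-lovegood-0 and
// hufflepuff/cedric-diggory-0 to be blocked. The second subtest prepends an
// Allow rule scoped to exactly those two pod IPs (host-sized /32 or /128 CIDRs)
// and expects the same probes to succeed. Because the deny rule is still
// present after the patch, this also exercises precedence: rules are evaluated
// in order and the Allow must win only because it is listed first.
//
// Both subtests share one context deadline (s.TimeoutConfig.GetTimeout) and
// share cluster state: the patched policy is not restored here, so anything
// that runs later against the same manifest sees the mutated spec unless the
// suite re-applies the manifests.
var AdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressInlineCIDRPeers",
	Description: "Tests support for egress traffic to CIDR peers using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportAdminNetworkPolicyEgressInlineCIDRPeers,
	},
	Manifests: []string{"base/admin_network_policy/extended-egress-selector-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		defer cancel()

		const clientNS, clientPod = "network-policy-conformance-gryffindor", "harry-potter-1"

		// probes lists the protocol/port pairs exercised against every server pod,
		// in the order the original test issued them.
		probes := []struct {
			proto string
			port  int32
		}{
			{"tcp", 80},
			{"udp", 53},
			{"sctp", 9003},
		}

		// getPod fetches a server pod and aborts the subtest if it cannot be read,
		// so an API error is never misreported as a policy-enforcement failure.
		getPod := func(t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// expectReachable runs every probe from the client pod to serverIP. The
		// final PokeServer argument is the expected reachability and the returned
		// bool reports whether the observation matched it, so passing false
		// asserts that the connection is really blocked.
		expectReachable := func(t *testing.T, serverIP string, reachable bool) {
			t.Helper()
			for _, p := range probes {
				success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod,
					p.proto, serverIP, p.port, s.TimeoutConfig.RequestTimeout, reachable)
				assert.True(t, success)
			}
		}

		// hostCIDR turns one pod IP into a host-sized CIDR, picking the prefix
		// length from that IP's own family. The previous code derived the mask
		// from the ravenclaw pod and reused it for the hufflepuff pod, which
		// would produce an invalid CIDR such as "<v6 addr>/32" if the two pods
		// ended up in different address families.
		hostCIDR := func(ip string) v1alpha1.CIDR {
			if net.IsIPv4String(ip) {
				return v1alpha1.CIDR(ip + "/32")
			}
			return v1alpha1.CIDR(ip + "/128")
		}

		t.Run("Should support a 'deny-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
			ravenclaw := getPod(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			expectReachable(t, ravenclaw.Status.PodIP, false)

			hufflepuff := getPod(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0")
			expectReachable(t, hufflepuff.Status.PodIP, false)
		})

		t.Run("Should support an 'allow-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
			ravenclaw := getPod(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			hufflepuff := getPod(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0")

			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "node-and-cidr-as-peers-example"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			// Prepend the Allow rule so it is evaluated before the manifest's deny
			// rule; appending it instead would leave the deny in effect.
			allowRule := v1alpha1.AdminNetworkPolicyEgressRule{
				Name:   "allow-egress-to-specific-podIPs",
				Action: "Allow",
				To: []v1alpha1.AdminNetworkPolicyEgressPeer{{
					Networks: []v1alpha1.CIDR{
						hostCIDR(ravenclaw.Status.PodIP),
						hostCIDR(hufflepuff.Status.PodIP),
					},
				}},
			}
			mutate := anp.DeepCopy()
			mutate.Spec.Egress = append([]v1alpha1.AdminNetworkPolicyEgressRule{allowRule}, mutate.Spec.Egress...)
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")

			expectReachable(t, ravenclaw.Status.PodIP, true)
			expectReachable(t, hufflepuff.Status.PodIP, true)
		})
	},
}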
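// AdminNetworkPolicyEgressNamedPort checks that an AdminNetworkPolicy egress
// rule can match a container's named port rather than a numeric one.
//
// The sixth egress rule (index 5) of the "egress-tcp" policy is rewritten to
// match the named port "web" and the policy is patched in place. The probes
// then expect gryffindor/harry-potter-0 to reach hufflepuff/cedric-diggory-1 on
// TCP/80 and gryffindor/harry-potter-1 to be blocked on TCP/8080; presumably
// "web" resolves to port 80 on that server pod in the manifest — confirm there.
//
// The patched policy is not restored by this test; the suite is assumed to
// re-apply the manifests for later tests that share core-egress-tcp-rules.yaml.
var AdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressNamedPort",
	Description: "Tests support for egress traffic on a named port using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportAdminNetworkPolicyNamedPorts,
	},
	Manifests: []string{"base/admin_network_policy/core-egress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()

			server := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-1",
			}, server)
			require.NoErrorf(t, err, "unable to fetch the server pod")

			anp := &v1alpha1.AdminNetworkPolicy{}
			err = s.Client.Get(ctx, client.ObjectKey{Name: "egress-tcp"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			// Index 5 is fixed by the manifest. Guard it so a manifest with fewer
			// rules fails this subtest with a readable message instead of an
			// index-out-of-range panic that aborts the entire test binary.
			const namedPortRuleIdx = 5
			mutate := anp.DeepCopy()
			require.Greaterf(t, len(mutate.Spec.Egress), namedPortRuleIdx,
				"policy %q has %d egress rules, need more than %d", anp.Name, len(mutate.Spec.Egress), namedPortRuleIdx)

			webPort := "web"
			mutate.Spec.Egress[namedPortRuleIdx].Ports = &[]v1alpha1.AdminNetworkPolicyPort{
				{NamedPort: &webPort},
			}
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")

			// The last PokeServer argument is the expected reachability; the
			// returned bool says whether the observation matched it.
			const clientNS = "network-policy-conformance-gryffindor"
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, "harry-potter-0",
				"tcp", server.Status.PodIP, int32(80), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)

			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, "harry-potter-1",
				"tcp", server.Status.PodIP, int32(8080), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
		})
	},
}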
// AdminNetworkPolicyEgressNodePeers checks Allow, Pass and Deny egress rules
// whose peer is a node, using forbidden-forrest/centaur-1 as the target
// (presumably a host-network pod so that its PodIP is a node address — confirm
// against the manifest) and gryffindor pods as clients.
//
// Expected reachability per probe: TCP/36363 from harry-potter-0 is allowed,
// UDP/34345 from harry-potter-1 is passed through (and therefore reachable in
// this setup), while TCP/36364, UDP/34346 and SCTP/9003 from harry-potter-1
// must all be denied. The final PokeServer argument is the expected result;
// its return value reports whether the observation matched.
var AdminNetworkPolicyEgressNodePeers = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressNodePeers",
	Description: "Tests support for egress traffic to node peers using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportAdminNetworkPolicyEgressNodePeers,
	},
	Manifests: []string{"base/admin_network_policy/extended-egress-selector-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		defer cancel()

		// The target is resolved once, up front, and shared by every subtest.
		target := &v1.Pod{}
		err := s.Client.Get(ctx, client.ObjectKey{
			Namespace: "network-policy-conformance-forbidden-forrest",
			Name:      "centaur-1",
		}, target)
		require.NoErrorf(t, err, "unable to fetch the server pod")

		const clientNS = "network-policy-conformance-gryffindor"

		// probe sends one connection attempt from a gryffindor client to the
		// target and asserts the observed reachability equals expectReachable.
		probe := func(t *testing.T, clientPod, proto string, port int32, expectReachable bool) {
			matched := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod,
				proto, target.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectReachable)
			assert.True(t, matched)
		}

		t.Run("Should support an 'allow-egress' rule policy for egress-node-peer", func(t *testing.T) {
			probe(t, "harry-potter-0", "tcp", 36363, true)
		})

		t.Run("Should support a 'pass-egress' rule policy for egress-node-peer", func(t *testing.T) {
			probe(t, "harry-potter-1", "udp", 34345, true)
		})

		t.Run("Should support a 'deny-egress' rule policy for egress-node-peer", func(t *testing.T) {
			probe(t, "harry-potter-1", "tcp", 36364, false)
			probe(t, "harry-potter-1", "udp", 34346, false)
			probe(t, "harry-potter-1", "sctp", 9003, false)
		})
	},
}
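// AdminNetworkPolicyEgressSCTP checks SCTP egress enforcement by the
// AdminNetworkPolicy named "egress-sctp". Clients in the ravenclaw namespace
// (luna-lovegood-0 probing port 9003, luna-lovegood-1 probing port 9005)
// connect to servers in other namespaces; each probe carries the reachability
// the policy is expected to produce.
//
// The "rule ordering" subtests swap egress rules of the live policy and expect
// the outcome to follow the new order: rules are evaluated in order, so a Deny
// moved ahead of an Allow must now block, and a Pass moved ahead of a Deny must
// stop the Deny from applying. A CNI that ignores ordering lets a later Allow
// override an earlier Deny — the bypass these subtests are meant to catch.
//
// Subtests mutate shared cluster state cumulatively and are order dependent:
// the "pass-egress" swap of rules 0 and 2 is applied on top of the earlier
// "deny-egress" swap of rules 0 and 1, and the final swap of rules 3 and 4 on
// top of both. Running one subtest alone with -run starts from a different
// rule order and may not meet the expectations below. The patched policy is
// not restored here; presumably the suite re-applies the manifests.
var AdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressSCTP",
	Description: "Tests support for egress traffic (SCTP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-egress-sctp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			clientNS   = "network-policy-conformance-ravenclaw"
			policyName = "egress-sctp"
		)

		// getPod loads a server pod and aborts the subtest if it cannot be read,
		// so an API error is never misreported as a policy-enforcement failure.
		getPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// poke sends one SCTP probe from a ravenclaw client to serverIP:port. The
		// last PokeServer argument is the expected reachability; the returned bool
		// reports whether the observation matched, so false asserts a real block.
		poke := func(t *testing.T, clientPod, serverIP string, port int32, expectReachable bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod,
				"sctp", serverIP, port, s.TimeoutConfig.RequestTimeout, expectReachable)
			assert.True(t, success)
		}

		// swapEgressRules exchanges egress rules i and j of the live policy and
		// patches the result. The bounds checks turn a manifest with too few rules
		// into a clean subtest failure instead of an index-out-of-range panic,
		// which would abort the whole test binary.
		swapEgressRules := func(ctx context.Context, t *testing.T, i, j int) {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: policyName}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			mutate := anp.DeepCopy()
			rules := mutate.Spec.Egress
			require.Lessf(t, i, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), i)
			require.Lessf(t, j, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), j)
			rules[i], rules[j] = rules[j], rules[i]

			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-hufflepuff", "cedric-diggory-1")
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			// Only the listed port is allowed; 9005 must stay blocked.
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			// Move the deny rule ahead of the allow rule: both probes must now fail.
			swapEgressRules(ctx, t, 0, 1)
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, false)
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, false)
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'pass-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			// Move the pass rule ahead of the deny that the previous subtest put
			// first; the deny must no longer apply and both probes must succeed.
			swapEgressRules(ctx, t, 0, 2)
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support a 'pass-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			swapEgressRules(ctx, t, 3, 4)
			poke(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			poke(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})
	},
}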
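// AdminNetworkPolicyEgressTCP checks TCP egress enforcement by the
// AdminNetworkPolicy named "egress-tcp". Clients in the gryffindor namespace
// (harry-potter-0 probing port 80, harry-potter-1 probing port 8080) connect to
// servers in other namespaces; each probe carries the reachability the policy
// is expected to produce.
//
// The "rule ordering" subtests swap egress rules of the live policy and expect
// the outcome to follow the new order: rules are evaluated in order, so a Deny
// moved ahead of an Allow must now block, and a Pass moved ahead of a Deny must
// stop the Deny from applying. A CNI that ignores ordering lets a later Allow
// override an earlier Deny — the bypass these subtests are meant to catch.
//
// Subtests mutate shared cluster state cumulatively and are order dependent:
// the "pass-egress" swap of rules 0 and 2 is applied on top of the earlier
// "deny-egress" swap of rules 0 and 1, and the final swap of rules 3 and 4 on
// top of both. Running one subtest alone with -run starts from a different
// rule order and may not meet the expectations below. The patched policy is
// not restored here; presumably the suite re-applies the manifests.
var AdminNetworkPolicyEgressTCP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressTCP",
	Description: "Tests support for egress traffic (TCP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-egress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			clientNS   = "network-policy-conformance-gryffindor"
			policyName = "egress-tcp"
		)

		// getPod loads a server pod and aborts the subtest if it cannot be read,
		// so an API error is never misreported as a policy-enforcement failure.
		getPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// poke sends one TCP probe from a gryffindor client to serverIP:port. The
		// last PokeServer argument is the expected reachability; the returned bool
		// reports whether the observation matched, so false asserts a real block.
		poke := func(t *testing.T, clientPod, serverIP string, port int32, expectReachable bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod,
				"tcp", serverIP, port, s.TimeoutConfig.RequestTimeout, expectReachable)
			assert.True(t, success)
		}

		// swapEgressRules exchanges egress rules i and j of the live policy and
		// patches the result. The bounds checks turn a manifest with too few rules
		// into a clean subtest failure instead of an index-out-of-range panic,
		// which would abort the whole test binary.
		swapEgressRules := func(ctx context.Context, t *testing.T, i, j int) {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: policyName}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			mutate := anp.DeepCopy()
			rules := mutate.Spec.Egress
			require.Lessf(t, i, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), i)
			require.Lessf(t, j, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), j)
			rules[i], rules[j] = rules[j], rules[i]

			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			poke(t, "harry-potter-0", server.Status.PodIP, 80, true)
			poke(t, "harry-potter-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-hufflepuff", "cedric-diggory-1")
			poke(t, "harry-potter-0", server.Status.PodIP, 8080, true)
			// Only the listed port is allowed; 80 must stay blocked.
			poke(t, "harry-potter-1", server.Status.PodIP, 80, false)
		})

		t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Move the deny rule ahead of the allow rule: both probes must now fail.
			swapEgressRules(ctx, t, 0, 1)
			poke(t, "harry-potter-0", server.Status.PodIP, 80, false)
			poke(t, "harry-potter-1", server.Status.PodIP, 8080, false)
		})

		t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			poke(t, "harry-potter-0", server.Status.PodIP, 80, false)
			poke(t, "harry-potter-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support an 'pass-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			// Move the pass rule ahead of the deny that the previous subtest put
			// first; the deny must no longer apply and both probes must succeed.
			swapEgressRules(ctx, t, 0, 2)
			poke(t, "harry-potter-0", server.Status.PodIP, 80, true)
			poke(t, "harry-potter-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support a 'pass-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			swapEgressRules(ctx, t, 3, 4)
			poke(t, "harry-potter-0", server.Status.PodIP, 80, true)
			poke(t, "harry-potter-1", server.Status.PodIP, 8080, true)
		})
	},
}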
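// AdminNetworkPolicyEgressUDP checks UDP egress enforcement by the
// AdminNetworkPolicy named "egress-udp". Clients in the hufflepuff namespace
// (cedric-diggory-0 and cedric-diggory-1, probing ports 53 and 5353) send to
// servers in other namespaces; each probe carries the reachability the policy
// is expected to produce.
//
// The "rule ordering" subtests swap egress rules of the live policy and expect
// the outcome to follow the new order: rules are evaluated in order, so a Deny
// moved ahead of an Allow must now block, and a Pass moved ahead of a Deny must
// stop the Deny from applying. A CNI that ignores ordering lets a later Allow
// override an earlier Deny — the bypass these subtests are meant to catch.
//
// Subtests mutate shared cluster state cumulatively and are order dependent:
// the "pass-egress" swap of rules 0 and 2 is applied on top of the earlier
// "deny-egress" swap of rules 0 and 1, and the final swap of rules 3 and 4 on
// top of both. Running one subtest alone with -run starts from a different
// rule order and may not meet the expectations below. The patched policy is
// not restored here; presumably the suite re-applies the manifests.
var AdminNetworkPolicyEgressUDP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyEgressUDP",
	Description: "Tests support for egress traffic (UDP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-egress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			clientNS   = "network-policy-conformance-hufflepuff"
			policyName = "egress-udp"
		)

		// getPod loads a server pod and aborts the subtest if it cannot be read,
		// so an API error is never misreported as a policy-enforcement failure.
		getPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// poke sends one UDP probe from a hufflepuff client to serverIP:port. The
		// last PokeServer argument is the expected reachability; the returned bool
		// reports whether the observation matched, so false asserts a real block.
		poke := func(t *testing.T, clientPod, serverIP string, port int32, expectReachable bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod,
				"udp", serverIP, port, s.TimeoutConfig.RequestTimeout, expectReachable)
			assert.True(t, success)
		}

		// swapEgressRules exchanges egress rules i and j of the live policy and
		// patches the result. The bounds checks turn a manifest with too few rules
		// into a clean subtest failure instead of an index-out-of-range panic,
		// which would abort the whole test binary.
		swapEgressRules := func(ctx context.Context, t *testing.T, i, j int) {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: policyName}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			mutate := anp.DeepCopy()
			rules := mutate.Spec.Egress
			require.Lessf(t, i, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), i)
			require.Lessf(t, j, len(rules), "policy %q has only %d egress rules, cannot swap index %d", policyName, len(rules), j)
			rules[i], rules[j] = rules[j], rules[i]

			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			poke(t, "cedric-diggory-0", server.Status.PodIP, 53, true)
			poke(t, "cedric-diggory-1", server.Status.PodIP, 5353, true)
		})

		t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			poke(t, "cedric-diggory-0", server.Status.PodIP, 53, true)
			// Only the listed port is allowed; 5353 must stay blocked.
			poke(t, "cedric-diggory-1", server.Status.PodIP, 5353, false)
		})

		t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Move the deny rule ahead of the allow rule: both probes must now fail.
			swapEgressRules(ctx, t, 0, 1)
			poke(t, "cedric-diggory-0", server.Status.PodIP, 53, false)
			poke(t, "cedric-diggory-1", server.Status.PodIP, 5353, false)
		})

		t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			poke(t, "cedric-diggory-0", server.Status.PodIP, 5353, false)
			poke(t, "cedric-diggory-1", server.Status.PodIP, 53, true)
		})

		t.Run("Should support an 'pass-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Move the pass rule ahead of the deny that the previous subtest put
			// first; the deny must no longer apply and both probes must succeed.
			swapEgressRules(ctx, t, 0, 2)
			poke(t, "cedric-diggory-0", server.Status.PodIP, 5353, true)
			poke(t, "cedric-diggory-1", server.Status.PodIP, 53, true)
		})

		t.Run("Should support a 'pass-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := getPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			swapEgressRules(ctx, t, 3, 4)
			poke(t, "cedric-diggory-0", server.Status.PodIP, 5353, true)
			poke(t, "cedric-diggory-1", server.Status.PodIP, 53, true)
		})
	},
}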
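// AdminNetworkPolicyGress exercises an AdminNetworkPolicy that carries both
// ingress and egress rules. Each subtest either probes connectivity under the
// manifest's initial rule order or first re-orders the rules of the
// "gress-rules" policy and then probes again, so the subtests are cumulative:
// later subtests index into the rule order left behind by earlier ones and
// must run in the order written here.
var AdminNetworkPolicyGress = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyGress",
	Description: "Tests support for combined ingress and egress traffic rules in the admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-gress-rules-combined.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads a pod and refuses to continue if it has no IP yet.
		// A poke at an empty address fails for reasons unrelated to policy,
		// which would let every "expect denied" assertion below pass
		// vacuously and certify a dataplane that never enforced anything.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			require.NotEmptyf(t, pod.Status.PodIP, "server pod %s/%s has no IP assigned", namespace, name)
			return pod
		}
		// poke sends traffic from clientNamespace/clientPod to serverIP:port over
		// protocol and asserts that the observed reachability equals shouldConnect.
		// Whether PokeServer keeps retrying until RequestTimeout (so that policy
		// propagation delay cannot skew the result) is decided inside the
		// kubernetes helper — confirm there before tightening timeouts.
		poke := func(t *testing.T, clientNamespace, clientPod, protocol, serverIP string, port int32, shouldConnect bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNamespace, clientPod, protocol, serverIP, port, s.TimeoutConfig.RequestTimeout, shouldConnect)
			assert.True(t, success)
		}
		// fetchANP reads the cluster-scoped AdminNetworkPolicy called name.
		fetchANP := func(ctx context.Context, t *testing.T, name string) *v1alpha1.AdminNetworkPolicy {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: name}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			return anp
		}
		// patchANP applies mutated as a merge patch computed against orig.
		patchANP := func(ctx context.Context, t *testing.T, orig, mutated *v1alpha1.AdminNetworkPolicy) {
			t.Helper()
			err := s.Client.Patch(ctx, mutated, client.MergeFrom(orig))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// gryffindor -> ravenclaw.
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server.Status.PodIP, 53, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, true)
			// ravenclaw -> gryffindor.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", server.Status.PodIP, 53, true)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", server.Status.PodIP, 9003, true)
		})

		t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// gryffindor -> hufflepuff: only the listed port per protocol is open.
			server := fetchPod(ctx, t, "network-policy-conformance-hufflepuff", "cedric-diggory-1")
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 8080, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server.Status.PodIP, 80, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server.Status.PodIP, 9005, false)
			// hufflepuff -> gryffindor.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", server.Status.PodIP, 8080, false)
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", server.Status.PodIP, 9003, true)
			poke(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Move the deny rule (index 1) ahead of the allow rule (index 0) in
			// both directions; rule order is priority order, first match wins.
			anp := fetchANP(ctx, t, "gress-rules")
			mutate := anp.DeepCopy()
			mutate.Spec.Egress[0], mutate.Spec.Egress[1] = mutate.Spec.Egress[1], mutate.Spec.Egress[0]
			mutate.Spec.Ingress[0], mutate.Spec.Ingress[1] = mutate.Spec.Ingress[1], mutate.Spec.Ingress[0]
			patchANP(ctx, t, anp, mutate)
			// gryffindor -> ravenclaw: now denied.
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 80, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, false)
			// ravenclaw -> gryffindor: now denied.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server.Status.PodIP, 80, false)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", server.Status.PodIP, 9003, false)
		})

		t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// gryffindor -> slytherin: the denied port is closed, the other stays open.
			server := fetchPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 80, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server.Status.PodIP, 8080, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, false)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server.Status.PodIP, 9005, true)
			// slytherin -> gryffindor.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", server.Status.PodIP, 80, false)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", server.Status.PodIP, 53, false)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", server.Status.PodIP, 9003, false)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'pass-gress' policy across different protocols", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			// Indices assume the order left by the 'deny-gress' subtest above
			// (deny rule now at index 0): swap it with the pass rule at index 2
			// so that pass takes priority.
			anp := fetchANP(ctx, t, "gress-rules")
			mutate := anp.DeepCopy()
			mutate.Spec.Egress[0], mutate.Spec.Egress[2] = mutate.Spec.Egress[2], mutate.Spec.Egress[0]
			mutate.Spec.Ingress[0], mutate.Spec.Ingress[2] = mutate.Spec.Ingress[2], mutate.Spec.Ingress[0]
			patchANP(ctx, t, anp, mutate)
			// gryffindor -> ravenclaw.
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, true)
			// ravenclaw -> gryffindor.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", server.Status.PodIP, 53, true)
			poke(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", server.Status.PodIP, 9003, true)
		})

		t.Run("Should support a 'pass-gress' policy across different protocols at the specified ports", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			// Swap the port-scoped deny rule (index 3) with the port-scoped pass
			// rule (index 4) in both directions.
			anp := fetchANP(ctx, t, "gress-rules")
			mutate := anp.DeepCopy()
			mutate.Spec.Egress[3], mutate.Spec.Egress[4] = mutate.Spec.Egress[4], mutate.Spec.Egress[3]
			mutate.Spec.Ingress[3], mutate.Spec.Ingress[4] = mutate.Spec.Ingress[4], mutate.Spec.Ingress[3]
			patchANP(ctx, t, anp, mutate)
			// gryffindor -> slytherin: every port reachable again.
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server.Status.PodIP, 8080, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server.Status.PodIP, 53, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server.Status.PodIP, 9003, true)
			poke(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server.Status.PodIP, 9005, true)
			// slytherin -> gryffindor.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", server.Status.PodIP, 80, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", server.Status.PodIP, 53, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", server.Status.PodIP, 5353, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", server.Status.PodIP, 9003, true)
			poke(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", server.Status.PodIP, 9005, true)
		})
	},
}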
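// AdminNetworkPolicyIngressNamedPort checks that an ingress rule expressed
// with a named port ("dns") is resolved by the implementation to the server
// pod's actual port: traffic to the port the name maps to must be allowed
// while traffic to a different UDP port on the same pod is not.
var AdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyIngressNamedPort",
	Description: "Tests support for ingress traffic on a named port using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportAdminNetworkPolicyNamedPorts,
	},
	Manifests: []string{"base/admin_network_policy/core-ingress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()

			serverPod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-1",
			}, serverPod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			// A pod without an IP cannot be poked; without this guard the
			// "expect denied" probe below would pass for the wrong reason.
			require.NotEmptyf(t, serverPod.Status.PodIP, "server pod %s/%s has no IP assigned", serverPod.Namespace, serverPod.Name)

			anp := &v1alpha1.AdminNetworkPolicy{}
			err = s.Client.Get(ctx, client.ObjectKey{Name: "ingress-udp"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")

			// Replace the port list of rule 5 with a single named port. The rule
			// is copied out of a deep copy so the original object used as the
			// patch base stays untouched.
			mutate := anp.DeepCopy()
			dnsPortRule := mutate.DeepCopy().Spec.Ingress[5]
			dnsPort := "dns"
			dnsPortRule.Ports = &[]v1alpha1.AdminNetworkPolicyPort{
				{NamedPort: &dnsPort},
			}
			mutate.Spec.Ingress[5] = dnsPortRule
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")

			// Port 53 is what "dns" is expected to resolve to; 5353 is not
			// covered by the named port and must stay closed.
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig,
				"network-policy-conformance-gryffindor", "harry-potter-0", "udp",
				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)
			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig,
				"network-policy-conformance-gryffindor", "harry-potter-1", "udp",
				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
		})
	},
}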
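// AdminNetworkPolicyIngressSCTP exercises SCTP ingress rules of the
// "ingress-sctp" AdminNetworkPolicy. Subtests that re-order rules patch the
// live object and do not restore it, so later subtests index into the order
// left behind by earlier ones; they must run in the order written here.
var AdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyIngressSCTP",
	Description: "Tests support for ingress traffic (SCTP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-ingress-sctp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads a pod and insists on a non-empty PodIP: probing an
		// empty address fails regardless of policy and would make every
		// "expect denied" assertion pass vacuously.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			require.NotEmptyf(t, pod.Status.PodIP, "server pod %s/%s has no IP assigned", namespace, name)
			return pod
		}
		// pokeSCTP sends SCTP traffic from clientNamespace/clientPod to
		// serverIP:port and asserts reachability equals shouldConnect.
		pokeSCTP := func(t *testing.T, clientNamespace, clientPod, serverIP string, port int32, shouldConnect bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNamespace, clientPod, "sctp", serverIP, port, s.TimeoutConfig.RequestTimeout, shouldConnect)
			assert.True(t, success)
		}
		// swapIngressRules re-orders rules i and j of the "ingress-sctp" policy
		// with a merge patch; rule order is priority order, first match wins.
		swapIngressRules := func(ctx context.Context, t *testing.T, i, j int) {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "ingress-sctp"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			mutate := anp.DeepCopy()
			mutate.Spec.Ingress[i], mutate.Spec.Ingress[j] = mutate.Spec.Ingress[j], mutate.Spec.Ingress[i]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-0", server.Status.PodIP, 9003, true)
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			pokeSCTP(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", server.Status.PodIP, 9003, true)
			pokeSCTP(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Move the deny rule (index 1) ahead of the allow rule (index 0).
			swapIngressRules(ctx, t, 0, 1)
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-0", server.Status.PodIP, 9003, false)
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			pokeSCTP(t, "network-policy-conformance-slytherin", "draco-malfoy-0", server.Status.PodIP, 9003, false)
			pokeSCTP(t, "network-policy-conformance-slytherin", "draco-malfoy-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'pass-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			// Assumes the order left by the 'deny-ingress' subtest above (deny
			// rule now at index 0); swap it with the pass rule at index 2.
			swapIngressRules(ctx, t, 0, 2)
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-0", server.Status.PodIP, 9003, true)
			pokeSCTP(t, "network-policy-conformance-gryffindor", "harry-potter-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support a 'pass-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			// Swap the port-scoped deny rule (index 3) with the port-scoped pass rule (index 4).
			swapIngressRules(ctx, t, 3, 4)
			pokeSCTP(t, "network-policy-conformance-slytherin", "draco-malfoy-0", server.Status.PodIP, 9003, true)
			pokeSCTP(t, "network-policy-conformance-slytherin", "draco-malfoy-1", server.Status.PodIP, 9005, true)
		})
	},
}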
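// AdminNetworkPolicyIngressTCP exercises TCP ingress rules of the
// "ingress-tcp" AdminNetworkPolicy. Subtests that re-order rules patch the
// live object and do not restore it, so later subtests index into the order
// left behind by earlier ones; they must run in the order written here.
var AdminNetworkPolicyIngressTCP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyIngressTCP",
	Description: "Tests support for ingress traffic (TCP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-ingress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads a pod and insists on a non-empty PodIP: probing an
		// empty address fails regardless of policy and would make every
		// "expect denied" assertion pass vacuously.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			require.NotEmptyf(t, pod.Status.PodIP, "server pod %s/%s has no IP assigned", namespace, name)
			return pod
		}
		// pokeTCP sends TCP traffic from clientNamespace/clientPod to
		// serverIP:port and asserts reachability equals shouldConnect.
		pokeTCP := func(t *testing.T, clientNamespace, clientPod, serverIP string, port int32, shouldConnect bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNamespace, clientPod, "tcp", serverIP, port, s.TimeoutConfig.RequestTimeout, shouldConnect)
			assert.True(t, success)
		}
		// swapIngressRules re-orders rules i and j of the "ingress-tcp" policy
		// with a merge patch; rule order is priority order, first match wins.
		swapIngressRules := func(ctx context.Context, t *testing.T, i, j int) {
			t.Helper()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "ingress-tcp"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			mutate := anp.DeepCopy()
			mutate.Spec.Ingress[i], mutate.Spec.Ingress[j] = mutate.Spec.Ingress[j], mutate.Spec.Ingress[i]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", server.Status.PodIP, 80, true)
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			pokeTCP(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", server.Status.PodIP, 80, true)
			pokeTCP(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", server.Status.PodIP, 8080, false)
		})

		t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			// Move the deny rule (index 1) ahead of the allow rule (index 0).
			swapIngressRules(ctx, t, 0, 1)
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", server.Status.PodIP, 80, false)
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", server.Status.PodIP, 8080, false)
		})

		t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			pokeTCP(t, "network-policy-conformance-slytherin", "draco-malfoy-0", server.Status.PodIP, 80, false)
			pokeTCP(t, "network-policy-conformance-slytherin", "draco-malfoy-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support an 'pass-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			// Assumes the order left by the 'deny-ingress' subtest above (deny
			// rule now at index 0); swap it with the pass rule at index 2.
			swapIngressRules(ctx, t, 0, 2)
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", server.Status.PodIP, 80, true)
			pokeTCP(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support a 'pass-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			// Swap the port-scoped deny rule (index 3) with the port-scoped pass rule (index 4).
			swapIngressRules(ctx, t, 3, 4)
			pokeTCP(t, "network-policy-conformance-slytherin", "draco-malfoy-0", server.Status.PodIP, 80, true)
			pokeTCP(t, "network-policy-conformance-slytherin", "draco-malfoy-1", server.Status.PodIP, 8080, true)
		})
	},
}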
// AdminNetworkPolicyIngressUDP verifies AdminNetworkPolicy ingress rules for
// UDP traffic. Each subtest pokes a server pod in the hufflepuff namespace
// from client pods in other namespaces and asserts that every probe is
// reachable or blocked as expected. Three subtests first swap two rules of
// the "ingress-udp" policy and patch it, so the verdict they observe depends
// on rule ordering (first match wins).
//
// NOTE(review): the rule swaps are applied to the shared "ingress-udp" policy
// and are never reverted, so later subtests see the cumulative state; the
// subtests are meant to run in the listed order rather than in isolation.
var AdminNetworkPolicyIngressUDP = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyIngressUDP",
	Description: "Tests support for ingress traffic (UDP protocol) using admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-ingress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsHufflepuff = "network-policy-conformance-hufflepuff"
			nsRavenclaw  = "network-policy-conformance-ravenclaw"
			nsSlytherin  = "network-policy-conformance-slytherin"
		)

		// subtestCtx derives the bounded context each subtest uses for API calls.
		subtestCtx := func() (context.Context, context.CancelFunc) {
			return context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		}

		// fetchPod reads the named pod and aborts the subtest if the read fails.
		fetchPod := func(ctx context.Context, t *testing.T, ns, name string) *v1.Pod {
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// swapIngressRules exchanges rules i and j of the "ingress-udp" policy
		// and patches the reordered spec into the cluster.
		swapIngressRules := func(ctx context.Context, t *testing.T, i, j int) {
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "ingress-udp"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			mutate := anp.DeepCopy()
			mutate.Spec.Ingress[i], mutate.Spec.Ingress[j] = mutate.Spec.Ingress[j], mutate.Spec.Ingress[i]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		// probe pokes serverIP:port over proto from the given client pod and
		// asserts that the observed outcome equals reachable.
		probe := func(t *testing.T, clientNS, clientName, proto, serverIP string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientName, proto, serverIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-0")
			probe(t, nsRavenclaw, "luna-lovegood-0", "udp", server.Status.PodIP, 53, true)
			probe(t, nsRavenclaw, "luna-lovegood-1", "udp", server.Status.PodIP, 5353, true)
		})

		t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-1")
			probe(t, nsGryffindor, "harry-potter-0", "udp", server.Status.PodIP, 53, true)
			probe(t, nsGryffindor, "harry-potter-1", "udp", server.Status.PodIP, 5353, false)
		})

		t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-1")
			// Move the deny rule ahead of the allow rule; the probes below must
			// now be blocked.
			swapIngressRules(ctx, t, 0, 1)
			probe(t, nsRavenclaw, "luna-lovegood-0", "udp", server.Status.PodIP, 53, false)
			probe(t, nsRavenclaw, "luna-lovegood-1", "udp", server.Status.PodIP, 5353, false)
		})

		t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "udp", server.Status.PodIP, 5353, false)
			probe(t, nsSlytherin, "draco-malfoy-1", "udp", server.Status.PodIP, 53, true)
		})

		t.Run("Should support an 'pass-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-1")
			// Rule 2 moves to the front (rule 0 goes to index 2).
			swapIngressRules(ctx, t, 0, 2)
			probe(t, nsRavenclaw, "luna-lovegood-0", "udp", server.Status.PodIP, 5353, true)
			probe(t, nsRavenclaw, "luna-lovegood-1", "udp", server.Status.PodIP, 53, true)
		})

		t.Run("Should support a 'pass-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-0")
			swapIngressRules(ctx, t, 3, 4)
			probe(t, nsSlytherin, "draco-malfoy-0", "udp", server.Status.PodIP, 5353, true)
			probe(t, nsSlytherin, "draco-malfoy-1", "udp", server.Status.PodIP, 53, true)
		})
	},
}
// AdminNetworkPolicyIntegration verifies how the Pass action of an
// AdminNetworkPolicy interacts with NetworkPolicy and
// BaselineAdminNetworkPolicy. The first two subtests confirm that ANP denies
// TCP traffic between slytherin and gryffindor in both directions. The next
// two switch the first ingress (resp. egress) rule of the "pass-example"
// policy to Pass and expect the traffic to be allowed. The last two delete
// the gryffindor NetworkPolicy and expect the same traffic to be blocked
// again.
//
// NOTE(review): the final subtest performs no mutation of its own, so it
// appears to rely on the NetworkPolicy deletion done by the subtest before
// it; the subtests are order-dependent and are not safe to run individually.
var AdminNetworkPolicyIntegration = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyIntegration",
	Description: "Tests integration support for gress traffic between ANP, NP and BANP using PASS action based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/api_integration/core-anp-np-banp.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsSlytherin  = "network-policy-conformance-slytherin"
		)

		// subtestCtx derives the bounded context each subtest uses for API calls.
		subtestCtx := func() (context.Context, context.CancelFunc) {
			return context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		}

		// fetchPod reads the named pod and aborts the subtest if the read fails.
		fetchPod := func(ctx context.Context, t *testing.T, ns, name string) *v1.Pod {
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// patchPassExample fetches the "pass-example" policy, applies edit to
		// a deep copy and merge-patches the result back into the cluster.
		patchPassExample := func(ctx context.Context, t *testing.T, edit func(*v1alpha1.AdminNetworkPolicy)) {
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "pass-example"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			mutate := anp.DeepCopy()
			edit(mutate)
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")
		}

		// probe pokes serverIP:port over proto from the given client pod and
		// asserts that the observed outcome equals reachable.
		probe := func(t *testing.T, clientNS, clientName, proto, serverIP string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientName, proto, serverIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should Deny traffic from slytherin to gryffindor respecting ANP", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsSlytherin, "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, false)
		})

		t.Run("Should Deny traffic to slytherin from gryffindor respecting ANP", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probe(t, nsGryffindor, "harry-potter-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsGryffindor, "harry-potter-1", "tcp", server.Status.PodIP, 8080, false)
		})

		t.Run("Should support a 'pass-ingress' policy for ANP and respect the match for network policy", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			patchPassExample(ctx, t, func(anp *v1alpha1.AdminNetworkPolicy) {
				anp.Spec.Ingress[0].Action = v1alpha1.AdminNetworkPolicyRuleActionPass
			})
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "tcp", server.Status.PodIP, 80, true)
			probe(t, nsSlytherin, "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support a 'pass-egress' policy for ANP and respect the match for network policy", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			patchPassExample(ctx, t, func(anp *v1alpha1.AdminNetworkPolicy) {
				anp.Spec.Egress[0].Action = v1alpha1.AdminNetworkPolicyRuleActionPass
			})
			server := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probe(t, nsGryffindor, "harry-potter-0", "tcp", server.Status.PodIP, 80, true)
			probe(t, nsGryffindor, "harry-potter-1", "tcp", server.Status.PodIP, 8080, true)
		})

		t.Run("Should support a 'pass-ingress' policy for ANP and respect the match for baseline admin network policy", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			// Remove the NetworkPolicy that allowed this traffic; per the subtest
			// name, the passed traffic is then expected to be decided by the
			// baseline policy, and the probes below must be blocked.
			np := &networkingv1.NetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: nsGryffindor, Name: "allow-gress-from-to-slytherin-to-gryffindor"}, np)
			require.NoErrorf(t, err, "unable to fetch the network policy")
			err = s.Client.Delete(ctx, np)
			require.NoErrorf(t, err, "unable to delete the network policy")
			// This pod is the probe target (its IP is what the clients poke).
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsSlytherin, "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, false)
		})

		t.Run("Should support a 'pass-egress' policy for ANP and respect the match for baseline admin network policy", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probe(t, nsGryffindor, "harry-potter-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsGryffindor, "harry-potter-1", "tcp", server.Status.PodIP, 8080, false)
		})
	},
}
// AdminNetworkPolicyPriorityField verifies that the .spec.priority field of an
// AdminNetworkPolicy is honoured. The first two subtests confirm that TCP
// traffic between slytherin and gryffindor is denied in both directions. The
// third lowers the priority value of the
// "old-priority-60-new-priority-40-example" policy to 40 and expects the same
// traffic, in both directions, to be allowed afterwards.
//
// NOTE(review): the priority patch is not reverted at the end of the test.
var AdminNetworkPolicyPriorityField = suite.ConformanceTest{
	ShortName:   "AdminNetworkPolicyPriorityField",
	Description: "Tests support for admin network policy API's .spec.priority field based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/admin_network_policy/core-priority-field.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsSlytherin  = "network-policy-conformance-slytherin"
		)

		// subtestCtx derives the bounded context each subtest uses for API calls.
		subtestCtx := func() (context.Context, context.CancelFunc) {
			return context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		}

		// fetchPod reads the named pod and aborts the subtest if the read fails.
		fetchPod := func(ctx context.Context, t *testing.T, ns, name string) *v1.Pod {
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// probe pokes serverIP:port over proto from the given client pod and
		// asserts that the observed outcome equals reachable.
		probe := func(t *testing.T, clientNS, clientName, proto, serverIP string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientName, proto, serverIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should Deny traffic from slytherin to gryffindor respecting ANP", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsSlytherin, "draco-malfoy-1", "tcp", server.Status.PodIP, 8080, false)
		})

		t.Run("Should Deny traffic to slytherin from gryffindor respecting ANP", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probe(t, nsGryffindor, "harry-potter-0", "tcp", server.Status.PodIP, 80, false)
			probe(t, nsGryffindor, "harry-potter-1", "tcp", server.Status.PodIP, 8080, false)
		})

		t.Run("Should respect ANP priority field; thus passing both ingress and egress traffic over to BANP", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			anp := &v1alpha1.AdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "old-priority-60-new-priority-40-example"}, anp)
			require.NoErrorf(t, err, "unable to fetch the admin network policy")
			mutate := anp.DeepCopy()
			// The policy name documents the intended transition: 60 -> 40.
			mutate.Spec.Priority = 40
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(anp))
			require.NoErrorf(t, err, "unable to patch the admin network policy")

			// slytherin -> gryffindor.
			gryffindorServer := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probe(t, nsSlytherin, "draco-malfoy-0", "tcp", gryffindorServer.Status.PodIP, 80, true)
			probe(t, nsSlytherin, "draco-malfoy-1", "tcp", gryffindorServer.Status.PodIP, 8080, true)

			// gryffindor -> slytherin.
			slytherinServer := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probe(t, nsGryffindor, "harry-potter-0", "tcp", slytherinServer.Status.PodIP, 80, true)
			probe(t, nsGryffindor, "harry-potter-1", "tcp", slytherinServer.Status.PodIP, 8080, true)
		})
	},
}
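// BaselineAdminNetworkPolicyEgressInlineCIDRPeers verifies
// BaselineAdminNetworkPolicy egress rules whose peers are inline CIDRs. The
// first subtest expects a gryffindor client to be blocked from server pods in
// ravenclaw and hufflepuff over TCP, UDP and SCTP. The second prepends an
// Allow rule to the "default" baseline policy whose peers are the two server
// pod IPs expressed as host-length CIDRs, and expects the same probes to
// succeed.
//
// Each subtest derives its own bounded context, so time spent probing in the
// first subtest cannot exhaust the API-call budget of the second one. The
// prefix length of each CIDR peer is chosen from that pod's own IP family
// rather than from a single pod, so the rule is well-formed even when the two
// server pods carry addresses of different families.
//
// NOTE(review): the patched "default" policy is not restored afterwards.
var BaselineAdminNetworkPolicyEgressInlineCIDRPeers = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressInlineCIDRPeers",
	Description: "Tests support for egress traffic to CIDR peers using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicyEgressInlineCIDRPeers,
	},
	Manifests: []string{"base/baseline_admin_network_policy/extended-egress-selector-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsHufflepuff = "network-policy-conformance-hufflepuff"
			nsRavenclaw  = "network-policy-conformance-ravenclaw"
			clientPod    = "harry-potter-1"
		)

		// subtestCtx derives the bounded context each subtest uses for API calls.
		subtestCtx := func() (context.Context, context.CancelFunc) {
			return context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		}

		// fetchPod reads the named pod and aborts the subtest if the read fails.
		fetchPod := func(ctx context.Context, t *testing.T, ns, name string) *v1.Pod {
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// hostCIDR turns a pod IP into the single-address CIDR a policy peer
		// expects, picking the prefix length from the address's own family.
		hostCIDR := func(ip string) v1alpha1.CIDR {
			if net.IsIPv4String(ip) {
				return v1alpha1.CIDR(ip + "/32")
			}
			return v1alpha1.CIDR(ip + "/128")
		}

		// probeAll pokes serverIP from the gryffindor client over TCP/80,
		// UDP/53 and SCTP/9003 and asserts each outcome equals reachable.
		probeAll := func(t *testing.T, serverIP string, reachable bool) {
			for _, p := range []struct {
				proto string
				port  int32
			}{
				{"tcp", 80},
				{"udp", 53},
				{"sctp", 9003},
			} {
				ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, nsGryffindor, clientPod, p.proto, serverIP, p.port, s.TimeoutConfig.RequestTimeout, reachable)
				assert.True(t, ok)
			}
		}

		t.Run("Should support a 'deny-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			ravenclaw := fetchPod(ctx, t, nsRavenclaw, "luna-lovegood-0")
			probeAll(t, ravenclaw.Status.PodIP, false)
			hufflepuff := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-0")
			probeAll(t, hufflepuff.Status.PodIP, false)
		})

		t.Run("Should support an 'allow-egress' rule policy for egress-cidr-peer", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			ravenclaw := fetchPod(ctx, t, nsRavenclaw, "luna-lovegood-0")
			hufflepuff := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-0")

			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Prepend so the new Allow rule is evaluated before the existing
			// rules of the policy.
			allowRule := v1alpha1.BaselineAdminNetworkPolicyEgressRule{
				Name:   "allow-egress-to-specific-podIPs",
				Action: "Allow",
				To: []v1alpha1.AdminNetworkPolicyEgressPeer{
					{
						Networks: []v1alpha1.CIDR{
							hostCIDR(ravenclaw.Status.PodIP),
							hostCIDR(hufflepuff.Status.PodIP),
						},
					},
				},
			}
			mutate.Spec.Egress = append([]v1alpha1.BaselineAdminNetworkPolicyEgressRule{allowRule}, mutate.Spec.Egress...)
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")

			probeAll(t, ravenclaw.Status.PodIP, true)
			probeAll(t, hufflepuff.Status.PodIP, true)
		})
	},
}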
// BaselineAdminNetworkPolicyEgressNamedPort verifies that a
// BaselineAdminNetworkPolicy egress rule can match on a named port. The
// single subtest restricts egress rule index 3 of the "default" baseline
// policy to the named port "dns" and then expects UDP/53 from
// cedric-diggory-0 to the gryffindor server to succeed while UDP/5353 from
// cedric-diggory-1 is blocked.
//
// NOTE(review): which container port carries the name "dns" is defined by
// the manifest, not visible here — confirm against
// base/baseline_admin_network_policy/core-egress-udp-rules.yaml.
var BaselineAdminNetworkPolicyEgressNamedPort = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressNamedPort",
	Description: "Tests support for egress traffic on a named port using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicyNamedPorts,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-egress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsHufflepuff = "network-policy-conformance-hufflepuff"
		)

		// probe pokes serverIP:port over UDP from the given hufflepuff client
		// pod and asserts that the observed outcome equals reachable.
		probe := func(t *testing.T, clientName, serverIP string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, nsHufflepuff, clientName, "udp", serverIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should support an 'allow-egress' policy for named port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()

			server := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: nsGryffindor, Name: "harry-potter-1"}, server)
			require.NoErrorf(t, err, "unable to fetch the server pod")

			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err = s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Narrow the fourth egress rule to the "dns" named port only.
			dnsPort := "dns"
			mutate.Spec.Egress[3].Ports = &[]v1alpha1.AdminNetworkPolicyPort{{NamedPort: &dnsPort}}
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")

			probe(t, "cedric-diggory-0", server.Status.PodIP, 53, true)
			probe(t, "cedric-diggory-1", server.Status.PodIP, 5353, false)
		})
	},
}
// BaselineAdminNetworkPolicyEgressNodePeers verifies BaselineAdminNetworkPolicy
// egress rules whose peers are nodes. The probe target is the "centaur-1" pod
// in the forbidden-forrest namespace; it is fetched once under the parent
// test and shared by both subtests. The first subtest expects TCP/36363 and
// TCP/36364 from gryffindor clients to succeed; the second expects UDP/34346
// and SCTP/9003 from harry-potter-1 to be blocked.
//
// NOTE(review): centaur-1's pod IP is what gets poked, so the node-peer
// semantics being tested presumably rely on how the manifest schedules that
// pod — confirm against the manifest.
var BaselineAdminNetworkPolicyEgressNodePeers = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressNodePeers",
	Description: "Tests support for egress traffic to node peers using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicyEgressNodePeers,
	},
	Manifests: []string{"base/baseline_admin_network_policy/extended-egress-selector-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const nsGryffindor = "network-policy-conformance-gryffindor"

		ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		defer cancel()

		// Single shared target for both subtests; a failed read aborts the
		// whole test rather than one subtest.
		server := &v1.Pod{}
		key := client.ObjectKey{Namespace: "network-policy-conformance-forbidden-forrest", Name: "centaur-1"}
		require.NoErrorf(t, s.Client.Get(ctx, key, server), "unable to fetch the server pod")

		// probe pokes the shared server from the given gryffindor client pod
		// and asserts that the observed outcome equals reachable.
		probe := func(t *testing.T, clientName, proto string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, nsGryffindor, clientName, proto, server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should support an 'allow-egress' rule policy for egress-node-peer", func(t *testing.T) {
			probe(t, "harry-potter-0", "tcp", 36363, true)
			probe(t, "harry-potter-1", "tcp", 36364, true)
		})

		t.Run("Should support a 'deny-egress' rule policy for egress-node-peer", func(t *testing.T) {
			probe(t, "harry-potter-1", "udp", 34346, false)
			probe(t, "harry-potter-1", "sctp", 9003, false)
		})
	},
}
// BaselineAdminNetworkPolicyEgressSCTP verifies BaselineAdminNetworkPolicy
// egress rules for SCTP traffic. Ravenclaw client pods poke server pods in
// other namespaces on SCTP ports 9003 and 9005 and each probe is asserted to
// succeed or fail as expected. The third subtest first swaps the first two
// egress rules of the "default" baseline policy and patches it, so the
// verdict it observes depends on rule ordering.
//
// NOTE(review): the rule swap is not reverted, so the fourth subtest runs
// against the reordered policy; the subtests are order-dependent.
var BaselineAdminNetworkPolicyEgressSCTP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressSCTP",
	Description: "Tests support for egress traffic (SCTP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-egress-sctp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		const (
			nsGryffindor = "network-policy-conformance-gryffindor"
			nsHufflepuff = "network-policy-conformance-hufflepuff"
			nsRavenclaw  = "network-policy-conformance-ravenclaw"
			nsSlytherin  = "network-policy-conformance-slytherin"
		)

		// subtestCtx derives the bounded context each subtest uses for API calls.
		subtestCtx := func() (context.Context, context.CancelFunc) {
			return context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
		}

		// fetchPod reads the named pod and aborts the subtest if the read fails.
		fetchPod := func(ctx context.Context, t *testing.T, ns, name string) *v1.Pod {
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}

		// probeSCTP pokes serverIP:port over SCTP from the given ravenclaw
		// client pod and asserts that the observed outcome equals reachable.
		probeSCTP := func(t *testing.T, clientName, serverIP string, port int32, reachable bool) {
			ok := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, nsRavenclaw, clientName, "sctp", serverIP, port, s.TimeoutConfig.RequestTimeout, reachable)
			assert.True(t, ok)
		}

		t.Run("Should support an 'allow-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-0")
			probeSCTP(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			probeSCTP(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})

		t.Run("Should support an 'allow-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsHufflepuff, "cedric-diggory-1")
			probeSCTP(t, "luna-lovegood-0", server.Status.PodIP, 9003, true)
			probeSCTP(t, "luna-lovegood-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support an 'deny-egress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsGryffindor, "harry-potter-1")

			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Move the deny rule ahead of the allow rule; the probes below must
			// now be blocked.
			mutate.Spec.Egress[0], mutate.Spec.Egress[1] = mutate.Spec.Egress[1], mutate.Spec.Egress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")

			probeSCTP(t, "luna-lovegood-0", server.Status.PodIP, 9003, false)
			probeSCTP(t, "luna-lovegood-1", server.Status.PodIP, 9005, false)
		})

		t.Run("Should support a 'deny-egress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := subtestCtx()
			defer cancel()
			server := fetchPod(ctx, t, nsSlytherin, "draco-malfoy-0")
			probeSCTP(t, "luna-lovegood-0", server.Status.PodIP, 9003, false)
			probeSCTP(t, "luna-lovegood-1", server.Status.PodIP, 9005, true)
		})
	},
}
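// BaselineAdminNetworkPolicyEgressTCP is the conformance test for egress TCP
// rules of the baseline admin network policy (BANP) API. Every subtest fetches
// one server pod and probes it from client pods, passing the expected outcome
// to kubernetes.PokeServer. The "ensure rule ordering is respected" deny case
// swaps the first two egress rules of the "default" BANP and expects the probes
// that were allowed before the swap to be denied afterwards, i.e. the first
// matching rule must win.
var BaselineAdminNetworkPolicyEgressTCP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressTCP",
	Description: "Tests support for egress traffic (TCP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-egress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads the named pod from the cluster and fails the subtest if it cannot be read.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have (the deny cases pass false); PokeServer reports whether the
		// observed result matched it, and that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}
		// swapFirstTwoEgressRules reorders the "default" BANP so that its second
		// egress rule takes precedence over the first, and patches it in place.
		// NOTE(review): the swap is never reverted, so every later subtest in this
		// test (and anything else that shares the "default" BANP) sees the swapped
		// order; the "at the specified port" deny case presumably depends on that —
		// confirm against the manifest.
		swapFirstTwoEgressRules := func(ctx context.Context, t *testing.T) {
			t.Helper()
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [1] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.GreaterOrEqual(t, len(mutate.Spec.Egress), 2, "the default baseline admin network policy needs at least two egress rules")
			mutate.Spec.Egress[0], mutate.Spec.Egress[1] = mutate.Spec.Egress[1], mutate.Spec.Egress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
		}

		t.Run("Should support an 'allow-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 8080, true)
		})
		t.Run("Should support an 'allow-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-hufflepuff", "cedric-diggory-1")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 8080, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 80, false)
		})
		t.Run("Should support an 'deny-egress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			swapFirstTwoEgressRules(ctx, t)
			// Same clients and ports as the allow case above; after the swap both must be denied.
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 8080, false)
		})
		t.Run("Should support a 'deny-egress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 8080, true)
		})
	},
}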
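// BaselineAdminNetworkPolicyEgressUDP is the conformance test for egress UDP
// rules of the baseline admin network policy (BANP) API. Every subtest fetches
// one server pod and probes it from client pods, passing the expected outcome
// to kubernetes.PokeServer. The "ensure rule ordering is respected" deny case
// swaps the first two egress rules of the "default" BANP and expects the probes
// that were allowed before the swap to be denied afterwards, i.e. the first
// matching rule must win.
var BaselineAdminNetworkPolicyEgressUDP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyEgressUDP",
	Description: "Tests support for egress traffic (UDP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-egress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads the named pod from the cluster and fails the subtest if it cannot be read.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have (the deny cases pass false); PokeServer reports whether the
		// observed result matched it, and that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}
		// swapFirstTwoEgressRules reorders the "default" BANP so that its second
		// egress rule takes precedence over the first, and patches it in place.
		// NOTE(review): the swap is never reverted, so every later subtest in this
		// test (and anything else that shares the "default" BANP) sees the swapped
		// order; the "at the specified port" deny case presumably depends on that —
		// confirm against the manifest.
		swapFirstTwoEgressRules := func(ctx context.Context, t *testing.T) {
			t.Helper()
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [1] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.GreaterOrEqual(t, len(mutate.Spec.Egress), 2, "the default baseline admin network policy needs at least two egress rules")
			mutate.Spec.Egress[0], mutate.Spec.Egress[1] = mutate.Spec.Egress[1], mutate.Spec.Egress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
		}

		t.Run("Should support an 'allow-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server, 53, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server, 5353, true)
		})
		t.Run("Should support an 'allow-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server, 53, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server, 5353, false)
		})
		t.Run("Should support an 'deny-egress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			swapFirstTwoEgressRules(ctx, t)
			// Same clients and ports as the allow case above; after the swap both must be denied.
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server, 53, false)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server, 5353, false)
		})
		t.Run("Should support a 'deny-egress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server, 5353, false)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server, 53, true)
		})
	},
}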
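// BaselineAdminNetworkPolicyGress is the conformance test for a baseline admin
// network policy (BANP) that carries ingress and egress rules at the same time,
// across TCP, UDP and SCTP. Each subtest probes a server pod from client pods in
// both directions (it re-fetches a second server pod half-way through), passing
// the expected outcome to kubernetes.PokeServer. The "deny-gress" ordering case
// swaps the first two egress AND the first two ingress rules of the "default"
// BANP and expects everything that was allowed before the swap to be denied.
var BaselineAdminNetworkPolicyGress = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyGress",
	Description: "Tests support for combined ingress and egress traffic rules in the baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-gress-rules-combined.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads the named pod from the cluster and fails the subtest if it cannot be read.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have (the deny cases pass false); PokeServer reports whether the
		// observed result matched it, and that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}
		// swapFirstTwoRules reorders the "default" BANP so that in both the egress
		// and the ingress list the second rule takes precedence over the first,
		// and patches it in place.
		// NOTE(review): the swap is never reverted, so every later subtest in this
		// test (and anything else that shares the "default" BANP) sees the swapped
		// order; the "at the specified ports" deny case presumably depends on that —
		// confirm against the manifest.
		swapFirstTwoRules := func(ctx context.Context, t *testing.T) {
			t.Helper()
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [1] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.GreaterOrEqual(t, len(mutate.Spec.Egress), 2, "the default baseline admin network policy needs at least two egress rules")
			require.GreaterOrEqual(t, len(mutate.Spec.Ingress), 2, "the default baseline admin network policy needs at least two ingress rules")
			mutate.Spec.Egress[0], mutate.Spec.Egress[1] = mutate.Spec.Egress[1], mutate.Spec.Egress[0]
			mutate.Spec.Ingress[0], mutate.Spec.Ingress[1] = mutate.Spec.Ingress[1], mutate.Spec.Ingress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
		}

		t.Run("Should support an 'allow-gress' policy across different protocols", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server, 53, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, true)
			// Reverse direction: the former client namespace now hosts the server.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", server, 53, true)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", server, 9003, true)
		})
		t.Run("Should support an 'allow-gress' policy across different protocols at the specified ports", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-hufflepuff", "cedric-diggory-1")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 8080, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server, 5353, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server, 53, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server, 9005, false)
			// Reverse direction: the former client namespace now hosts the server.
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", server, 8080, false)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "udp", server, 5353, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "udp", server, 53, false)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", server, 9003, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", server, 9005, false)
		})
		t.Run("Should support an 'deny-gress' policy across different protocols", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			swapFirstTwoRules(ctx, t)
			// After the swap every probe that the allow case accepted must be denied.
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server, 53, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, false)
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp", server, 53, false)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "sctp", server, 9003, false)
		})
		t.Run("Should support a 'deny-gress' policy across different protocols at the specified ports", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-slytherin", "draco-malfoy-0")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "tcp", server, 8080, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "udp", server, 53, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "udp", server, 5353, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server, 9005, true)
			server = fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", server, 8080, true)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp", server, 53, false)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp", server, 5353, true)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", server, 9003, false)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", server, 9005, true)
		})
	},
}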
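// BaselineAdminNetworkPolicyIngressNamedPort is the conformance test for a
// baseline admin network policy (BANP) ingress rule that selects a container
// port by name instead of number. It rewrites the fourth ingress rule of the
// "default" BANP to match the named port "web" and then expects the numbered
// port 80 to be reachable and 8080 not to be, passing the expected outcome to
// kubernetes.PokeServer.
var BaselineAdminNetworkPolicyIngressNamedPort = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyIngressNamedPort",
	Description: "Tests support for ingress traffic on a named port using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
		suite.SupportBaselineAdminNetworkPolicyNamedPorts,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-ingress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have; PokeServer reports whether the observed result matched it, and
		// that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}

		t.Run("Should support an 'allow-ingress' policy for named port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: "network-policy-conformance-gryffindor", Name: "harry-potter-1"}, server)
			require.NoErrorf(t, err, "unable to fetch the server pod")

			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err = s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [3] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.Greater(t, len(mutate.Spec.Ingress), 3, "the default baseline admin network policy needs at least four ingress rules")
			// Replace the rule's port selection with the named port only. The
			// patch is not reverted afterwards (this test has a single subtest).
			webPort := "web"
			mutate.Spec.Ingress[3].Ports = &[]v1alpha1.AdminNetworkPolicyPort{
				{NamedPort: &webPort},
			}
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")

			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", server, 8080, false)
		})
	},
}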
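// BaselineAdminNetworkPolicyIngressSCTP is the conformance test for ingress
// SCTP rules of the baseline admin network policy (BANP) API. Every subtest
// fetches one server pod and probes it from client pods, passing the expected
// outcome to kubernetes.PokeServer. The "ensure rule ordering is respected"
// deny case swaps the first two ingress rules of the "default" BANP and expects
// the probes that were allowed before the swap to be denied afterwards, i.e.
// the first matching rule must win.
var BaselineAdminNetworkPolicyIngressSCTP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyIngressSCTP",
	Description: "Tests support for ingress traffic (SCTP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-ingress-sctp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads the named pod from the cluster and fails the subtest if it cannot be read.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have (the deny cases pass false); PokeServer reports whether the
		// observed result matched it, and that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}
		// swapFirstTwoIngressRules reorders the "default" BANP so that its second
		// ingress rule takes precedence over the first, and patches it in place.
		// NOTE(review): the swap is never reverted, so every later subtest in this
		// test (and anything else that shares the "default" BANP) sees the swapped
		// order; the "at the specified port" deny case presumably depends on that —
		// confirm against the manifest.
		swapFirstTwoIngressRules := func(ctx context.Context, t *testing.T) {
			t.Helper()
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [1] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.GreaterOrEqual(t, len(mutate.Spec.Ingress), 2, "the default baseline admin network policy needs at least two ingress rules")
			mutate.Spec.Ingress[0], mutate.Spec.Ingress[1] = mutate.Spec.Ingress[1], mutate.Spec.Ingress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
		}

		t.Run("Should support an 'allow-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, true)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server, 9005, true)
		})
		t.Run("Should support an 'allow-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "sctp", server, 9003, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "sctp", server, 9005, false)
		})
		t.Run("Should support an 'deny-ingress' policy for SCTP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-1")
			swapFirstTwoIngressRules(ctx, t)
			// Same clients and ports as the first allow case; after the swap both must be denied.
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-0", "sctp", server, 9003, false)
			probe(t, "network-policy-conformance-gryffindor", "harry-potter-1", "sctp", server, 9005, false)
		})
		t.Run("Should support a 'deny-ingress' policy for SCTP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-ravenclaw", "luna-lovegood-0")
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "sctp", server, 9003, false)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "sctp", server, 9005, true)
		})
	},
}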
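// BaselineAdminNetworkPolicyIngressTCP is the conformance test for ingress TCP
// rules of the baseline admin network policy (BANP) API. Every subtest fetches
// one server pod and probes it from client pods, passing the expected outcome
// to kubernetes.PokeServer. The "ensure rule ordering is respected" deny case
// swaps the first two ingress rules of the "default" BANP and expects the
// probes that were allowed before the swap to be denied afterwards, i.e. the
// first matching rule must win.
var BaselineAdminNetworkPolicyIngressTCP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyIngressTCP",
	Description: "Tests support for ingress traffic (TCP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-ingress-tcp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		// fetchPod reads the named pod from the cluster and fails the subtest if it cannot be read.
		fetchPod := func(ctx context.Context, t *testing.T, namespace, name string) *v1.Pod {
			t.Helper()
			pod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, pod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			return pod
		}
		// probe connects from clientNS/clientPod to the server's pod IP on
		// protocol/port. The final argument is the outcome the probe is expected
		// to have (the deny cases pass false); PokeServer reports whether the
		// observed result matched it, and that match is what gets asserted.
		probe := func(t *testing.T, clientNS, clientPod, protocol string, server *v1.Pod, port int32, expectSuccess bool) {
			t.Helper()
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, clientNS, clientPod, protocol,
				server.Status.PodIP, port, s.TimeoutConfig.RequestTimeout, expectSuccess)
			assert.Truef(t, success, "%s/%s -> %s/%s %s:%d: expected connection success=%t",
				clientNS, clientPod, server.Namespace, server.Name, protocol, port, expectSuccess)
		}
		// swapFirstTwoIngressRules reorders the "default" BANP so that its second
		// ingress rule takes precedence over the first, and patches it in place.
		// NOTE(review): the swap is never reverted, so every later subtest in this
		// test (and anything else that shares the "default" BANP) sees the swapped
		// order; the "at the specified port" deny case presumably depends on that —
		// confirm against the manifest.
		swapFirstTwoIngressRules := func(ctx context.Context, t *testing.T) {
			t.Helper()
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err := s.Client.Get(ctx, client.ObjectKey{Name: "default"}, banp)
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			mutate := banp.DeepCopy()
			// Indexing [1] on a shorter rule list would panic and take the whole
			// test binary down; fail this subtest with a diagnostic instead.
			require.GreaterOrEqual(t, len(mutate.Spec.Ingress), 2, "the default baseline admin network policy needs at least two ingress rules")
			mutate.Spec.Ingress[0], mutate.Spec.Ingress[1] = mutate.Spec.Ingress[1], mutate.Spec.Ingress[0]
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
		}

		t.Run("Should support an 'allow-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", server, 8080, true)
		})
		t.Run("Should support an 'allow-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-0", "tcp", server, 80, true)
			probe(t, "network-policy-conformance-hufflepuff", "cedric-diggory-1", "tcp", server, 8080, false)
		})
		t.Run("Should support an 'deny-ingress' policy for TCP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-1")
			swapFirstTwoIngressRules(ctx, t)
			// Same clients and ports as the first allow case; after the swap both must be denied.
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "tcp", server, 8080, false)
		})
		t.Run("Should support a 'deny-ingress' policy for TCP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			server := fetchPod(ctx, t, "network-policy-conformance-gryffindor", "harry-potter-0")
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-0", "tcp", server, 80, false)
			probe(t, "network-policy-conformance-slytherin", "draco-malfoy-1", "tcp", server, 8080, true)
		})
	},
}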
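// BaselineAdminNetworkPolicyIngressUDP exercises the ingress rules of the
// BaselineAdminNetworkPolicy (BANP) API for the UDP protocol.
//
// Every sub-test fetches a server pod by namespace/name from the API server
// and then probes it from a client pod via kubernetes.PokeServer. The final
// boolean passed to PokeServer is the connectivity outcome the sub-test
// expects under the manifests listed in Manifests (true where the policy
// should allow the datagram, false where it should be denied) — the
// assert.True calls pass only when the observed result matches that
// expectation.
//
// The third sub-test re-orders the ingress rules of the cluster-scoped BANP
// named "default" in place and does not restore the original order, so any
// sub-test or conformance test that runs afterwards observes the mutated
// policy.
var BaselineAdminNetworkPolicyIngressUDP = suite.ConformanceTest{
	ShortName:   "BaselineAdminNetworkPolicyIngressUDP",
	Description: "Tests support for ingress traffic (UDP protocol) using baseline admin network policy API based on a server and client model",
	Features: []suite.SupportedFeature{
		suite.SupportBaselineAdminNetworkPolicy,
	},
	Manifests: []string{"base/baseline_admin_network_policy/core-ingress-udp-rules.yaml"},
	Test: func(t *testing.T, s *suite.ConformanceTestSuite) {
		t.Run("Should support an 'allow-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// Server is cedric-diggory-0 (hufflepuff); clients are the ravenclaw pods.
			serverPod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-0",
			}, serverPod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			// Both ravenclaw clients are expected to reach the server: port 53 and
			// port 5353 should each be allowed under the manifest's rule order.
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)
			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)
		})
		t.Run("Should support an 'allow-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// Server is cedric-diggory-1 (hufflepuff); clients are the gryffindor pods.
			serverPod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-1",
			}, serverPod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			// Port-scoped allow: 53 is expected to pass, 5353 is expected to be denied.
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-0", "udp",
				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)
			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-gryffindor", "harry-potter-1", "udp",
				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
		})
		t.Run("Should support an 'deny-ingress' policy for UDP protocol; ensure rule ordering is respected", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// Server is cedric-diggory-1 (hufflepuff); clients are the ravenclaw pods.
			serverPod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-1",
			}, serverPod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			// The BANP is cluster-scoped, so the ObjectKey carries only a name.
			banp := &v1alpha1.BaselineAdminNetworkPolicy{}
			err = s.Client.Get(ctx, client.ObjectKey{
				Name: "default",
			}, banp)
			// Message names the object actually fetched (a BaselineAdminNetworkPolicy),
			// matching the wording used for the patch failure below.
			require.NoErrorf(t, err, "unable to fetch the baseline admin network policy")
			// Swap the first two ingress rules so that the rule previously in second
			// position is evaluated first. The patch is applied as a merge against the
			// fetched object and is not reverted by this sub-test.
			mutate := banp.DeepCopy()
			allowRule := mutate.Spec.Ingress[0]
			mutate.Spec.Ingress[0] = mutate.Spec.Ingress[1]
			mutate.Spec.Ingress[1] = allowRule
			err = s.Client.Patch(ctx, mutate, client.MergeFrom(banp))
			require.NoErrorf(t, err, "unable to patch the baseline admin network policy")
			// With the deny rule now ahead of the allow rule, both probes are expected
			// to be denied.
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-0", "udp",
				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-ravenclaw", "luna-lovegood-1", "udp",
				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
		})
		t.Run("Should support a 'deny-ingress' policy for UDP protocol at the specified port", func(t *testing.T) {
			ctx, cancel := context.WithTimeout(context.Background(), s.TimeoutConfig.GetTimeout)
			defer cancel()
			// Server is cedric-diggory-0 (hufflepuff); clients are the slytherin pods.
			serverPod := &v1.Pod{}
			err := s.Client.Get(ctx, client.ObjectKey{
				Namespace: "network-policy-conformance-hufflepuff",
				Name:      "cedric-diggory-0",
			}, serverPod)
			require.NoErrorf(t, err, "unable to fetch the server pod")
			// Port-scoped deny: 5353 is expected to be denied, 53 is expected to pass.
			// NOTE(review): this runs after the rule swap in the previous sub-test;
			// confirm the expectations below hold for the mutated "default" BANP.
			success := kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-0", "udp",
				serverPod.Status.PodIP, int32(5353), s.TimeoutConfig.RequestTimeout, false)
			assert.True(t, success)
			success = kubernetes.PokeServer(t, s.ClientSet, &s.KubeConfig, "network-policy-conformance-slytherin", "draco-malfoy-1", "udp",
				serverPod.Status.PodIP, int32(53), s.TimeoutConfig.RequestTimeout, true)
			assert.True(t, success)
		})
	},
}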
var (
	// ConformanceTests is the package-level registry of conformance tests.
	// It is declared here with its zero value (a nil slice); the tests that
	// populate it are defined elsewhere in this package.
	ConformanceTests []suite.ConformanceTest
)
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files ¶
- admin-network-policy-core-egress-sctp-rules.go
- admin-network-policy-core-egress-tcp-rules.go
- admin-network-policy-core-egress-udp-rules.go
- admin-network-policy-core-gress-rules.go
- admin-network-policy-core-ingress-sctp-rules.go
- admin-network-policy-core-ingress-tcp-rules.go
- admin-network-policy-core-ingress-udp-rules.go
- admin-network-policy-core-integration.go
- admin-network-policy-core-priority.go
- admin-network-policy-extended-egress-rules.go
- admin-network-policy-extended-ingress-rules.go
- baseline-admin-network-policy-core-egress-sctp-rules.go
- baseline-admin-network-policy-core-egress-tcp-rules.go
- baseline-admin-network-policy-core-egress-udp-rules.go
- baseline-admin-network-policy-core-gress-rules.go
- baseline-admin-network-policy-core-ingress-sctp-rules.go
- baseline-admin-network-policy-core-ingress-tcp-rules.go
- baseline-admin-network-policy-core-ingress-udp-rules.go
- baseline-admin-network-policy-extended-egress-rules.go
- baseline-admin-network-policy-extended-ingress-rules.go
- main.go