From 13ebf69b193fe89f55d8ab65cdddf41e857e6e6e Mon Sep 17 00:00:00 2001
From: Jaeryn Chu
Date: Mon, 23 Sep 2019 16:59:45 -0700
Subject: [PATCH] Adding tests to verify that allow policies should take precedence over deny
---
 npm/translatePolicy_test.go | 298 ++++++++++++++++++++++++++++++++++++
 1 file changed, 298 insertions(+)
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
index 7039fe51bb..71f2bf14a9 100644
--- a/npm/translatePolicy_test.go
+++ b/npm/translatePolicy_test.go
@@ -2816,3 +2816,301 @@ func TestTranslatePolicy(t *testing.T) {
 t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
 }
 }
+
+func TestAllowPrecedenceOverDeny(t *testing.T) {
+ targetSelector := metav1.LabelSelector{}
+ targetSelectorA := metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": "test",
+ },
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ metav1.LabelSelectorRequirement{
+ Key: "testIn",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{
+ "pod-A",
+ },
+ },
+ },
+ }
+ denyAllPolicy := &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "default-deny",
+ Namespace: "default",
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: targetSelector,
+ PolicyTypes: []networkingv1.PolicyType{
+ networkingv1.PolicyTypeIngress,
+ },
+ Ingress: []networkingv1.NetworkPolicyIngressRule{},
+ },
+ }
+ allowToPodPolicy := &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "pod-A",
+ Namespace: "default",
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: targetSelectorA,
+ PolicyTypes: []networkingv1.PolicyType{
+ networkingv1.PolicyTypeIngress,
+ networkingv1.PolicyTypeEgress,
+ },
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ networkingv1.NetworkPolicyIngressRule{
+ From: []networkingv1.NetworkPolicyPeer{
+ networkingv1.NetworkPolicyPeer{
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": "test",
+ },
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ metav1.LabelSelectorRequirement{
+ Key: "testIn",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{
+ "pod-B",
+ },
+ },
+ },
+ },
+ },
+ networkingv1.NetworkPolicyPeer{
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "app": "test",
+ },
+ MatchExpressions: []metav1.LabelSelectorRequirement{
+ metav1.LabelSelectorRequirement{
+ Key: "testIn",
+ Operator: metav1.LabelSelectorOpIn,
+ Values: []string{
+ "pod-C",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ networkingv1.NetworkPolicyEgressRule{
+ To: []networkingv1.NetworkPolicyPeer{
+ networkingv1.NetworkPolicyPeer{
+ NamespaceSelector: &metav1.LabelSelector{},
+ },
+ },
+ },
+ },
+ },
+ }
+
+ sets, lists, iptEntries := translatePolicy(denyAllPolicy)
+ expectedSets := []string{
+ "ns-default",
+ }
+ if !reflect.DeepEqual(sets, expectedSets) {
+ t.Errorf("translatedPolicy failed @ k8s-example-policy sets comparison")
+ t.Errorf("sets: %v", sets)
+ t.Errorf("expectedSets: %v", expectedSets)
+ }
+
+ expectedLists := []string{}
+ if !reflect.DeepEqual(lists, expectedLists) {
+ t.Errorf("translatedPolicy failed @ k8s-example-policy lists comparison")
+ t.Errorf("lists: %v", lists)
+ t.Errorf("expectedLists: %v", expectedLists)
+ }
+
+ sets, lists, finalIptEntries := translatePolicy(allowToPodPolicy)
+ expectedSets = []string{
+ "app:test",
+ "testIn:pod-A",
+ "testIn:pod-B",
+ "testIn:pod-C",
+ }
+ if !reflect.DeepEqual(sets, expectedSets) {
+ t.Errorf("translatedPolicy failed @ k8s-example-policy sets comparison")
+ t.Errorf("sets: %v", sets)
+ t.Errorf("expectedSets: %v", expectedSets)
+ }
+
+ expectedLists = []string{
+ "all-namespaces",
+ }
+ if !reflect.DeepEqual(lists, expectedLists) {
+ t.Errorf("translatedPolicy failed @ k8s-example-policy lists comparison")
+ t.Errorf("lists: %v", lists)
+ t.Errorf("expectedLists: %v", expectedLists)
+ }
+
+ iptEntries = append(iptEntries, finalIptEntries...)
+
+ nonKubeSystemEntries := []*iptm.IptEntry{
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureTargetSetsChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("ns-default"),
+ util.IptablesDstFlag,
+ util.IptablesJumpFlag,
+ util.IptablesDrop,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "DROP-ALL-TO-ns-default",
+ },
+ },
+ }
+ nonKubeSystemEntries2 := []*iptm.IptEntry{
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureIngressPortChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesDstFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-A"),
+ util.IptablesDstFlag,
+ util.IptablesJumpFlag,
+ util.IptablesAzureIngressFromChain,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "ALLOW-ALL-TO-app:test-AND-testIn:pod-A-TO-JUMP-TO-" +
+ util.IptablesAzureIngressFromChain,
+ },
+ },
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureIngressFromChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-B"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesDstFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-A"),
+ util.IptablesDstFlag,
+ util.IptablesJumpFlag,
+ util.IptablesAccept,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "ALLOW-app:test-AND-testIn:pod-B-TO-app:test-AND-testIn:pod-A",
+ },
+ },
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureIngressFromChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-C"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesDstFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-A"),
+ util.IptablesDstFlag,
+ util.IptablesJumpFlag,
+ util.IptablesAccept,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "ALLOW-app:test-AND-testIn:pod-C-TO-app:test-AND-testIn:pod-A",
+ },
+ },
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureEgressPortChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-A"),
+ util.IptablesSrcFlag,
+ util.IptablesJumpFlag,
+ util.IptablesAzureEgressToChain,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "ALLOW-ALL-FROM-app:test-AND-testIn:pod-A-TO-JUMP-TO-" +
+ util.IptablesAzureEgressToChain,
+ },
+ },
+ &iptm.IptEntry{
+ Chain: util.IptablesAzureEgressToChain,
+ Specs: []string{
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("app:test"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("testIn:pod-A"),
+ util.IptablesSrcFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("all-namespaces"),
+ util.IptablesDstFlag,
+ util.IptablesJumpFlag,
+ util.IptablesAccept,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "ALLOW-app:test-AND-testIn:pod-A-TO-all-namespaces",
+ },
+ },
+ }
+ expectedIptEntries := []*iptm.IptEntry{}
+ expectedIptEntries = append(expectedIptEntries, getAllowKubeSystemEntries("default", targetSelector)...)
+ expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
+ expectedIptEntries = append(expectedIptEntries, getAllowKubeSystemEntries("default", targetSelectorA)...)
+ expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries2...)
+ expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("default", targetSelectorA, true, true)...)
+ if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
+ t.Errorf("TestAllowPrecedenceOverDeny failed @ k8s-example-policy policy comparison")
+ marshalledIptEntries, _ := json.Marshal(iptEntries)
+ marshalledExpectedIptEntries, _ := json.Marshal(expectedIptEntries)
+ t.Errorf("iptEntries: %s", marshalledIptEntries)
+ t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
+ }
+}
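Review bot: The four sets/lists failure messages in TestAllowPrecedenceOverDeny are copied from TestTranslatePolicy and all read `translatedPolicy failed @ k8s-example-policy sets comparison` (or `lists comparison`), so a failure cannot be attributed to the deny-all translation or the pod-A translation; name the policy under test in each, e.g. `t.Errorf("TestAllowPrecedenceOverDeny failed @ default-deny sets comparison")` and `t.Errorf("TestAllowPrecedenceOverDeny failed @ pod-A lists comparison")`. Note also that the test only checks that the entries of two independent translatePolicy calls, appended in call order, equal an expected list built in that same order; whether the ACCEPT rules placed in IptablesAzureIngressFromChain actually win over the DROP placed in IptablesAzureTargetSetsChain depends on how those chains are traversed, which no assertion here covers, so the name overstates what is verified. A comment at the top of the function such as `// Verifies only that the deny-all DROP and the pod-A ACCEPT rules are emitted into their expected chains; chain traversal order (which decides actual precedence) is not exercised here.` would keep a reader from taking a green run as proof of runtime precedence. The discarded errors on the two json.Marshal calls in the failure path should carry a short justification, e.g. `// marshal error only degrades the diagnostic output`.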