Add support for NetworkPolicies

Shopify · Feb 27, 2019 · ec887ea · ec887ea
1 parent 6a0dd66
commit ec887ea
Show file tree

Hide file tree

Showing 9 changed files with 73 additions and 2 deletions.
diff --git a/lib/kubernetes-deploy/deploy_task.rb b/lib/kubernetes-deploy/deploy_task.rb
@@ -14,6 +14,7 @@
   persistent_volume_claim
   pod
   redis
+  network_policy
   memcached
   service
   pod_template
@@ -63,6 +64,7 @@ class DeployTask
     def predeploy_sequence
       before_crs = %w(
         ResourceQuota
+        NetworkPolicy
       )
       after_crs = %w(
         ConfigMap
@@ -86,6 +88,7 @@ def prune_whitelist
         extensions/v1beta1/DaemonSet
         extensions/v1beta1/Deployment
         extensions/v1beta1/Ingress
+        networking.k8s.io/v1/NetworkPolicy
         apps/v1beta1/StatefulSet
         autoscaling/v1/HorizontalPodAutoscaler
         policy/v1beta1/PodDisruptionBudget

diff --git a/lib/kubernetes-deploy/kubeclient_builder.rb b/lib/kubernetes-deploy/kubeclient_builder.rb
@@ -84,6 +84,14 @@ def build_rbac_v1_kubeclient(context)
       )
     end
 
+    def build_networking_v1_kubeclient(context)
+      _build_kubeclient(
+        api_version: "v1",
+        context: context,
+        endpoint_path: "/apis/networking.k8s.io"
+      )
+    end
+
     def _build_kubeclient(api_version:, context:, endpoint_path: nil)
       # Find a context defined in kube conf files that matches the input context by name
       configs = config_files.map { |f| KubeConfig.read(f) }

diff --git a/lib/kubernetes-deploy/kubernetes_resource/network_policy.rb b/lib/kubernetes-deploy/kubernetes_resource/network_policy.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module KubernetesDeploy
+  class NetworkPolicy < KubernetesResource
+    TIMEOUT = 30.seconds
+
+    def status
+      exists? ? "Created" : "Unknown"
+    end
+
+    def deploy_succeeded?
+      exists?
+    end
+
+    def deploy_failed?
+      false
+    end
+
+    def timeout_message
+      UNUSUAL_FAILURE_MESSAGE
+    end
+  end
+end
diff --git a/test/fixtures/hello-cloud/network_policy.yml b/test/fixtures/hello-cloud/network_policy.yml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-network-policy
+spec:
+  podSelector: {}
+  ingress:
+    - {}
+  policyTypes:
+    - Ingress
diff --git a/test/helpers/fixture_set.rb b/test/helpers/fixture_set.rb
@@ -173,6 +173,12 @@ def assert_stateful_set_present(name)
       desired = stateful_sets.find { |ss| ss.metadata.name == name }
       assert(desired.present?, "Stateful set #{name} does not exist")
     end
+
+    def assert_network_policy_present(name)
+      network_policies =  networking_v1_kubeclient.get_network_policies(namespace: namespace)
+      desired = network_policies.find { |np| np.metadata.name == name }
+      assert(desired.present?, "Network #{name} does not exist")
+    end
   end
 end
 

diff --git a/test/helpers/fixture_sets/hello_cloud.rb b/test/helpers/fixture_sets/hello_cloud.rb
@@ -20,6 +20,7 @@ def assert_all_up
       assert_daemon_set_up
       assert_stateful_set_up
       assert_job_up
+      assert_network_policy_up
     end
 
     def assert_unmanaged_pod_statuses(status, count = 1)
@@ -109,5 +110,9 @@ def assert_stateful_set_up
     def assert_job_up
       assert_job_exists("hello-job")
     end
+
+    def assert_network_policy_up
+      assert_network_policy_present("allow-all-network-policy")
+    end
   end
 end
diff --git a/test/helpers/kubeclient_helper.rb b/test/helpers/kubeclient_helper.rb
@@ -45,4 +45,8 @@ def autoscaling_v1_kubeclient
   def rbac_v1_kubeclient
     @rbac_v1_kubeclient ||= build_rbac_v1_kubeclient(TEST_CONTEXT)
   end
+
+  def networking_v1_kubeclient
+    @networking_v1_kubeclient ||= build_networking_v1_kubeclient(TEST_CONTEXT)
+  end
 end
diff --git a/test/integration/kubernetes_deploy_test.rb b/test/integration/kubernetes_deploy_test.rb
@@ -12,7 +12,7 @@ def test_full_hello_cloud_set_deploy_succeeds
       %r{Deploying Pod/unmanaged-pod-[-\w]+ \(timeout: 60s\)}, # annotation timeout override
       "Hello from the command runner!", # unmanaged pod logs
       "Result: SUCCESS",
-      "Successfully deployed 21 resources",
+      "Successfully deployed 22 resources",
     ], in_order: true)
 
     num_ds = expected_daemonset_pod_count
@@ -101,8 +101,9 @@ def test_pruning_works
       prune_matcher("statefulset", "apps", "stateful-busybox"),
       prune_matcher("job", "batch", "hello-job"),
       prune_matcher("poddisruptionbudget", "policy", "test"),
+      prune_matcher("networkpolicy", "networking.k8s.io", "allow-all-network-policy"),
     ] # not necessarily listed in this order
-    expected_msgs = [/Pruned 10 resources and successfully deployed 6 resources/]
+    expected_msgs = [/Pruned 11 resources and successfully deployed 6 resources/]
     expected_pruned.map do |resource|
       expected_msgs << /The following resources were pruned:.*#{resource}/
     end
@@ -1080,6 +1081,17 @@ def test_not_apply_resource_can_be_pruned
     ])
   end
 
+  def test_network_policies_are_deployed_first
+    deploy_fixtures('hello-cloud', subset: ['network_policy.yml'])
+    assert_logs_match_all([
+      "Predeploying priority resources",
+      "Deploying NetworkPolicy/allow-all-network-policy (timeout: 30s)",
+      "Successfully deployed 1 resource",
+      "Successful resources",
+      "NetworkPolicy/allow-all-network-policy",
+    ], in_order: true)
+  end
+
   private
 
   def expected_daemonset_pod_count

diff --git a/test/integration/render_task_test.rb b/test/integration/render_task_test.rb
@@ -172,6 +172,7 @@ def test_render_task_rendering_all_files
       assert_match(/name: redis/, output)
       assert_match(/name: role-binding/, output)
       assert_match(/name: resource-quotas/, output)
+      assert_match(/name: allow-all-network-policy/, output)
       assert_match(/name: build-robot/, output)
       assert_match(/name: stateful-busybox/, output)
       assert_match(/name: hello-cloud-template-runner/, output)