antctl: improve deny-all NetworkPolicy check (#6412)

The egress-deny-all-connectivity check takes more than 1m to run even if it works as expected. This is because the client Pod can't resolve the Service name to IP due to the deny-all policy while DNS resolution doesn't have an explicit timeout. The inability to resolve Service names make testing both SameNodeService and OtherNodeService pointless as the client won't really send any traffic to them. The commit changes to test ClusterIPs of target Services directly, to check the NetworkPolicy enforcement of both inter-Node and intra-Node traffic, and both IPv4 and IPv6 family. It also reduces the code redundancy between egress-deny-all and ingress-deny-all tests. Signed-off-by: Quan Tian <quan.tian@broadcom.com>
antrea-io · Jun 7, 2024 · ea35c60 · ea35c60
1 parent 39ecb3b
commit ea35c60
Show file tree

Hide file tree

Showing 5 changed files with 140 additions and 206 deletions.
diff --git a/pkg/antctl/raw/check/installation/command.go b/pkg/antctl/raw/check/installation/command.go
@@ -30,6 +30,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	"k8s.io/utils/ptr"
 
 	"antrea.io/antrea/pkg/antctl/raw/check"
 )
@@ -96,14 +97,16 @@ func RegisterTest(name string, test Test) {
 }
 
 type testContext struct {
-	client           kubernetes.Interface
-	config           *rest.Config
-	clusterName      string
-	antreaNamespace  string
-	clientPods       []corev1.Pod
-	echoSameNodePod  *corev1.Pod
-	echoOtherNodePod *corev1.Pod
-	namespace        string
+	client               kubernetes.Interface
+	config               *rest.Config
+	clusterName          string
+	antreaNamespace      string
+	clientPods           []corev1.Pod
+	echoSameNodePod      *corev1.Pod
+	echoSameNodeService  *corev1.Service
+	echoOtherNodePod     *corev1.Pod
+	echoOtherNodeService *corev1.Service
+	namespace            string
 	// A nil regex indicates that all the tests should be run.
 	runFilterRegex *regexp.Regexp
 }
@@ -169,7 +172,8 @@ func newService(name string, selector map[string]string, port int) *corev1.Servi
 			Ports: []corev1.ServicePort{
 				{Name: name, Port: int32(port)},
 			},
-			Selector: selector,
+			Selector:       selector,
+			IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicyPreferDualStack),
 		},
 	}
 }
@@ -204,7 +208,7 @@ func (t *testContext) setup(ctx context.Context) error {
 	}
 	t.Log("Deploying echo-same-node Service %s...", echoSameNodeDeploymentName)
 	svc := newService(echoSameNodeDeploymentName, map[string]string{"name": echoSameNodeDeploymentName}, 80)
-	_, err = t.client.CoreV1().Services(t.namespace).Create(ctx, svc, metav1.CreateOptions{})
+	t.echoSameNodeService, err = t.client.CoreV1().Services(t.namespace).Create(ctx, svc, metav1.CreateOptions{})
 	if err != nil {
 		return err
 	}
@@ -290,7 +294,7 @@ func (t *testContext) setup(ctx context.Context) error {
 	if len(nodes.Items) >= 2 {
 		t.Log("Deploying echo-other-node Service %s...", echoOtherNodeDeploymentName)
 		svc = newService(echoOtherNodeDeploymentName, map[string]string{"name": echoOtherNodeDeploymentName}, 80)
-		_, err = t.client.CoreV1().Services(t.namespace).Create(ctx, svc, metav1.CreateOptions{})
+		t.echoOtherNodeService, err = t.client.CoreV1().Services(t.namespace).Create(ctx, svc, metav1.CreateOptions{})
 		if err != nil {
 			return err
 		}
@@ -360,7 +364,7 @@ func (t *testContext) runAgnhostConnect(ctx context.Context, clientPodName strin
 		// We log the contents of stderr here for troubleshooting purposes.
 		t.Log("/agnhost command '%s' failed: %v", strings.Join(cmd, " "), err)
 		if stderr != "" {
-			t.Log("/agnhost stderr: %s", stderr)
+			t.Log("/agnhost stderr: %s", strings.TrimSpace(stderr))
 		}
 	}
 	return err

diff --git a/pkg/antctl/raw/check/installation/test_denyall.go b/pkg/antctl/raw/check/installation/test_denyall.go
@@ -0,0 +1,100 @@
+// Copyright 2024 Antrea Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package installation
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type DenyAllConnectivityTest struct {
+	networkPolicy *networkingv1.NetworkPolicy
+}
+
+func init() {
+	RegisterTest("egress-deny-all-connectivity", &DenyAllConnectivityTest{networkPolicy: &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "egress-deny-all",
+		},
+		Spec: networkingv1.NetworkPolicySpec{
+			PodSelector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "name",
+						Operator: metav1.LabelSelectorOpIn,
+						Values:   []string{clientDeploymentName},
+					},
+				},
+			},
+			PolicyTypes: []networkingv1.PolicyType{
+				networkingv1.PolicyTypeEgress,
+			},
+		},
+	}})
+	RegisterTest("ingress-deny-all-connectivity", &DenyAllConnectivityTest{networkPolicy: &networkingv1.NetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "ingress-deny-all",
+		},
+		Spec: networkingv1.NetworkPolicySpec{
+			PodSelector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "name",
+						Operator: metav1.LabelSelectorOpIn,
+						Values:   []string{echoSameNodeDeploymentName, echoOtherNodeDeploymentName},
+					},
+				},
+			},
+			PolicyTypes: []networkingv1.PolicyType{
+				networkingv1.PolicyTypeIngress,
+			},
+		},
+	}})
+}
+
+func (t *DenyAllConnectivityTest) Run(ctx context.Context, testContext *testContext) error {
+	services := []*corev1.Service{testContext.echoSameNodeService}
+	if testContext.echoOtherNodeService != nil {
+		services = append(services, testContext.echoOtherNodeService)
+	}
+	_, err := testContext.client.NetworkingV1().NetworkPolicies(testContext.namespace).Create(ctx, t.networkPolicy, metav1.CreateOptions{})
+	if err != nil {
+		return fmt.Errorf("error creating NetworkPolicy: %w", err)
+	}
+	defer func() error {
+		if err := testContext.client.NetworkingV1().NetworkPolicies(testContext.namespace).Delete(ctx, t.networkPolicy.Name, metav1.DeleteOptions{}); err != nil {
+			return fmt.Errorf("NetworkPolicy deletion was unsuccessful: %w", err)
+		}
+		testContext.Log("NetworkPolicy deletion was successful")
+		return nil
+	}()
+	testContext.Log("NetworkPolicy applied successfully")
+	for _, clientPod := range testContext.clientPods {
+		for _, service := range services {
+			for _, clusterIP := range service.Spec.ClusterIPs {
+				if err := testContext.runAgnhostConnect(ctx, clientPod.Name, "", clusterIP, 80); err != nil {
+					testContext.Log("NetworkPolicy is working as expected: Pod %s cannot connect to Service %s (%s)", clientPod.Name, service.Name, clusterIP)
+				} else {
+					return fmt.Errorf("NetworkPolicy is not working as expected: Pod %s connected to Service %s (%s) when it should not", clientPod.Name, service.Name, clusterIP)
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/antctl/raw/check/installation/test_egressdenyall.go b/pkg/antctl/raw/check/installation/test_egressdenyall.go
diff --git a/pkg/antctl/raw/check/installation/test_ingressdenyall.go b/pkg/antctl/raw/check/installation/test_ingressdenyall.go