Fix iptables rules in multiple items in ingress/egress

This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. fix #45
k8snetworkplumbingwg · Mar 10, 2023 · 31a5750 · 31a5750
1 parent 639a712
commit 31a5750
Show file tree

Hide file tree

Showing 13 changed files with 787 additions and 4 deletions.
diff --git a/.github/workflows/kind-e2e.yml b/.github/workflows/kind-e2e.yml
@@ -33,6 +33,11 @@ jobs:
           bats ./tests/simple-v4-ingress.bats
           bats ./tests/simple-v4-egress.bats
           bats ./tests/simple-v6-ingress.bats
-          bats ./tests/stacked.bats
           bats ./tests/ipblock.bats
+          # stacked case
+          bats ./tests/stacked.bats
           bats ./tests/ipblock-stacked.bats
+          # multiple items in egress/ingress
+          bats ./tests/ipblock-list.bats
+          bats ./tests/simple-v4-ingress-list.bats
+          bats ./tests/simple-v4-egress-list.bats
diff --git a/e2e/tests/ipblock-list.bats b/e2e/tests/ipblock-list.bats
@@ -0,0 +1,42 @@
+#!/usr/bin/env bats
+
+# Note:
+# These test cases, stacked, will create stacked policy rules in one multi-networkpolicy and test the
+# traffic policying by ncat (nc) command.
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+
+	server_net1=$(get_net1_ip "test-ipblock-list" "pod-server")
+	client_a_net1=$(get_net1_ip "test-ipblock-list" "pod-client-a")
+	client_b_net1=$(get_net1_ip "test-ipblock-list" "pod-client-b")
+	client_c_net1=$(get_net1_ip "test-ipblock-list" "pod-client-c")
+}
+
+@test "setup ipblock-list test environments" {
+	kubectl create -f ipblock-list.yml
+	run kubectl -n test-ipblock-list wait --for=condition=ready -l app=test-ipblock-list pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock-list check client-a" {
+	run kubectl -n test-ipblock-list exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock-list check client-b" {
+	run kubectl -n test-ipblock-list exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-ipblock-list check client-c" {
+	run kubectl -n test-ipblock-list exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "cleanup environments" {
+	kubectl delete -f ipblock-list.yml
+	run kubectl -n test-ipblock-list wait --for=delete -l app=test-ipblock-list pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}
diff --git a/e2e/tests/ipblock-list.yml b/e2e/tests/ipblock-list.yml
@@ -0,0 +1,140 @@
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: default
+  name: macvlan1-ipblock
+spec:
+  config: '{
+            "cniVersion": "0.3.1",
+            "name": "macvlan1-ipblock",
+            "plugins": [
+                {
+                    "type": "macvlan",
+                    "mode": "bridge",
+                    "capabilities": {"ips": true },
+                    "ipam":{
+                      "type":"static"
+                    }
+                }]
+        }'
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+    name: test-ipblock-list
+---
+# Pods
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-server
+  namespace: test-ipblock-list
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock",
+      "namespace": "default",
+      "ips": ["2.2.5.1/24"]
+      }]'
+  labels:
+    app: test-ipblock-list
+    name: pod-server
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-a
+  namespace: test-ipblock-list
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock",
+      "namespace": "default",
+      "ips": ["2.2.5.11/24"]
+      }]'
+  labels:
+    app: test-ipblock-list
+    name: pod-client-a
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-b
+  namespace: test-ipblock-list
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock",
+      "namespace": "default",
+      "ips": ["2.2.5.12/24"]
+      }]'
+  labels:
+    app: test-ipblock-list
+    name: pod-client-b
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-client-c
+  namespace: test-ipblock-list
+  annotations:
+    k8s.v1.cni.cncf.io/networks: '[{
+      "name": "macvlan1-ipblock",
+      "namespace": "default",
+      "ips": ["2.2.5.13/24"]
+      }]'
+  labels:
+    app: test-ipblock-list
+    name: pod-client-c
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-kl", "0.0.0.0", "5555"]
+    securityContext:
+      privileged: true
+---
+# MultiNetworkPolicies
+# this policy accepts ingress trafic from pod-client-a to pod-server
+# and ingress trafic from pod-client-b to pod-server
+# as a result, these policies accepts ingress traffic from pod-client-a
+# or from pod-client-b, to pod-server.
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: testnetwork-policy-ipblock-1
+  namespace: test-ipblock-list
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: default/macvlan1-ipblock
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-server
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 2.2.5.11/32
+  - from:
+    - ipBlock:
+        cidr: 2.2.5.12/32
diff --git a/e2e/tests/ipblock-stacked.bats b/e2e/tests/ipblock-stacked.bats
@@ -14,7 +14,7 @@ setup() {
 	client_c_net1=$(get_net1_ip "test-ipblock-stacked" "pod-client-c")
 }
 
-@test "setup stacked test environments" {
+@test "setup ipblock-stacked test environments" {
 	kubectl create -f ipblock-stacked.yml
 	run kubectl -n test-ipblock-stacked wait --for=condition=ready -l app=test-ipblock-stacked pod --timeout=${kubewait_timeout}
 	[ "$status" -eq  "0" ]
@@ -33,7 +33,7 @@ setup() {
 	[ "$status" -eq  "1" ]
 }
 
-@test "test-ipblock-status check client-a" {
+@test "test-ipblock-stacked check client-a" {
 	run kubectl -n test-ipblock-stacked exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
 	[ "$status" -eq  "0" ]
 }

diff --git a/e2e/tests/ipblock.bats b/e2e/tests/ipblock.bats
@@ -14,7 +14,7 @@ setup() {
 	client_c_net1=$(get_net1_ip "test-ipblock" "pod-client-c")
 }
 
-@test "setup stacked test environments" {
+@test "setup ipblock test environments" {
 	kubectl create -f ipblock.yml
 	run kubectl -n test-ipblock wait --for=condition=ready -l app=test-ipblock pod --timeout=${kubewait_timeout}
 	[ "$status" -eq  "0" ]

diff --git a/e2e/tests/simple-v4-egress-list.bats b/e2e/tests/simple-v4-egress-list.bats
@@ -0,0 +1,67 @@
+#!/usr/bin/env bats
+
+# Note:
+# These test cases, simple, will create simple (one policy for ingress) and test the 
+# traffic policying by ncat (nc) command. In addition, these cases also verifies that
+# simple iptables generation check by iptables-save and pod-iptable in multi-networkpolicy pod.
+
+setup() {
+	cd $BATS_TEST_DIRNAME
+	load "common"
+	server_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-server")
+	client_a_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-a")
+	client_b_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-b")
+	client_c_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-c")
+}
+
+@test "setup simple test environments" {
+	# create test manifests
+	kubectl create -f simple-v4-egress-list.yml
+
+	# verify all pods are available
+	run kubectl -n test-simple-v4-egress-list wait --for=condition=ready -l app=test-simple-v4-egress-list pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-simple-v4-egress-list check client-a -> server" {
+	# nc should succeed from client-a to server by no policy definition for the direction
+	run kubectl -n test-simple-v4-egress-list exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-simple-v4-egress-list check client-b -> server" {
+	# nc should succeed from client-b to server by no policy definition for the direction
+	run kubectl -n test-simple-v4-egress-list exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-simple-v4-egress-list check client-c -> server" {
+	# nc should succeed from client-c to server by no policy definition for the direction
+	run kubectl -n test-simple-v4-egress-list exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-simple-v4-egress-list check server -> client-a" {
+	# nc should succeed from server to client-a by policy definition
+	run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_a_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "test-simple-v4-egress-list check server -> client-b" {
+	# nc should NOT succeed from server to client-b by policy definition
+	run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_b_net1} 5555"
+	[ "$status" -eq  "1" ]
+}
+
+@test "test-simple-v4-egress-list check server -> client-c" {
+	# nc should succeed from server to client-c by policy definition
+	run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_c_net1} 5555"
+	[ "$status" -eq  "0" ]
+}
+
+@test "cleanup environments" {
+	# remove test manifests
+	kubectl delete -f simple-v4-egress-list.yml
+	run kubectl -n test-simple-v4-egress-list wait --for=delete -l app=test-simple-v4-egress-list pod --timeout=${kubewait_timeout}
+	[ "$status" -eq  "0" ]
+}