Fix iptables rules in multiple items in ingress/egress
This change fixes iptables rules for multiple items in ingress/egress. It also adds e2e tests for that. Fixes #45
Showing
13 changed files
with
787 additions
and
4 deletions.
@@ -0,0 +1,42 @@ | ||
#!/usr/bin/env bats | ||
|
||
# Note: | ||
# These test cases, stacked, will create stacked policy rules in one multi-networkpolicy and test the | ||
# traffic policying by ncat (nc) command. | ||
|
||
setup() { | ||
cd $BATS_TEST_DIRNAME | ||
load "common" | ||
|
||
server_net1=$(get_net1_ip "test-ipblock-list" "pod-server") | ||
client_a_net1=$(get_net1_ip "test-ipblock-list" "pod-client-a") | ||
client_b_net1=$(get_net1_ip "test-ipblock-list" "pod-client-b") | ||
client_c_net1=$(get_net1_ip "test-ipblock-list" "pod-client-c") | ||
} | ||
|
||
@test "setup ipblock-list test environments" { | ||
kubectl create -f ipblock-list.yml | ||
run kubectl -n test-ipblock-list wait --for=condition=ready -l app=test-ipblock-list pod --timeout=${kubewait_timeout} | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-ipblock-list check client-a" { | ||
run kubectl -n test-ipblock-list exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-ipblock-list check client-b" { | ||
run kubectl -n test-ipblock-list exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-ipblock-list check client-c" { | ||
run kubectl -n test-ipblock-list exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "1" ] | ||
} | ||
|
||
@test "cleanup environments" { | ||
kubectl delete -f ipblock-list.yml | ||
run kubectl -n test-ipblock-list wait --for=delete -l app=test-ipblock-list pod --timeout=${kubewait_timeout} | ||
[ "$status" -eq "0" ] | ||
} |
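Review bot: The negative check for client-c (`[ "$status" -eq "1" ]`) most likely passes for any failure of the exec, not only for a policy drop: setup() re-resolves `server_net1` before every test, so an empty lookup result turns the command into `nc -w 1  5555`, which fails, and the blocked-traffic assertion succeeds vacuously. Guard the address first with `[ -n "$server_net1" ]` ahead of the `run kubectl ... exec` line; the same applies to the server -> client-b check in the simple-v4-egress-list file. `cd $BATS_TEST_DIRNAME` in setup() should be quoted, `cd "$BATS_TEST_DIRNAME"`, so a path containing spaces is not word-split. The header note calls these cases "stacked", which reads as copied from another file; describe what this file exercises instead, e.g. `# These test cases create one multi-networkpolicy whose ingress lists two ipBlock entries and test the traffic policing by ncat (nc) command.`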
@@ -0,0 +1,140 @@ | ||
--- | ||
apiVersion: "k8s.cni.cncf.io/v1" | ||
kind: NetworkAttachmentDefinition | ||
metadata: | ||
namespace: default | ||
name: macvlan1-ipblock | ||
spec: | ||
config: '{ | ||
"cniVersion": "0.3.1", | ||
"name": "macvlan1-ipblock", | ||
"plugins": [ | ||
{ | ||
"type": "macvlan", | ||
"mode": "bridge", | ||
"capabilities": {"ips": true }, | ||
"ipam":{ | ||
"type":"static" | ||
} | ||
}] | ||
}' | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: test-ipblock-list | ||
--- | ||
# Pods | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod-server | ||
namespace: test-ipblock-list | ||
annotations: | ||
k8s.v1.cni.cncf.io/networks: '[{ | ||
"name": "macvlan1-ipblock", | ||
"namespace": "default", | ||
"ips": ["2.2.5.1/24"] | ||
}]' | ||
labels: | ||
app: test-ipblock-list | ||
name: pod-server | ||
spec: | ||
containers: | ||
- name: macvlan-worker1 | ||
image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test | ||
command: ["nc", "-kl", "0.0.0.0", "5555"] | ||
securityContext: | ||
privileged: true | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod-client-a | ||
namespace: test-ipblock-list | ||
annotations: | ||
k8s.v1.cni.cncf.io/networks: '[{ | ||
"name": "macvlan1-ipblock", | ||
"namespace": "default", | ||
"ips": ["2.2.5.11/24"] | ||
}]' | ||
labels: | ||
app: test-ipblock-list | ||
name: pod-client-a | ||
spec: | ||
containers: | ||
- name: macvlan-worker1 | ||
image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test | ||
command: ["nc", "-kl", "0.0.0.0", "5555"] | ||
securityContext: | ||
privileged: true | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod-client-b | ||
namespace: test-ipblock-list | ||
annotations: | ||
k8s.v1.cni.cncf.io/networks: '[{ | ||
"name": "macvlan1-ipblock", | ||
"namespace": "default", | ||
"ips": ["2.2.5.12/24"] | ||
}]' | ||
labels: | ||
app: test-ipblock-list | ||
name: pod-client-b | ||
spec: | ||
containers: | ||
- name: macvlan-worker1 | ||
image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test | ||
command: ["nc", "-kl", "0.0.0.0", "5555"] | ||
securityContext: | ||
privileged: true | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod-client-c | ||
namespace: test-ipblock-list | ||
annotations: | ||
k8s.v1.cni.cncf.io/networks: '[{ | ||
"name": "macvlan1-ipblock", | ||
"namespace": "default", | ||
"ips": ["2.2.5.13/24"] | ||
}]' | ||
labels: | ||
app: test-ipblock-list | ||
name: pod-client-c | ||
spec: | ||
containers: | ||
- name: macvlan-worker1 | ||
image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test | ||
command: ["nc", "-kl", "0.0.0.0", "5555"] | ||
securityContext: | ||
privileged: true | ||
--- | ||
# MultiNetworkPolicies | ||
# this policy accepts ingress trafic from pod-client-a to pod-server | ||
# and ingress trafic from pod-client-b to pod-server | ||
# as a result, these policies accepts ingress traffic from pod-client-a | ||
# or from pod-client-b, to pod-server. | ||
apiVersion: k8s.cni.cncf.io/v1beta1 | ||
kind: MultiNetworkPolicy | ||
metadata: | ||
name: testnetwork-policy-ipblock-1 | ||
namespace: test-ipblock-list | ||
annotations: | ||
k8s.v1.cni.cncf.io/policy-for: default/macvlan1-ipblock | ||
spec: | ||
podSelector: | ||
matchLabels: | ||
name: pod-server | ||
policyTypes: | ||
- Ingress | ||
ingress: | ||
- from: | ||
- ipBlock: | ||
cidr: 2.2.5.11/32 | ||
- from: | ||
- ipBlock: | ||
cidr: 2.2.5.12/32 |
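Review bot: Every pod in this manifest runs with `privileged: true` (first under pod-server's securityContext, then repeated for pod-client-a, -b and -c) although each container only runs `nc -kl 0.0.0.0 5555`. Unless the e2e-test image needs it for the macvlan attachment, dropping the `securityContext` block keeps the fixtures at least privilege; if it is needed, a one-line comment saying why would stop it being copied into further fixtures. The policy comment block also has "trafic" twice and "these policies accepts", and it does not state the mapping the test relies on, which the reader otherwise has to assemble from four annotations. Add, e.g., `# 2.2.5.11/32 = pod-client-a, 2.2.5.12/32 = pod-client-b; pod-client-c (2.2.5.13) is intentionally not listed`.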
@@ -0,0 +1,67 @@ | ||
#!/usr/bin/env bats | ||
|
||
# Note: | ||
# These test cases, simple, will create simple (one policy for ingress) and test the | ||
# traffic policying by ncat (nc) command. In addition, these cases also verifies that | ||
# simple iptables generation check by iptables-save and pod-iptable in multi-networkpolicy pod. | ||
|
||
setup() { | ||
cd $BATS_TEST_DIRNAME | ||
load "common" | ||
server_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-server") | ||
client_a_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-a") | ||
client_b_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-b") | ||
client_c_net1=$(get_net1_ip "test-simple-v4-egress-list" "pod-client-c") | ||
} | ||
|
||
@test "setup simple test environments" { | ||
# create test manifests | ||
kubectl create -f simple-v4-egress-list.yml | ||
|
||
# verify all pods are available | ||
run kubectl -n test-simple-v4-egress-list wait --for=condition=ready -l app=test-simple-v4-egress-list pod --timeout=${kubewait_timeout} | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check client-a -> server" { | ||
# nc should succeed from client-a to server by no policy definition for the direction | ||
run kubectl -n test-simple-v4-egress-list exec pod-client-a -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check client-b -> server" { | ||
# nc should succeed from client-b to server by no policy definition for the direction | ||
run kubectl -n test-simple-v4-egress-list exec pod-client-b -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check client-c -> server" { | ||
# nc should succeed from client-c to server by no policy definition for the direction | ||
run kubectl -n test-simple-v4-egress-list exec pod-client-c -- sh -c "echo x | nc -w 1 ${server_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check server -> client-a" { | ||
# nc should succeed from server to client-a by policy definition | ||
run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_a_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check server -> client-b" { | ||
# nc should NOT succeed from server to client-b by policy definition | ||
run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_b_net1} 5555" | ||
[ "$status" -eq "1" ] | ||
} | ||
|
||
@test "test-simple-v4-egress-list check server -> client-c" { | ||
# nc should succeed from server to client-c by policy definition | ||
run kubectl -n test-simple-v4-egress-list exec pod-server -- sh -c "echo x | nc -w 1 ${client_c_net1} 5555" | ||
[ "$status" -eq "0" ] | ||
} | ||
|
||
@test "cleanup environments" { | ||
# remove test manifests | ||
kubectl delete -f simple-v4-egress-list.yml | ||
run kubectl -n test-simple-v4-egress-list wait --for=delete -l app=test-simple-v4-egress-list pod --timeout=${kubewait_timeout} | ||
[ "$status" -eq "0" ] | ||
} |
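Review bot: The header note (the `# These test cases, simple, ...` comment at the top of the file) describes the ingress case — "one policy for ingress" plus an iptables-save / pod-iptable check — but nothing in this file inspects iptables, and the policy-driven checks here are in the egress direction (the server -> client-a/b/c tests). Replace it with a description of what the file does, e.g. `# These test cases create one multi-networkpolicy with several egress rules (an egress list) and test the traffic policing by ncat (nc) command.` The per-test comments ("nc should NOT succeed from server to client-b by policy definition") are accurate and worth keeping.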