e2e test cases for basic SCTP testing #88196
Hi @janosi. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign
test/e2e/network/util.go
Outdated
if err != nil { | ||
framework.Logf("sctp module is not loaded or error occured while executing command %s on node: %v", cmd, err) | ||
return false | ||
} else { | ||
framework.Logf("the sctp module is loaded on node: %v", node.Name) | ||
return true | ||
for _, line := range strings.Split(result, "\n") { |
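Review bot: in the `err != nil` branch the function logs and returns false, so a command that could not be executed on the node is reported exactly like "module not loaded", and a caller cannot tell a failed check from a clean node. Consider returning the error alongside the bool, or failing the test, instead of folding it into false. In the same Logf call, `err` is the value printed after "on node:", so the node name never appears in the message, and "occured" should be "occurred".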
Does this block need to be inside the `else`? It seems that if `err != nil` it will return, so no need to use it.
Fixed.
test/e2e/network/util.go
Outdated
framework.Logf("the sctp module is loaded on node: %v", node.Name) | ||
return true | ||
for _, line := range strings.Split(result, "\n") { | ||
if !strings.Contains(line, "xt_sctp") && !!strings.Contains(line, "nf_conntrack_proto_sctp") { |
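Review bot: the second operand of the condition is `!!strings.Contains(line, "nf_conntrack_proto_sctp")`, where the double negation cancels out, so the branch is taken only for lines that lack xt_sctp but do contain nf_conntrack_proto_sctp. If the intent is to skip both helper modules, each operand needs a single `!`. Since strings.Contains is a substring match over the whole line, comparing the module-name field exactly would also avoid matching unrelated modules whose names or dependency lists merely contain the string.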
Sorry if this is a dumb question, but if I execute it on my host I have:
linux-6my5:~ # lsmod | grep sctp
sctp_diag 16384 0
sctp 352256 39 sctp_diag
inet_diag 20480 4 raw_diag,tcp_diag,sctp_diag,udp_diag
libcrc32c 16384 5 ip_vs,nf_conntrack,xfs,nf_nat,sctp
Is this `if` looking for a line that does not contain `xt_sctp` and `nf_conntrack_proto_sctp`?
Well, that `if` tries to filter out those modules that are not harmful from userspace SCTP stack perspective. But the best would be to check if the `sctp` module is loaded or not.
Coded a more sophisticated one with regex.
Sorry for the delay in getting back to this. This looks ready to go; I just have nitpicks.
test/e2e/network/network_policy.go
Outdated
@@ -1482,9 +1484,48 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() { | |||
}) | |||
cleanupServerPodAndService(f, podA, serviceA) | |||
}) | |||
ginkgo.It("should allow acces only for SCTP on port 80 [Feature:NetworkPolicy] [Feature:SCTP]", func() { |
typo "acces"
but this test name doesn't describe what the test is doing well.
"It should not allow access by TCP when a policy specifies only SCTP"
or something like that
Fixed.
test/e2e/network/service.go
Outdated
cs = f.ClientSet | ||
}) | ||
|
||
ginkgo.It("should serve a basic SCTP service with pod and endpoints", func() { |
"serve" makes it sound like this is testing that network traffic actually works, which it is not
"should allow creating a basic SCTP service with pod and endpoints"
Fixed.
test/e2e/network/service.go
Outdated
framework.ExpectNoError(err, "failed to delete service: %s in namespace: %s", serviceName, ns) | ||
}() | ||
|
||
err = framework.WaitForService(f.ClientSet, ns, serviceName, true, 5*time.Second, 45*time.Second) |
meh. test cases shouldn't have hard-coded time values, they should use constants defined in e2e/framework
... But the tests are kind of a mess and there are no obvious constants you could use here... I guess replace `45*time.Second` with `e2eservice.TestTimeout`.
Fixed.
test/e2e/network/service.go
Outdated
framework.ExpectNoError(err, "failed to delete service: %s in namespace: %s", serviceName, ns) | ||
}() | ||
|
||
err = framework.WaitForService(f.ClientSet, ns, serviceName, true, 5*time.Second, 45*time.Second) |
`e2eservice.TestTimeout` again
Fixed.
test/e2e/network/service.go
Outdated
framework.Failf("The state of the sctp module has changed due to the test case") | ||
} | ||
}) | ||
ginkgo.It("should create a NodePort Service with SCTP ports", func() { |
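Review bot: the Failf message at the top of this hunk says only that the state of the sctp module changed; it names neither the node nor whether the module was loaded before or after the test case. Including both in the message would make a failure diagnosable from the test log alone.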
Hm... I'm not sure this is really testing much more than the non-NodePort test. May not be worth having both.
Fixed. Deleted.
test/e2e/network/util.go
Outdated
|
||
// VerifySCTPModuleLoadedOnNodes checks whether any node on the list has the | ||
// sctp.ko module loaded | ||
func VerifySCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool { |
"Verify" makes it sound like the goal of the function is to ensure that SCTP is loaded, when in fact we want the opposite. Maybe rename to `CheckSCTPModuleLoadedOnNodes`? Or else `VerifySCTPModuleNotLoadedOnNodes` but then you'd have to flip the sense of the return value too.
Fixed.
@@ -76,3 +79,27 @@ func newAgnhostPod(name string, args ...string) *v1.Pod { | |||
}, | |||
} | |||
} | |||
|
|||
// VerifySCTPModuleLoadedOnNodes checks whether any node on the list has the | |||
// sctp.ko module loaded |
This is probably also a good place to document why we are doing this:
// For security reasons, and also to allow clusters to use userspace SCTP implementations,
// we require that just creating an SCTP Pod/Service/NetworkPolicy must not do anything
// that would cause the sctp kernel module to be loaded.
Fixed.
12f0791 to 377260f
/retest
Add SCTP NetworkPolicy test.
/lgtm
oops, and
/retest
sigh
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, janosi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
that happened a while back
/retest
/retest Review the full test history for this PR. Silence the bot with an
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR is to implement the basic e2e test cases for the SCTP support feature as defined at https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/0015-20180614-SCTP-support.md#basic-tests
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: