diff --git a/test/e2e/network/netpol/BUILD b/test/e2e/network/netpol/BUILD index a90026d8c719..b52177fbac65 100644 --- a/test/e2e/network/netpol/BUILD +++ b/test/e2e/network/netpol/BUILD @@ -8,6 +8,7 @@ go_library( "kubemanager.go", "model.go", "network_policy.go", + "network_policy_api.go", "policies.go", "probe.go", "reachability.go", @@ -18,9 +19,12 @@ go_library( deps = [ "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/api/networking/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//test/e2e/framework:go_default_library", "//test/e2e/framework/pod:go_default_library", diff --git a/test/e2e/network/netpol/network_policy.go b/test/e2e/network/netpol/network_policy.go index 343ca411348f..8784ddda0087 100644 --- a/test/e2e/network/netpol/network_policy.go +++ b/test/e2e/network/netpol/network_policy.go @@ -28,11 +28,11 @@ import ( networkingv1 "k8s.io/api/networking/v1" "github.com/onsi/ginkgo" - e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" - utilnet "k8s.io/utils/net" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/kubernetes/test/e2e/framework" + e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper" + utilnet "k8s.io/utils/net" ) const ( diff --git a/test/e2e/network/netpol/network_policy_api.go b/test/e2e/network/netpol/network_policy_api.go new file mode 100644 index 000000000000..9d84f24615b4 --- /dev/null +++ b/test/e2e/network/netpol/network_policy_api.go @@ -0,0 +1,211 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package netpol + +import ( + "context" + "fmt" + "time" + + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/apimachinery/pkg/watch" + + "github.com/onsi/ginkgo" + networkingv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/kubernetes/test/e2e/framework" +) + +var _ = SIGDescribeCopy("Netpol API", func() { + f := framework.NewDefaultFramework("netpol") + /* + Release: v1.20 + Testname: NetworkPolicies API + Description: + - The networking.k8s.io API group MUST exist in the /apis discovery document. + - The networking.k8s.io/v1 API group/version MUST exist in the /apis/networking.k8s.io discovery document. + - The NetworkPolicies resources MUST exist in the /apis/networking.k8s.io/v1 discovery document. + - The NetworkPolicies resource must support create, get, list, watch, update, patch, delete, and deletecollection. + */ + + ginkgo.It("should support creating NetworkPolicy API operations", func() { + // Setup + ns := f.Namespace.Name + npVersion := "v1" + npClient := f.ClientSet.NetworkingV1().NetworkPolicies(ns) + npTemplate := &networkingv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "e2e-example-netpol", + Labels: map[string]string{ + "special-label": f.UniqueName, + }, + }, + Spec: networkingv1.NetworkPolicySpec{ + // Apply this policy to the Server + PodSelector: metav1.LabelSelector{ + MatchLabels: map[string]string{ + "pod-name": "test-pod", + }, + }, + // Allow traffic only from client-a in namespace-b + Ingress: []networkingv1.NetworkPolicyIngressRule{{ + From: []networkingv1.NetworkPolicyPeer{{ + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "ns-name": "pod-b", + }, + }, + PodSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "pod-name": "client-a", + }, + }, + }}, + }}, + }, + } + // Discovery + ginkgo.By("getting /apis") + { + discoveryGroups, err := f.ClientSet.Discovery().ServerGroups() + framework.ExpectNoError(err) + found := false + for _, group := range discoveryGroups.Groups { + if group.Name == networkingv1.GroupName { + for _, version := range group.Versions { + if version.Version == npVersion { + found = true + break + } + } + } + } + framework.ExpectEqual(found, true, fmt.Sprintf("expected networking API group/version, got %#v", discoveryGroups.Groups)) + } + ginkgo.By("getting /apis/networking.k8s.io") + { + group := &metav1.APIGroup{} + err := f.ClientSet.Discovery().RESTClient().Get().AbsPath("/apis/networking.k8s.io").Do(context.TODO()).Into(group) + framework.ExpectNoError(err) + found := false + for _, version := range group.Versions { + if version.Version == npVersion { + found = true + break + } + } + framework.ExpectEqual(found, true, fmt.Sprintf("expected networking API version, got %#v", group.Versions)) + } + ginkgo.By("getting /apis/networking.k8s.io" + npVersion) + { + resources, err := f.ClientSet.Discovery().ServerResourcesForGroupVersion(networkingv1.SchemeGroupVersion.String()) + framework.ExpectNoError(err) + foundNetPol := false + for _, resource := range resources.APIResources { + switch resource.Name { + case "networkpolicies": + foundNetPol = true + } + } + framework.ExpectEqual(foundNetPol, true, fmt.Sprintf("expected networkpolicies, got %#v", resources.APIResources)) + } + // NetPol resource create/read/update/watch verbs + ginkgo.By("creating") + _, err := npClient.Create(context.TODO(), npTemplate, metav1.CreateOptions{}) + framework.ExpectNoError(err) + _, err = npClient.Create(context.TODO(), npTemplate, metav1.CreateOptions{}) + framework.ExpectNoError(err) + createdNetPol, err := npClient.Create(context.TODO(), npTemplate, metav1.CreateOptions{}) + framework.ExpectNoError(err) + + ginkgo.By("getting") + gottenNetPol, err := npClient.Get(context.TODO(), createdNetPol.Name, metav1.GetOptions{}) + framework.ExpectNoError(err) + framework.ExpectEqual(gottenNetPol.UID, createdNetPol.UID) + + ginkgo.By("listing") + nps, err := npClient.List(context.TODO(), metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + framework.ExpectEqual(len(nps.Items), 3, "filtered list should have 3 items") + + ginkgo.By("watching") + framework.Logf("starting watch") + npWatch, err := npClient.Watch(context.TODO(), metav1.ListOptions{ResourceVersion: nps.ResourceVersion, LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + // Test cluster-wide list and watch + clusterNPClient := f.ClientSet.NetworkingV1().NetworkPolicies("") + ginkgo.By("cluster-wide listing") + clusterNPs, err := clusterNPClient.List(context.TODO(), metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + framework.ExpectEqual(len(clusterNPs.Items), 3, "filtered list should have 3 items") + + ginkgo.By("cluster-wide watching") + framework.Logf("starting watch") + _, err = clusterNPClient.Watch(context.TODO(), metav1.ListOptions{ResourceVersion: nps.ResourceVersion, LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + + ginkgo.By("patching") + patchedNetPols, err := npClient.Patch(context.TODO(), createdNetPol.Name, types.MergePatchType, []byte(`{"metadata":{"annotations":{"patched":"true"}}}`), metav1.PatchOptions{}) + framework.ExpectNoError(err) + framework.ExpectEqual(patchedNetPols.Annotations["patched"], "true", "patched object should have the applied annotation") + + ginkgo.By("updating") + npToUpdate := patchedNetPols.DeepCopy() + npToUpdate.Annotations["updated"] = "true" + updatedNetPols, err := npClient.Update(context.TODO(), npToUpdate, metav1.UpdateOptions{}) + framework.ExpectNoError(err) + framework.ExpectEqual(updatedNetPols.Annotations["updated"], "true", "updated object should have the applied annotation") + + framework.Logf("waiting for watch events with expected annotations") + for sawAnnotations := false; !sawAnnotations; { + select { + case evt, ok := <-npWatch.ResultChan(): + framework.ExpectEqual(ok, true, "watch channel should not close") + framework.ExpectEqual(evt.Type, watch.Modified) + watchedNetPol, isNetPol := evt.Object.(*networkingv1.NetworkPolicy) + framework.ExpectEqual(isNetPol, true, fmt.Sprintf("expected NetworkPolicy, got %T", evt.Object)) + if watchedNetPol.Annotations["patched"] == "true" && watchedNetPol.Annotations["updated"] == "true" { + framework.Logf("saw patched and updated annotations") + sawAnnotations = true + npWatch.Stop() + } else { + framework.Logf("missing expected annotations, waiting: %#v", watchedNetPol.Annotations) + } + case <-time.After(wait.ForeverTestTimeout): + framework.Fail("timed out waiting for watch event") + } + } + // NetPol resource delete operations + ginkgo.By("deleting") + err = npClient.Delete(context.TODO(), createdNetPol.Name, metav1.DeleteOptions{}) + framework.ExpectNoError(err) + _, err = npClient.Get(context.TODO(), createdNetPol.Name, metav1.GetOptions{}) + framework.ExpectEqual(apierrors.IsNotFound(err), true, fmt.Sprintf("expected 404, got %#v", err)) + nps, err = npClient.List(context.TODO(), metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + framework.ExpectEqual(len(nps.Items), 2, "filtered list should have 2 items") + + ginkgo.By("deleting a collection") + err = npClient.DeleteCollection(context.TODO(), metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + nps, err = npClient.List(context.TODO(), metav1.ListOptions{LabelSelector: "special-label=" + f.UniqueName}) + framework.ExpectNoError(err) + framework.ExpectEqual(len(nps.Items), 0, "filtered list should have 0 items") + }) +})