Fix YAML injections in the network policy enforcement test
dlapcevic authored and marseel committed Jan 12, 2024
1 parent a5ac4af commit 9150ab7
Showing 8 changed files with 13 additions and 34 deletions.
Expand Up @@ -21,9 +21,9 @@ spec:
# Use separate nodes to avoid consuming CPU/Memory resources on default
# nodes where all deployments of the performance test run.
nodeSelector:
{{.TestClientNodeSelectorKey}}: {{.TestClientNodeSelectorValue}}
test-np: {{.TestClientNodeSelectorValue}}
tolerations:
- key: {{.TestClientNodeSelectorKey}}
- key: test-np
operator: Equal
value: {{.TestClientNodeSelectorValue}}
effect: NoSchedule
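Review bot: The selector and toleration values are still substituted into the manifest unquoted (`test-np: {{.TestClientNodeSelectorValue}}` and `value: {{.TestClientNodeSelectorValue}}`), so a parameter value containing a newline or YAML syntax can still alter the rendered document; hard-coding the key closes only half of the injection. The same applies to the `{{.TargetLabelValue}}`, `{{.PodSelectorLabelValue}}`, `{{$TargetLabelValue}}` and `{{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE}}` lines in the other templates of this commit. Assuming these files are rendered with Go's text/template, emitting the value as a quoted scalar would contain it, e.g. `test-np: {{printf "%q" .TestClientNodeSelectorValue}}`. Indentation is not preserved on this page, so the suggestion shows only the key/value text.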
Expand Up @@ -21,9 +21,9 @@ spec:
# Use separate nodes to avoid consuming CPU/Memory resources on default
# nodes where all deployments of the performance test run.
nodeSelector:
{{.TestClientNodeSelectorKey}}: {{.TestClientNodeSelectorValue}}
test-np: {{.TestClientNodeSelectorValue}}
tolerations:
- key: {{.TestClientNodeSelectorKey}}
- key: test-np
operator: Equal
value: {{.TestClientNodeSelectorValue}}
effect: NoSchedule
Expand Up @@ -15,7 +15,7 @@ spec:
- to:
- podSelector:
matchLabels:
{{.TargetLabelKey}}: {{.TargetLabelValue}}
net-pol-test: {{.TargetLabelValue}}
{{if .OnlyTargetNamespace}}
namespaceSelector:
matchLabels:
Expand Up @@ -8,7 +8,7 @@ metadata:
spec:
podSelector:
matchLabels:
{{.PodSelectorLabelKey}}: {{.PodSelectorLabelValue}}
name: {{.PodSelectorLabelValue}}
policyTypes:
- Egress
egress:
Expand Up @@ -45,7 +45,7 @@ Deploy the test clients (setup and run) with "testType" flag set to
Deploy the test clients (setup and run) with "testType" flag set to
"pod-creation", before creating the target pods.
Target pods are all pods that have the specified label:
{ targetLabelKey: targetLabelValue }.
{ net-pol-test: targetLabelValue }.
The test is set up by this measurement, by creating the required resources,
including the network policy enforcement latency test client pods that are
measuring the latencies and generating metrics for them.
Expand Down Expand Up @@ -98,9 +98,6 @@ type networkPolicyEnforcementMeasurement struct {
framework *framework.Framework
// testClientNamespace is the namespace of the test client pods.
testClientNamespace string
// targetLabelKey is the key for the label selector of target pods to apply
// network policies on and measure the latency to become reachable.
targetLabelKey string
// targetLabelValue is the value for the label selector of target pods to
// apply network policies on and measure the latency to become reachable.
targetLabelValue string
Expand All @@ -111,9 +108,6 @@ type networkPolicyEnforcementMeasurement struct {
// creation latency test, to compare pod creation reachability latency with
// and without network policies.
baseline bool
// testClientNodeSelectorKey is the key for the node label on which the test
// client pods should run.
testClientNodeSelectorKey string
// testClientNodeSelectorValue is value key for the node label on which the
// test client pods should run.
testClientNodeSelectorValue string
Expand Down Expand Up @@ -185,10 +179,6 @@ func (nps *networkPolicyEnforcementMeasurement) initializeMeasurement(config *me
}

var err error
if nps.targetLabelKey, err = util.GetString(config.Params, "targetLabelKey"); err != nil {
return err
}

if nps.targetLabelValue, err = util.GetString(config.Params, "targetLabelValue"); err != nil {
return err
}
Expand All @@ -201,10 +191,6 @@ func (nps *networkPolicyEnforcementMeasurement) initializeMeasurement(config *me
return err
}

if nps.testClientNodeSelectorKey, err = util.GetString(config.Params, "testClientNodeSelectorKey"); err != nil {
return err
}

if nps.testClientNodeSelectorValue, err = util.GetString(config.Params, "testClientNodeSelectorValue"); err != nil {
return err
}
Expand Down Expand Up @@ -283,12 +269,11 @@ func (nps *networkPolicyEnforcementMeasurement) run(config *measurement.Config)
templateMap := map[string]interface{}{
"Namespace": nps.testClientNamespace,
"TestClientLabel": netPolicyTestClientName,
"TargetLabelSelector": fmt.Sprintf("%s = %s", nps.targetLabelKey, nps.targetLabelValue),
"TargetLabelSelector": fmt.Sprintf("net-pol-test = %s", nps.targetLabelValue),
"TargetPort": targetPort,
"MetricsPort": metricsPort,
"ServiceAccountName": netPolicyTestClientName,
"MaxTargets": maxTargets,
"TestClientNodeSelectorKey": nps.testClientNodeSelectorKey,
"TestClientNodeSelectorValue": nps.testClientNodeSelectorValue,
}

Expand Down Expand Up @@ -403,7 +388,6 @@ func (nps *networkPolicyEnforcementMeasurement) createPolicyToTargetPods(policyN
templateMap := map[string]interface{}{
"Name": policyName,
"Namespace": nps.testClientNamespace,
"TargetLabelKey": nps.targetLabelKey,
"TypeLabelValue": testType,
}

Expand Down Expand Up @@ -479,7 +463,6 @@ func (nps *networkPolicyEnforcementMeasurement) createLoadPolicies(config *measu
templateMapForTargetPods := map[string]interface{}{
"Name": fmt.Sprintf("%s-%d", podSelectorLabelValue, nsIdx),
"Namespace": ns,
"PodSelectorLabelKey": "name",
"PodSelectorLabelValue": podSelectorLabelValue,
"CIDR": baseCidr,
}
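Review bot: `initializeMeasurement` stores `targetLabelValue` and `testClientNodeSelectorValue` straight from `util.GetString` with no syntax check, and `run` then formats the former into a selector expression with `fmt.Sprintf("net-pol-test = %s", nps.targetLabelValue)`, so a value containing a comma or an operator would change the selector itself rather than only its operand. Rejecting anything that is not a valid Kubernetes label value at the point of reading would cover this selector as well as the templates the values are rendered into, e.g. `if errs := validation.IsValidLabelValue(nps.targetLabelValue); len(errs) > 0 { return fmt.Errorf("invalid targetLabelValue %q: %v", nps.targetLabelValue, errs) }` with `k8s.io/apimachinery/pkg/util/validation`, and the same check for `testClientNodeSelectorValue`. Whether that package is already imported is not visible here, and both functions start and end outside the hunks shown.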
5 changes: 2 additions & 3 deletions clusterloader2/testing/load/daemonset.yaml
Expand Up @@ -5,7 +5,6 @@
{{$RUN_ON_ARM_NODES := DefaultParam .CL2_RUN_ON_ARM_NODES false}}

{{$ENABLE_NETWORK_POLICY_ENFORCEMENT_LATENCY_TEST := DefaultParam .CL2_ENABLE_NETWORK_POLICY_ENFORCEMENT_LATENCY_TEST false}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY "test"}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE "net-policy-client"}}

apiVersion: apps/v1
Expand Down Expand Up @@ -42,15 +41,15 @@ spec:
memory: "20M"
priorityClassName: daemonset-priorityclass-0 # Name is autogenerated, hence the -0 prefix.
terminationGracePeriodSeconds: 1
tolerations:
tolerations:
{{if $RUN_ON_ARM_NODES}}
- key: "kubernetes.io/arch"
operator: Equal
value: arm64
effect: NoSchedule
{{end}}
{{if $ENABLE_NETWORK_POLICY_ENFORCEMENT_LATENCY_TEST}}
- key: {{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY}}
- key: test-np
operator: Equal
value: {{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE}}
effect: NoSchedule
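Review bot: The toleration key is now the literal `test-np`, whereas the `CL2_NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY` parameter that appears to be removed at the top of this file defaulted to `"test"`, so node pools tainted and labelled with the old default key would no longer match this toleration or the test clients' `nodeSelector`. Nothing visible in the change tells an operator that those nodes have to be re-tainted and relabelled. A comment next to the key would document the new contract, for example `# Fixed key: nodes for the test clients must be tainted and labelled test-np=<value>`.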
3 changes: 1 addition & 2 deletions clusterloader2/testing/load/deployment.yaml
Expand Up @@ -9,7 +9,6 @@
{{$RUN_ON_ARM_NODES := DefaultParam .CL2_RUN_ON_ARM_NODES false}}

{{$EnableNetworkPolicyEnforcementLatencyTest := DefaultParam .EnableNetworkPolicyEnforcementLatencyTest false}}
{{$TargetLabelKey := DefaultParam .TargetLabelKey "net-pol-test"}}
{{$TargetLabelValue := DefaultParam .TargetLabelValue "enforcement-latency"}}
# Run a server pod for network policy enforcement latency test only on every Nth pod.
# Default every third pod.
Expand Down Expand Up @@ -38,7 +37,7 @@ spec:
dns-test: dnsperfgo
{{else}}
{{if $RunNetPolicyTest}}
{{$TargetLabelKey}}: {{$TargetLabelValue}}
net-pol-test: {{$TargetLabelValue}}
{{end}}
{{end}}
spec:
@@ -1,7 +1,6 @@
{{$NETWORK_POLICY_ENFORCEMENT_LATENCY_BASELINE := DefaultParam .CL2_NETWORK_POLICY_ENFORCEMENT_LATENCY_BASELINE false}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_KEY := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_KEY "net-pol-test"}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_VALUE := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_VALUE "enforcement-latency"}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY "test"}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE "net-policy-client"}}
{{$NET_POLICY_ENFORCEMENT_LATENCY_MAX_TARGET_PODS_PER_NS := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LATENCY_MAX_TARGET_PODS_PER_NS 100}}
{{$NET_POLICY_ENFORCEMENT_LOAD_COUNT := DefaultParam .CL2_NET_POLICY_ENFORCEMENT_LOAD_COUNT 1000}}
Expand All @@ -27,10 +26,9 @@ steps:
targetLabelKey: {{$NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_KEY}}
targetLabelValue: {{$NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_VALUE}}
baseline: {{$NETWORK_POLICY_ENFORCEMENT_LATENCY_BASELINE}}
testClientNodeSelectorKey: {{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_KEY}}
testClientNodeSelectorValue: {{$NET_POLICY_ENFORCEMENT_LATENCY_NODE_LABEL_VALUE}}
{{end}}

{{if $run}}
- name: "Run pod creation network policy enforcement latency measurement (testType={{$testType}})"
measurements:
Expand All @@ -45,7 +43,7 @@ steps:
policyLoadQPS: {{$NET_POLICY_ENFORCEMENT_LOAD_QPS}}
policyLoadTargetBaseName: {{$NET_POLICY_ENFORCEMENT_LOAD_TARGET_NAME}}
{{end}}

{{if $complete}}
- name: "Complete pod creation network policy enforcement latency measurement (testType={{$testType}})"
measurements:
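Review bot: The `targetLabelKey: {{$NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_KEY}}` parameter and the `CL2_NET_POLICY_ENFORCEMENT_LATENCY_TARGET_LABEL_KEY` default above it appear to remain in this file (the first two hunk headers each account for only one removed line, which looks like the node-label key), although the measurement no longer reads `targetLabelKey`. An override of that variable would then be accepted and silently ignored while every template uses the fixed `net-pol-test` key. Dropping both lines, or leaving a comment such as `# targetLabelKey is fixed to "net-pol-test" and can no longer be overridden`, would keep the configuration consistent with the code.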