CFE-853: e2e test case for DNSNameResolver and EgressFirewall integration
bharath-b-rh committed Apr 25, 2024
1 parent cab2b73 commit d30fb16
Showing 4 changed files with 106 additions and 2 deletions.
36 changes: 36 additions & 0 deletions test/extended/networking/egress_firewall.go
Expand Up @@ -22,9 +22,11 @@ import (
const (
egressFWTestPod = "egressfirewall"
egressFWE2E = "egress-firewall-e2e"
wcEgressFWE2E = "wildcard-egress-firewall-e2e"
noEgressFWE2E = "no-egress-firewall-e2e"
egressFWTestImage = "registry.k8s.io/e2e-test-images/agnhost:2.47"
oVNKManifest = "ovnk-egressfirewall-test.yaml"
oVNKWCManifest = "ovnk-egressfirewall-wildcard-test.yaml"
openShiftSDNManifest = "sdn-egressnetworkpolicy-test.yaml"
)

Expand All @@ -49,6 +51,25 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
})
},
)

// When OVNKubernetes subnet and coredns-ocp-dnsnameresolver plugins are enabled.
// coredns-ocp-dnsnameresolver plugin is a TechPreview feature.
// TODO:
// - Remove TechPreview check when feature is GA.
// - Merge oVNKManifest & oVNKWCManifest contents.
// - Update doEgressFwTest and sendEgressFwTraffic functions.
wcEgFwOc := exutil.NewCLIWithPodSecurityLevel(wcEgressFWE2E, admissionapi.LevelPrivileged)
wcEgFwF := wcEgFwOc.KubeFramework()
if exutil.IsTechPreviewNoUpgrade(egFwoc) {
InOVNKubernetesContext(
func() {
g.It("should ensure egressfirewall with wildcard dns rules is created", func() {
doEgressFwTest(wcEgFwF, wcEgFwOc, oVNKWCManifest, true)
})
},
)
}

noegFwoc := exutil.NewCLIWithPodSecurityLevel(noEgressFWE2E, admissionapi.LevelBaseline)
noegFwf := noegFwoc.KubeFramework()
g.It("egressFirewall should have no impact outside its namespace", func() {
Expand Down Expand Up @@ -128,6 +149,21 @@ func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelec
_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://docs.openshift.com").Output()
expectNoError(err)

// TODO:
// - Check for coredns-ocp-dnsnameresolver plugin.
// - Remove TechPreview check when feature is GA.
if networkPluginName() == OVNKubernetesPluginName && exutil.IsTechPreviewNoUpgrade(oc) {
// Test curl to `www.google.com` and `translate.google.com` should pass
// because we have allow dns rule for `*.google.com`.
g.By("sending traffic to `www.google.com` that matches allow dns rule for `*.google.com`")
_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://www.google.com").Output()
expectNoError(err)

g.By("sending traffic to `translate.google.com` that matches allow dns rule for `*.google.com`")
_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://translate.google.com").Output()
expectNoError(err)
}

// Test curl to www.google.com:80 should fail
// because we don't have allow dns rule for www.google.com:80
g.By("sending traffic that does not match allow dns rule")
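Review bot: The new guard `if networkPluginName() == OVNKubernetesPluginName && exutil.IsTechPreviewNoUpgrade(oc)` in sendEgressFwTraffic decides whether the `www.google.com` and `translate.google.com` checks run from cluster state alone, not from which manifest the namespace was given, so on a TechPreview OVN cluster it presumably also fires for callers that applied the non-wildcard oVNKManifest, where those names may not be allowed. The new It block already passes a fourth argument to doEgressFwTest (`doEgressFwTest(wcEgFwF, wcEgFwOc, oVNKWCManifest, true)`), apparently a wildcard flag; threading that flag into sendEgressFwTraffic and testing it instead of the plugin/TechPreview pair would tie the positive checks to the manifest actually applied. The negative check that follows the hunk (comment: `www.google.com:80` should fail because there is no allow rule for it) also looks at odds with the YAML hunk below, where the `*.google.com` Allow rule carries no `ports` restriction, so port 80 would match it; confirm that check is skipped for the wildcard case or give the rule a `ports` entry. sendEgressFwTraffic's body starts and ends outside this hunk.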
47 changes: 45 additions & 2 deletions test/extended/testdata/bindata.go


@@ -0,0 +1,23 @@
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
name: default
spec:
egress:
- type: Allow
to:
dnsName: docs.openshift.com
- type: Allow
to:
dnsName: "*.google.com"
- type: Allow
to:
cidrSelector: 8.8.8.8/32
- type: Allow
to:
nodeSelector:
matchLabels:
node-role.kubernetes.io/control-plane: ''
- type: Deny
to:
cidrSelector: 0.0.0.0/0

