Signed-off-by: Kanha gupta <kanhag4163@gmail.com>
kanha-gupta committed May 28, 2024
1 parent cabcf9c commit 130dfc6
Showing 3 changed files with 88 additions and 136 deletions.
123 changes: 0 additions & 123 deletions pkg/antctl/raw/check/installation/policy.go

This file was deleted.

51 changes: 44 additions & 7 deletions pkg/antctl/raw/check/installation/test_egressdenyall.go
Expand Up @@ -17,6 +17,10 @@ package installation
import (
"context"
"fmt"

networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
)

type EgressDenyAllConnectivityTest struct{}
Expand All @@ -26,21 +30,54 @@ func init() {
}

func (a EgressDenyAllConnectivityTest) Run(ctx context.Context, testContext *testContext) error {
ApplyEgressDenyAll(ctx, testContext.client, testContext.namespace)
err := WaitForNetworkPolicyReady(ctx, testContext.client, testContext.namespace, "egress-deny-all", testContext.clusterName)
if err != nil {
services := []string{echoSameNodeDeploymentName}
if testContext.echoOtherNodePod != nil {
services = append(services, echoOtherNodeDeploymentName)
}
if err := applyEgressDenyAll(ctx, testContext.client, testContext.namespace); err != nil {
return err
}
services := []string{echoSameNodeDeploymentName, echoOtherNodeDeploymentName}
testContext.Log("NetworkPolicy applied successfully")
for _, clientPod := range testContext.clientPods {
for _, service := range services {
if err := testContext.runAgnhostConnect(ctx, clientPod.Name, "", service, 80); err != nil {
testContext.Log("NetworkPolicy is working as expected with Pod %s and Service %s", clientPod.Name, service)
testContext.Log("NetworkPolicy is working as expected: Pod %s cannot connect to Service %s", clientPod.Name, service)
} else {
return fmt.Errorf("NetworkPolicy is not working as expected with Pod %s and Service %s ", clientPod.Name, service)
return fmt.Errorf("networkPolicy is not working as expected: Pod %s connected to Service %s when it should not", clientPod.Name, service)
}
}
}
WaitForNetworkPolicyTeardown(ctx, testContext.client, testContext.namespace, "egress-deny-all", testContext.clusterName)
if err := testContext.client.NetworkingV1().NetworkPolicies(testContext.namespace).Delete(ctx, "egress-deny-all", metav1.DeleteOptions{}); err != nil {
return fmt.Errorf("NetworkPolicy deletion failed: %w", err)
}
testContext.Log("NetworkPolicy deletion successful")
return nil
}

func applyEgressDenyAll(ctx context.Context, client kubernetes.Interface, namespace string) error {
networkPolicy := &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "egress-deny-all",
Namespace: namespace,
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{
{
Key: "name",
Operator: metav1.LabelSelectorOpIn,
Values: []string{clientDeploymentName},
},
},
},
PolicyTypes: []networkingv1.PolicyType{
networkingv1.PolicyTypeEgress,
},
},
}
_, err := client.NetworkingV1().NetworkPolicies(namespace).Create(ctx, networkPolicy, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("error creating NetworkPolicy: %w", err)
}
return nil
}
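Review bot: The connectivity loop `for _, clientPod := range testContext.clientPods` starts the moment `applyEgressDenyAll` returns, but a successful Create only means the API server stored the object; the removed `WaitForNetworkPolicyReady` and `WaitForNetworkPolicyTeardown` calls were what gave the CNI time to realize and withdraw the policy, and nothing in the new code replaces them. A connection that still succeeds before enforcement lands is reported via `return fmt.Errorf("networkPolicy is not working as expected: ...")`, so the check can fail spuriously, and the following test can start while the deny-all policy is presumably still in effect. That same early return also skips the `Delete` at the end of `Run`, leaving `egress-deny-all` in the namespace for every later test. I would move the deletion into a `defer` as soon as the apply succeeds and retry `runAgnhostConnect` under a bounded timeout before concluding the policy is broken; `Run` in test_ingressdenyall.go in this commit has the same two gaps.
```go
func (a EgressDenyAllConnectivityTest) Run(ctx context.Context, testContext *testContext) (retErr error) {
	// … unchanged: services list and applyEgressDenyAll call …
	defer func() {
		err := testContext.client.NetworkingV1().NetworkPolicies(testContext.namespace).Delete(ctx, "egress-deny-all", metav1.DeleteOptions{})
		if err != nil && retErr == nil {
			retErr = fmt.Errorf("NetworkPolicy deletion failed: %w", err)
			return
		}
		testContext.Log("NetworkPolicy deletion successful")
	}()
	// … unchanged: connectivity loop over clientPods and services, with a bounded retry of runAgnhostConnect …
```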
50 changes: 44 additions & 6 deletions pkg/antctl/raw/check/installation/test_ingressdenyall.go
Expand Up @@ -17,6 +17,10 @@ package installation
import (
"context"
"fmt"

networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
)

type IngressDenyAllConnectivityTest struct{}
Expand All @@ -26,21 +30,55 @@ func init() {
}

func (a IngressDenyAllConnectivityTest) Run(ctx context.Context, testContext *testContext) error {
ApplyIngressDenyAll(ctx, testContext.client, testContext.namespace)
err := WaitForNetworkPolicyReady(ctx, testContext.client, testContext.namespace, "ingress-deny-all", testContext.clusterName)
if err != nil {
values := []string{echoSameNodeDeploymentName}
if testContext.echoOtherNodePod != nil {
values = append(values, echoOtherNodeDeploymentName)
}
if err := applyIngressDenyAll(ctx, testContext.client, testContext.namespace, values); err != nil {
return err
}
testContext.Log("NetworkPolicy applied successfully")
services := []string{echoSameNodeDeploymentName, echoOtherNodeDeploymentName}
for _, clientPod := range testContext.clientPods {
for _, service := range services {
if err := testContext.runAgnhostConnect(ctx, clientPod.Name, "", service, 80); err != nil {
testContext.Log("NetworkPolicy is working as expected with Pod %s and Service %s", clientPod.Name, service)
testContext.Log("NetworkPolicy is working as expected: Pod %s cannot connect to Service %s", clientPod.Name, service)
} else {
return fmt.Errorf("networkPolicy is not working as expected with Pod %s and Service %s ", clientPod.Name, service)
return fmt.Errorf("networkPolicy is not working as expected: Pod %s connected to Service %s when it should not", clientPod.Name, service)
}
}
}
WaitForNetworkPolicyTeardown(ctx, testContext.client, testContext.namespace, "ingress-deny-all", testContext.clusterName)
if err := testContext.client.NetworkingV1().NetworkPolicies(testContext.namespace).Delete(ctx, "ingress-deny-all", metav1.DeleteOptions{}); err != nil {
return fmt.Errorf("NetworkPolicy deletion failed: %w", err)
}
testContext.Log("NetworkPolicy deletion successful")
return nil
}

func applyIngressDenyAll(ctx context.Context, client kubernetes.Interface, namespace string, values []string) error {
networkPolicy := &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "ingress-deny-all",
Namespace: namespace,
},
Spec: networkingv1.NetworkPolicySpec{
PodSelector: metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{
{
Key: "name",
Operator: metav1.LabelSelectorOpIn,
Values: values,
},
},
},
PolicyTypes: []networkingv1.PolicyType{
networkingv1.PolicyTypeIngress,
},
},
}
_, err := client.NetworkingV1().NetworkPolicies(namespace).Create(ctx, networkPolicy, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("error creating NetworkPolicy: %w", err)
}
return nil
}
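Review bot: `services := []string{echoSameNodeDeploymentName, echoOtherNodeDeploymentName}` still names the other-node echo service unconditionally, while the new `values` slice a few lines above only appends `echoOtherNodeDeploymentName` when `testContext.echoOtherNodePod != nil`, and the egress test in this commit builds its dial list conditionally in the same way. When there is no other-node pod the loop dials a service the policy never selected; if that service is also absent, the refused connection is logged as "working as expected", which is a vacuous pass rather than a verification. Reuse the list already built, `services := values`, or drop `values` and pass `services` to `applyIngressDenyAll`, so the selector and the dial targets cannot drift apart. A name such as `targetDeployments` would also make clearer that the slice feeds both the `PodSelector` and the connection attempts.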
