Add e2e network policy tests. #35660
Conversation
|
Can a kubernetes member verify that this patch is reasonable to test? If so, please reply with "@k8s-bot ok to test" on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands will still work. Regular contributors should join the org to skip this step. If you have questions or suggestions related to this bot's behavior, please file an issue against the kubernetes/test-infra repository. |
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed, please reply here (e.g.
|
k8s-github-robot
added
size/XL
There was a problem hiding this comment.
@djosborne Thanks for doing this!
A few nitty comments from me, but overall this looks like a nice set of basic e2es for NetworkPolicy.
test/e2e/network_policy.go
Outdated
| a simple netcat server, | ||
|
|
||
| We test the following: | ||
| - Namespace ingress isolation set to DefaultDeny |
There was a problem hiding this comment.
extra leading space on the first bullet.
test/e2e/network_policy.go
Outdated
| - Policy rules to allow mono-directional TCP connectivity | ||
| - Policy rules to allow bi-directional TCP connectivity | ||
|
|
||
| TODO: |
There was a problem hiding this comment.
Not a big fan of leaving TODOs in the code, but not too fussed.
test/e2e/network_policy.go
Outdated
| } | ||
| }() | ||
|
|
||
| framework.Logf("Waiting for client-b to run.") |
There was a problem hiding this comment.
This log doesn't correspond with the equivalent one for client-a above?
framework.Logf("Waiting for client-a to to come up.")
test/e2e/network_policy.go
Outdated
| setNamespaceIsolation(f, ns, "DefaultDeny") | ||
|
|
||
| By("Creating a simple server.") | ||
| podServer, service := createServerPod(f, ns, serverName, []int{listeningPort1}) |
There was a problem hiding this comment.
Naming nit: podServer is actually a serverPod
test/e2e/network_policy.go
Outdated
| By("Creating a network policy for the server which allows traffic from the pod 'client-a'.") | ||
| policy, err := f.Client.NetworkPolicies(ns.Name).Create(&extensions.NetworkPolicy{ | ||
| ObjectMeta: api.ObjectMeta{ | ||
| Name: "test-policy", |
There was a problem hiding this comment.
A more descriptive name here would be nice - something like Name: "allow-client-a" maybe?
test/e2e/network_policy.go
Outdated
| }() | ||
|
|
||
| // Create a pod with name 'client-b', which will attempt to comunicate with the server, | ||
| // but should not be able to do to the label-based policy. |
There was a problem hiding this comment.
extra space at beginning of comment.
s/do to/due to
test/e2e/network_policy.go
Outdated
| } | ||
| }() | ||
|
|
||
| // Create a pod with name 'client-a', which should be able to communicate with server. |
There was a problem hiding this comment.
comment doesn't match the test.
There was a problem hiding this comment.
I don't see how that's true? This is the PodSelector test, which allows connections from pods with label "pod-name": "client-a"
There was a problem hiding this comment.
D'oh, I somehow put a "not" in the comment when reading it. Sorry...
There was a problem hiding this comment.
No, Casey's original comment was correct; line 347 says:
// Create a pod with name 'client-a', which should be able to communicate with server.
and 348 says:
By("Creating client-a in ns-a which should *not* be able to contact the server.")
(or maybe the comment got moved around after new commits were pushed...)
test/e2e/network_policy.go
Outdated
| for i, port := range ports { | ||
| // Create the Container | ||
| containers = append(containers, api.Container{ | ||
| Name: fmt.Sprintf("%s-container-%d", podName, i), |
There was a problem hiding this comment.
Instead of naming this after i, could you name it after the port it is listening on?
test/e2e/network_policy.go
Outdated
| }, | ||
| Ports: []api.ContainerPort{{ContainerPort: int32(port)}}, | ||
| }) | ||
| // Create the Service. |
There was a problem hiding this comment.
comment doesn't match the code is describes.
test/e2e/network_policy.go
Outdated
| // Create a server pod with a listening container for each port in ports[]. | ||
| // Will also assign a pod label with key: "pod-name" and label set to the given podname for later use by the network | ||
| // policy. | ||
| func createServerPod(f *framework.Framework, namespace *api.Namespace, podName string, ports []int) (*api.Pod, *api.Service) { |
There was a problem hiding this comment.
naming nit: createServerPodAndService
|
@djosborne You need to sign the linuxfoundation CLA. |
ozdanborne
force-pushed
the
e2e-network-policy
branch
from
764ea65 to
9e36e59
Compare
|
I signed it! |
|
Worth noting, I used the Might be worth adding a busybox alternative / fix for e2e tests to use so I don't have to hijack etcd. |
|
@kubernetes/sig-network |
|
@k8s-bot ok to test |
|
@djosborne Looks like you've got some build failures. |
We also have LaunchWebserverPod() / CheckConnectivityToHost() in test/e2e/framework/util.go for this... (Well, it looks like they're currently unused, but this is what they were intended for; they originally came from the OpenShift network isolation tests.) |
test/e2e/network_policy.go
Outdated
| err = framework.WaitForPodSuccessInNamespace(f.Client, podClientA.Name, ns.Name) | ||
| Expect(err).NotTo(HaveOccurred(), "checking Client-A could communicate with server.") | ||
|
|
||
| By("Creating a client-b that should not succesfully connect to the closed port.") |
There was a problem hiding this comment.
"closed" sounds like it means "has had close() called on it". Something like "blocked" or "isolated" would be better. (And "unblocked"/"unisolated" rather than "opened" before)
test/e2e/network_policy.go
Outdated
|
|
||
| // Create Server with Service | ||
| By("Creating a simple server.") | ||
| serverPod, service := createServerPodAndService(f, ns, serverName, []int{listeningPort1, listeningPort2}) |
There was a problem hiding this comment.
This is the only test case that passes multiple ports to createServerPodAndService, but nothing tests that createServerPodAndService actually works correctly in that case. (If there is a bug in createServerPodAndService such that it only opens the first port, this test would still pass.) And then if that happened, then the test would always pass, even if the NetworkPolicy implementation was broken, because it doesn't distinguish client-b failing because of isolation vs client-b failing because of connection refused.
Simple fix: flip the policy around so port2 is allowed and port1 is denied, and test that instead (and assume that createServerPodAndService isn't likely to be buggy in a way that would let this pass erroneously)
Better fix: test that both listeningPort1 and listeningPort2 work before applying the NetworkPolicy
test/e2e/network_policy.go
Outdated
| } | ||
| }() | ||
|
|
||
| // Create a pod with name 'client-a', which should be able to communicate with server. |
There was a problem hiding this comment.
No, Casey's original comment was correct; line 347 says:
// Create a pod with name 'client-a', which should be able to communicate with server.
and 348 says:
By("Creating client-a in ns-a which should *not* be able to contact the server.")
(or maybe the comment got moved around after new commits were pushed...)
test/e2e/network_policy.go
Outdated
|
|
||
| // Create a pod with name 'client-b', which will attempt to comunicate with the server, | ||
| // but should not be able to do to the label-based policy. | ||
| By("Creating client-b in ns-b which should be able to contact the server.") |
There was a problem hiding this comment.
and this comment is backwards too
|
Additional test possibilities:
|
|
Sorry for the delay, thanks for the review guys. Will revisit and clean up next week. |
ozdanborne
force-pushed
the
e2e-network-policy
branch
2 times, most recently
from
4fd1006 to
338c9b8
Compare
k8s-github-robot
added
size/L
ozdanborne
force-pushed
the
e2e-network-policy
branch
2 times, most recently
from
6992f2c to
fe48e86
Compare
apelisse
removed
the
do-not-merge
ozdanborne
force-pushed
the
e2e-network-policy
branch
from
fe48e86 to
b405fbc
Compare
ozdanborne
force-pushed
the
e2e-network-policy
branch
from
0ffd7f9 to
e1706ad
Compare
|
hey @deads2k I've finally done it - all green. Ready to merge? cc: @caseydavenport |
My name got caught during the initial approver storm. I have approved, so when @caseydavenport lgtm's, you'll enter the queue. We're about to fork for 1.6, so I'm inclined to leave this in 1.7. |
|
/approve |
|
@thockin can we get a lgtm label on this guy so the merge bot will let it through? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
grodrigues3
added
the
needs-ok-to-test
|
@k8s-bot ok to test |
ozdanborne
force-pushed
the
e2e-network-policy
branch
from
e1706ad to
1d05a44
Compare
k8s-github-robot
removed
the
lgtm
|
@djosborne looks like the rebase broke things: |
|
ozdanborne
force-pushed
the
e2e-network-policy
branch
2 times, most recently
from
bd6d843 to
0a49451
Compare
ozdanborne
force-pushed
the
e2e-network-policy
branch
from
0a49451 to
e3762c6
Compare
|
@djosborne: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: caseydavenport, deads2k, djosborne, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue |
|
FYI @caseydavenport @djosborne @deads2k this merge broke the submit queue! Looks like a bad rebase of test_owners.csv |
dcbw
added
the
sig/network
Automatic merge from submit-queue NetworkPolicy tests This pulls in the NetworkPolicy tests from kubernetes/kubernetes#35660, and then makes a few changes to get it to work with our extended networking test, and to get it to actually pass given the current state of our NetworkPolicy support; hopefully the last commit will be able to be reverted at some point.
What this PR does / why we need it:
Add set of e2e tests for Network Policy. This has succesfully run againast a deployment using Calico as the network policy provider.
Specifically, adds a new e2e test file (/test/e2e/network_policy.go) which tests TCP connectivity between pods with isolation.
See #25638 for PR that added NetworkPolicy resource.
This PR is a replacement for #27447 .
This change is