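package integration_tests

import (
	"fmt"
	"time"

	"github.com/apprenda/kismatic/pkg/retry"
	. "github.com/onsi/ginkgo"
)

// verifyNetworkPolicy checks that NetworkPolicy is enforced on the cluster
// reachable from node. It deploys the tester pod and echo server from
// test-resources/network-policy/tester.yaml into the policy-tester namespace and
// then asserts three states, in order:
//
//  1. with no policy applied, the tester can reach the echo server;
//  2. after default-deny.yaml is applied, the tester can no longer reach it;
//  3. after policy.yaml is applied on top, the tester can reach it again.
//
// Every kubectl command is executed on node over SSH with sshKey, as root and
// against /root/.kube/config (i.e. with whatever privileges that kubeconfig
// carries), each with a one-minute timeout.
//
// The default-deny policy is undone before returning, including when one of the
// assertions in step 2 or 3 fails, so a failing run does not leave the
// policy-tester namespace isolated for whatever runs next. The tester pods and
// the allow policy from policy.yaml are NOT removed.
//
// The returned error describes the first step that failed. If an assertion
// failed and the deny policy could not be undone afterwards, both problems are
// reported in the one error.
func verifyNetworkPolicy(node NodeDeets, sshKey string) error {
	const timeout = 1 * time.Minute

	// kubectl runs one kubectl sub-command on node with the root admin kubeconfig.
	kubectl := func(args string) error {
		return runViaSSH([]string{"sudo kubectl --kubeconfig /root/.kube/config " + args}, []NodeDeets{node}, sshKey, timeout)
	}

	By("deploying test pods")
	if err := copyFileToRemote("test-resources/network-policy/tester.yaml", "/tmp/tester.yaml", node, sshKey, timeout); err != nil {
		return fmt.Errorf("could not copy network-policy tester to remote: %v", err)
	}
	if err := kubectl("apply -f /tmp/tester.yaml"); err != nil {
		return fmt.Errorf("could not deploy network-policy tester to remote: %v", err)
	}

	By("testing connection with policy disabled")
	// Several attempts: the pods may still be coming up.
	if err := testPodAccess(node, sshKey, 5); err != nil {
		return fmt.Errorf("could not connect to pod: %v", err)
	}

	By("enabling global network policy on the policy-tester namespace")
	if err := copyFileToRemote("test-resources/network-policy/default-deny.yaml", "/tmp/default-deny.yaml", node, sshKey, timeout); err != nil {
		return fmt.Errorf("could not copy default-deny network-policy resource to remote: %v", err)
	}
	if err := kubectl("apply -f /tmp/default-deny.yaml"); err != nil {
		return fmt.Errorf("could not deploy default-deny network-policy resource to remote: %v", err)
	}

	// The namespace is isolated from here on. Run the remaining assertions, then
	// undo the isolation whether or not they passed; returning early on a failed
	// assertion would leave the deny policy in place.
	checkErr := func() error {
		By("testing connection with global policy enabled")
		// A single attempt: if the probe gets through even once the policy is not
		// being enforced. (testPodAccess cannot tell a policy deny apart from a
		// failing ssh/kubectl step, so this is a comparatively weak assertion.)
		if err := testPodAccess(node, sshKey, 1); err == nil {
			return fmt.Errorf("expected connection to fail and it did not")
		}

		By("applying a policy to allow test pods communication")
		if err := copyFileToRemote("test-resources/network-policy/policy.yaml", "/tmp/policy.yaml", node, sshKey, timeout); err != nil {
			return fmt.Errorf("could not copy pod network-policy resources to remote: %v", err)
		}
		if err := kubectl("apply -f /tmp/policy.yaml"); err != nil {
			return fmt.Errorf("could not deploy pod network-policy resources to remote: %v", err)
		}

		By("testing connection with global policy enabled and pod policy deployed")
		// Several attempts again: policy changes take a moment to propagate.
		if err := testPodAccess(node, sshKey, 5); err != nil {
			return fmt.Errorf("could not connect to pod after allowing traffic: %v", err)
		}
		return nil
	}()

	By("disabling global network policy on the policy-tester namespace")
	cleanupErr := func() error {
		// Flip the namespace-level isolation annotation back to DefaultAllow.
		// NOTE(review): net.beta.kubernetes.io/network-policy is the legacy beta
		// mechanism; presumably newer clusters ignore it and only the delete of the
		// NetworkPolicy object below actually lifts the deny — verify against the
		// Kubernetes versions this test targets.
		if err := retry.WithBackoff(func() error {
			return kubectl(`annotate ns policy-tester "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultAllow\"}}" --overwrite`)
		}, 3); err != nil {
			return fmt.Errorf("could not unset deny policy: %v", err)
		}
		if err := kubectl("delete -f /tmp/default-deny.yaml"); err != nil {
			return fmt.Errorf("could not delete default-deny network-policy resource from remote: %v", err)
		}
		return nil
	}()

	switch {
	case checkErr != nil && cleanupErr != nil:
		// Surface both: the assertion result is what the caller asked about, but a
		// namespace left in default-deny will break later tests too.
		return fmt.Errorf("%v (additionally, could not undo default-deny policy: %v)", checkErr, cleanupErr)
	case checkErr != nil:
		return checkErr
	default:
		return cleanupErr
	}
}

// testPodAccess probes the echo server from the tester pod: it runs
// `wget --spider --timeout=1 network-policy-echoserver` inside the
// network-policy-tester pod (namespace policy-tester) via kubectl exec on node,
// using retry.WithBackoff for up to tries attempts. A nil result means the probe
// reached the echo server.
//
// NOTE(review): a non-nil error is returned both when wget itself fails (traffic
// blocked) and when the ssh or kubectl step fails, so callers expecting a deny
// cannot distinguish the two from this result alone. If the tester image has a
// shell, wrapping the probe as `sh -c '! wget ...'` would let a deny be asserted
// affirmatively — confirm the image contents before changing the command.
func testPodAccess(node NodeDeets, sshKey string, tries uint) error {
	probe := []string{"sudo kubectl --kubeconfig /root/.kube/config exec -n policy-tester -it network-policy-tester -- wget --spider --timeout=1 network-policy-echoserver"}
	return retry.WithBackoff(func() error {
		return runViaSSH(probe, []NodeDeets{node}, sshKey, 1*time.Minute)
	}, tries)
}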