github.com/fafucoder/cilium@v1.6.11/daemon/k8s_watcher_test.go (about) 1 // Copyright 2017-2019 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // +build !privileged_tests 16 17 package main 18 19 import ( 20 "github.com/cilium/cilium/pkg/checker" 21 k8sConst "github.com/cilium/cilium/pkg/k8s/apis/cilium.io" 22 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/utils" 23 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2" 24 "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/fake" 25 "github.com/cilium/cilium/pkg/k8s/types" 26 "github.com/cilium/cilium/pkg/labels" 27 "github.com/cilium/cilium/pkg/policy" 28 "github.com/cilium/cilium/pkg/policy/api" 29 30 . "gopkg.in/check.v1" 31 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 32 k8sTypes "k8s.io/apimachinery/pkg/types" 33 "k8s.io/client-go/tools/cache" 34 ) 35 36 func (ds *DaemonSuite) Test_addCiliumNetworkPolicyV2(c *C) { 37 // ciliumV2Store cache.Store, oldRules api.Rules, cnp *cilium_v2.CiliumNetworkPolicy 38 39 uuid := k8sTypes.UID("13bba160-ddca-13e8-b697-0800273b04ff") 40 type args struct { 41 ciliumV2Store cache.Store 42 cnp *types.SlimCNP 43 repo *policy.Repository 44 } 45 type wanted struct { 46 err error 47 repo *policy.Repository 48 } 49 tests := []struct { 50 name string 51 setupArgs func() args 52 setupWanted func() wanted 53 }{ 54 { 55 name: "simple policy added", 56 setupArgs: func() args { 57 return args{ 58 ciliumV2Store: &cache.FakeCustomStore{}, 59 cnp: &types.SlimCNP{ 60 CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{ 61 ObjectMeta: metav1.ObjectMeta{ 62 Name: "db", 63 Namespace: "production", 64 UID: uuid, 65 }, 66 Spec: &api.Rule{ 67 EndpointSelector: api.EndpointSelector{ 68 LabelSelector: &metav1.LabelSelector{ 69 MatchLabels: map[string]string{ 70 "env": "cluster-1", 71 }, 72 }, 73 }, 74 }, 75 }, 76 }, 77 repo: policy.NewPolicyRepository(), 78 } 79 }, 80 setupWanted: func() wanted { 81 r := policy.NewPolicyRepository() 82 r.AddList(api.Rules{ 83 api.NewRule(). 84 WithEndpointSelector(api.EndpointSelector{ 85 LabelSelector: &metav1.LabelSelector{ 86 MatchLabels: map[string]string{ 87 "env": "cluster-1", 88 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 89 }, 90 }, 91 }). 92 WithIngressRules(nil). 93 WithEgressRules(nil). 94 WithLabels(utils.GetPolicyLabels( 95 "production", 96 "db", 97 uuid, 98 utils.ResourceTypeCiliumNetworkPolicy), 99 ), 100 }) 101 return wanted{ 102 err: nil, 103 repo: r, 104 } 105 }, 106 }, 107 { 108 name: "have a rule with user labels and update it without user labels, all other rules should be deleted", 109 setupArgs: func() args { 110 r := policy.NewPolicyRepository() 111 lbls := utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy) 112 lbls = append(lbls, labels.ParseLabelArray("foo=bar")...).Sort() 113 r.AddList(api.Rules{ 114 { 115 EndpointSelector: api.EndpointSelector{ 116 LabelSelector: &metav1.LabelSelector{ 117 MatchLabels: map[string]string{ 118 "env": "cluster-1", 119 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 120 }, 121 }, 122 }, 123 Ingress: nil, 124 Egress: nil, 125 Labels: lbls, 126 Description: "", 127 }, 128 }) 129 return args{ 130 ciliumV2Store: &cache.FakeCustomStore{}, 131 cnp: &types.SlimCNP{ 132 CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{ 133 ObjectMeta: metav1.ObjectMeta{ 134 Name: "db", 135 Namespace: "production", 136 UID: uuid, 137 }, 138 Spec: &api.Rule{ 139 EndpointSelector: api.EndpointSelector{ 140 LabelSelector: &metav1.LabelSelector{ 141 MatchLabels: map[string]string{ 142 "env": "cluster-1", 143 }, 144 }, 145 }, 146 }, 147 }, 148 }, 149 repo: r, 150 } 151 }, 152 setupWanted: func() wanted { 153 r := policy.NewPolicyRepository() 154 r.AddList(api.Rules{ 155 api.NewRule(). 156 WithEndpointSelector(api.EndpointSelector{ 157 LabelSelector: &metav1.LabelSelector{ 158 MatchLabels: map[string]string{ 159 "env": "cluster-1", 160 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 161 }, 162 }, 163 }). 164 WithIngressRules(nil). 165 WithEgressRules(nil). 166 WithLabels(utils.GetPolicyLabels( 167 "production", 168 "db", 169 uuid, 170 utils.ResourceTypeCiliumNetworkPolicy, 171 )), 172 }) 173 return wanted{ 174 err: nil, 175 repo: r, 176 } 177 }, 178 }, 179 { 180 name: "have a rule without user labels and update it with user labels, all other rules should be deleted", 181 setupArgs: func() args { 182 r := policy.NewPolicyRepository() 183 r.AddList(api.Rules{ 184 { 185 EndpointSelector: api.EndpointSelector{ 186 LabelSelector: &metav1.LabelSelector{ 187 MatchLabels: map[string]string{ 188 "env": "cluster-1", 189 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 190 }, 191 }, 192 }, 193 Ingress: nil, 194 Egress: nil, 195 Labels: utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy), 196 Description: "", 197 }, 198 }) 199 return args{ 200 ciliumV2Store: &cache.FakeCustomStore{}, 201 cnp: &types.SlimCNP{ 202 CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{ 203 ObjectMeta: metav1.ObjectMeta{ 204 Name: "db", 205 Namespace: "production", 206 UID: uuid, 207 }, 208 Spec: &api.Rule{ 209 EndpointSelector: api.EndpointSelector{ 210 LabelSelector: &metav1.LabelSelector{ 211 MatchLabels: map[string]string{ 212 "env": "cluster-1", 213 }, 214 }, 215 }, 216 Labels: labels.ParseLabelArray("foo=bar"), 217 }, 218 }, 219 }, 220 repo: r, 221 } 222 }, 223 setupWanted: func() wanted { 224 r := policy.NewPolicyRepository() 225 lbls := utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy) 226 lbls = append(lbls, labels.ParseLabelArray("foo=bar")...).Sort() 227 r.AddList(api.Rules{ 228 api.NewRule(). 229 WithEndpointSelector(api.EndpointSelector{ 230 LabelSelector: &metav1.LabelSelector{ 231 MatchLabels: map[string]string{ 232 "env": "cluster-1", 233 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 234 }, 235 }, 236 }). 237 WithIngressRules(nil). 238 WithEgressRules(nil). 239 WithLabels(lbls), 240 }) 241 return wanted{ 242 err: nil, 243 repo: r, 244 } 245 }, 246 }, 247 { 248 name: "have a rule policy installed with multiple rules and apply an empty spec should delete all rules installed", 249 setupArgs: func() args { 250 r := policy.NewPolicyRepository() 251 r.AddList(api.Rules{ 252 { 253 EndpointSelector: api.EndpointSelector{ 254 LabelSelector: &metav1.LabelSelector{ 255 MatchLabels: map[string]string{ 256 "env": "cluster-1", 257 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 258 }, 259 }, 260 }, 261 Ingress: []api.IngressRule{ 262 { 263 FromEndpoints: []api.EndpointSelector{ 264 { 265 LabelSelector: &metav1.LabelSelector{ 266 MatchLabels: map[string]string{ 267 "env": "cluster-1", 268 labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production", 269 }, 270 }, 271 }, 272 }, 273 }, 274 }, 275 Egress: nil, 276 Labels: utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy), 277 Description: "", 278 }, 279 }) 280 return args{ 281 ciliumV2Store: &cache.FakeCustomStore{}, 282 cnp: &types.SlimCNP{ 283 CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{ 284 ObjectMeta: metav1.ObjectMeta{ 285 Name: "db", 286 Namespace: "production", 287 UID: uuid, 288 }, 289 }, 290 }, 291 repo: r, 292 } 293 }, 294 setupWanted: func() wanted { 295 r := policy.NewPolicyRepository() 296 r.AddList(api.Rules{}) 297 return wanted{ 298 err: nil, 299 repo: r, 300 } 301 }, 302 }, 303 } 304 for _, tt := range tests { 305 args := tt.setupArgs() 306 want := tt.setupWanted() 307 ds.d.policy = args.repo 308 err := ds.d.addCiliumNetworkPolicyV2(&fake.Clientset{}, args.ciliumV2Store, args.cnp) 309 c.Assert(err, checker.DeepEquals, want.err, Commentf("Test name: %q", tt.name)) 310 c.Assert(ds.d.policy.GetRulesList().Policy, checker.DeepEquals, want.repo.GetRulesList().Policy, Commentf("Test name: %q", tt.name)) 311 } 312 }