// Copyright 2017 Authors of Cilium
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package policygen

// policiesTestSuite is the table of policy fragments, grouped by layer, that
// GeneratedTestSpec multiplies into a full test matrix. Every entry pairs a
// rule fragment (template) with a connectivity expectation (tests). The
// entries expecting ConnResultAllTimeout are the negative cases; keep them
// when editing the table, otherwise only the allow paths stay covered.
//
// Template values are JSON fragments; "{{.SrcPod}}" looks like a
// text/template placeholder filled in elsewhere in the package (the rendering
// code is not part of this file).
var policiesTestSuite = PolicyTestSuite{
	l3Checks: []PolicyTestKind{
		{
			// `[{}]` is a single empty endpoint selector. In Cilium policy an
			// empty selector selects all endpoints, so despite the case name
			// this is an allow-all ingress rule rather than the absence of a
			// rule; the ConnResultAllOK expectation matches that.
			name:  "No Policy",
			kind:  ingress,
			tests: ConnResultAllOK,
			template: map[string]string{
				"fromEndpoints": `[{}]`,
			},
		},
		{
			// Ingress allowed only from endpoints whose "id" label equals the
			// rendered {{.SrcPod}} value.
			name:  "Ingress Label",
			kind:  ingress,
			tests: ConnResultAllOK,
			template: map[string]string{
				"fromEndpoints": `[{"matchLabels": { "id": "{{.SrcPod}}"}}]`,
			},
		},
		{
			// Negative case: the literal suffix "Invalid" is appended to the
			// placeholder and the expectation switches to
			// ConnResultAllTimeout (presumably because the source pod no
			// longer matches the selector).
			name:  "Ingress Label Invalid",
			kind:  ingress,
			tests: ConnResultAllTimeout,
			template: map[string]string{
				"fromEndpoints": `[{"matchLabels": { "id": "{{.SrcPod}}Invalid"}}]`,
			},
		},
	},
	l4Checks: []PolicyTestKind{
		{
			// Empty template: this case contributes no L4 fragment.
			name:     "No Policy",
			kind:     ingress,
			tests:    ConnResultAllOK,
			template: map[string]string{},
		},
		{
			// Protocol omitted; the expectation is the same as for the
			// explicit TCP case below.
			name:  "Ingress Port 80 No protocol",
			kind:  ingress,
			tests: ConnResultOnlyHTTP,
			template: map[string]string{
				"ports": `[{"port": "80"}]`,
			},
		},
		{
			name:  "Egress Port 80 No protocol",
			kind:  egress,
			tests: ConnResultOnlyHTTP,
			template: map[string]string{
				"ports": `[{"port": "80"}]`,
			},
		},
		{
			name:  "Ingress Port 80 TCP",
			kind:  ingress,
			tests: ConnResultOnlyHTTP,
			template: map[string]string{
				"ports": `[{"port": "80", "protocol": "TCP"}]`,
			},
		},
		{
			// Negative case: port 80 is opened for UDP only and every probe
			// is expected to time out (ConnResultAllTimeout).
			name:  "Ingress Port 80 UDP",
			kind:  ingress,
			tests: ConnResultAllTimeout,
			template: map[string]string{
				"ports": `[{"port": "80", "protocol": "UDP"}]`,
			},
		},
		{
			name:  "Egress Port 80 TCP",
			kind:  egress,
			tests: ConnResultOnlyHTTP,
			template: map[string]string{
				"ports": `[{"port": "80", "protocol": "TCP"}]`,
			},
		},
		{
			// Negative case, egress direction: UDP-only port 80.
			name:  "Egress Port 80 UDP",
			kind:  egress,
			tests: ConnResultAllTimeout,
			template: map[string]string{
				"ports": `[{"port": "80", "protocol": "UDP"}]`,
			},
		},
	},
	l7Checks: []PolicyTestKind{
		{
			// Empty template: this case contributes no L7 fragment.
			name:     "No Policy",
			kind:     ingress,
			tests:    ConnResultAllOK,
			template: map[string]string{},
		},
		{
			// HTTP rule limited to GET /private on TCP port 80.
			// NOTE(review): the case name says /private/ while the rule path
			// is /private; how the path is matched is decided outside this
			// file, so confirm the name and the rule describe the same
			// allow-list.
			name:  "Ingress policy /private/",
			kind:  ingress,
			tests: ConnResultOnlyHTTPPrivate,
			template: map[string]string{
				"rules": `{"http": [{"method": "GET", "path": "/private"}]}`,
				"ports": `[{"port": "80", "protocol": "TCP"}]`,
			},
			// Entries use an "L4:" prefix followed by an L4 case name;
			// presumably they list L4 cases this L7 case must not be combined
			// with (the consumer of exclude is not shown here).
			exclude: []string{
				"L4:Ingress Port 80 UDP",
				"L4:Ingress Port 80 No protocol",
			},
		},
		{
			// Egress counterpart of the rule above; same path caveat applies.
			name:  "Egress policy to /private/",
			kind:  egress,
			tests: ConnResultOnlyHTTPPrivate,
			template: map[string]string{
				"rules": `{"http": [{"method": "GET", "path": "/private"}]}`,
				"ports": `[{"port": "80", "protocol": "TCP"}]`,
			},
			exclude: []string{
				"L4:Egress Port 80 UDP",
				"L4:Egress Port 80 No protocol",
			},
		},
	},
}

// GeneratedTestSpec returns one TestSpec for every combination of an L3, L4
// and L7 case from policiesTestSuite with every entry of DestinationsTypes.
// The result is never nil, even when one of the inputs is empty.
//
// No filtering happens here: combinations named in a case's exclude list are
// still generated, so any exclusion has to be applied by the caller.
func GeneratedTestSpec() []TestSpec {
	l3Kinds := policiesTestSuite.l3Checks
	l4Kinds := policiesTestSuite.l4Checks
	l7Kinds := policiesTestSuite.l7Checks

	// The size of the cross product is known up front, so reserve it once.
	total := len(l3Kinds) * len(l4Kinds) * len(l7Kinds) * len(DestinationsTypes)
	combos := make([]TestSpec, 0, total)

	for _, l3Kind := range l3Kinds {
		for _, l4Kind := range l4Kinds {
			for _, l7Kind := range l7Kinds {
				for _, destination := range DestinationsTypes {
					spec := TestSpec{
						l3:          l3Kind,
						l4:          l4Kind,
						l7:          l7Kind,
						Destination: destination,
					}
					combos = append(combos, spec)
				}
			}
		}
	}
	return combos
}

// GetBasicTestSpec returns a single fixed TestSpec: an allow-all L3 selector,
// ingress TCP port 80 at L4 and an HTTP GET /private rule at L7, aimed at the
// first entry of DestinationsTypes.
//
// NOTE(review): the template keys here are capitalised ("FromEndpoints",
// "Ports", "Rules") while policiesTestSuite uses lower-case keys. Whether the
// code consuming the templates treats both spellings alike is not visible in
// this file; if it does not, this spec would install a different policy from
// the one its case names describe. Confirm against the template consumer.
func GetBasicTestSpec() TestSpec {
	l3Kind := PolicyTestKind{
		name:  "No Policy",
		kind:  ingress,
		tests: ConnResultAllOK,
		template: map[string]string{
			"FromEndpoints": `[{}]`,
		},
	}

	l4Kind := PolicyTestKind{
		name:  "Ingress Port 80 TCP",
		kind:  ingress,
		tests: ConnResultOnlyHTTP,
		template: map[string]string{
			"Ports": `[{"port": "80", "protocol": "TCP"}]`,
		},
	}

	l7Kind := PolicyTestKind{
		name:  "Ingress policy /private/",
		kind:  ingress,
		tests: ConnResultOnlyHTTPPrivate,
		template: map[string]string{
			"Rules": `{"http": [{"method": "GET", "path": "/private"}]}`,
			"Ports": `[{"port": "80", "protocol": "TCP"}]`,
		},
	}

	return TestSpec{
		l3:          l3Kind,
		l4:          l4Kind,
		l7:          l7Kind,
		Destination: DestinationsTypes[0],
	}
}