github.com/rohankumardubey/cilium@v1.6.12/daemon/k8s_watcher_test.go

github.com/rohankumardubey/cilium@v1.6.12/daemon/k8s_watcher_test.go (about)

     1  // Copyright 2017-2019 Authors of Cilium
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // +build !privileged_tests
    16  
    17  package main
    18  
    19  import (
    20  	"github.com/cilium/cilium/pkg/checker"
    21  	k8sConst "github.com/cilium/cilium/pkg/k8s/apis/cilium.io"
    22  	"github.com/cilium/cilium/pkg/k8s/apis/cilium.io/utils"
    23  	"github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    24  	"github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/fake"
    25  	"github.com/cilium/cilium/pkg/k8s/types"
    26  	"github.com/cilium/cilium/pkg/labels"
    27  	"github.com/cilium/cilium/pkg/policy"
    28  	"github.com/cilium/cilium/pkg/policy/api"
    29  
    30  	. "gopkg.in/check.v1"
    31  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    32  	k8sTypes "k8s.io/apimachinery/pkg/types"
    33  	"k8s.io/client-go/tools/cache"
    34  )
    35  
    36  func (ds *DaemonSuite) Test_addCiliumNetworkPolicyV2(c *C) {
    37  	// ciliumV2Store cache.Store, oldRules api.Rules, cnp *cilium_v2.CiliumNetworkPolicy
    38  
    39  	uuid := k8sTypes.UID("13bba160-ddca-13e8-b697-0800273b04ff")
    40  	type args struct {
    41  		ciliumV2Store cache.Store
    42  		cnp           *types.SlimCNP
    43  		repo          *policy.Repository
    44  	}
    45  	type wanted struct {
    46  		err  error
    47  		repo *policy.Repository
    48  	}
    49  	tests := []struct {
    50  		name        string
    51  		setupArgs   func() args
    52  		setupWanted func() wanted
    53  	}{
    54  		{
    55  			name: "simple policy added",
    56  			setupArgs: func() args {
    57  				return args{
    58  					ciliumV2Store: &cache.FakeCustomStore{},
    59  					cnp: &types.SlimCNP{
    60  						CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{
    61  							ObjectMeta: metav1.ObjectMeta{
    62  								Name:      "db",
    63  								Namespace: "production",
    64  								UID:       uuid,
    65  							},
    66  							Spec: &api.Rule{
    67  								EndpointSelector: api.EndpointSelector{
    68  									LabelSelector: &metav1.LabelSelector{
    69  										MatchLabels: map[string]string{
    70  											"env": "cluster-1",
    71  										},
    72  									},
    73  								},
    74  							},
    75  						},
    76  					},
    77  					repo: policy.NewPolicyRepository(),
    78  				}
    79  			},
    80  			setupWanted: func() wanted {
    81  				r := policy.NewPolicyRepository()
    82  				r.AddList(api.Rules{
    83  					api.NewRule().
    84  						WithEndpointSelector(api.EndpointSelector{
    85  							LabelSelector: &metav1.LabelSelector{
    86  								MatchLabels: map[string]string{
    87  									"env": "cluster-1",
    88  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
    89  								},
    90  							},
    91  						}).
    92  						WithIngressRules(nil).
    93  						WithEgressRules(nil).
    94  						WithLabels(utils.GetPolicyLabels(
    95  							"production",
    96  							"db",
    97  							uuid,
    98  							utils.ResourceTypeCiliumNetworkPolicy),
    99  						),
   100  				})
   101  				return wanted{
   102  					err:  nil,
   103  					repo: r,
   104  				}
   105  			},
   106  		},
   107  		{
   108  			name: "have a rule with user labels and update it without user labels, all other rules should be deleted",
   109  			setupArgs: func() args {
   110  				r := policy.NewPolicyRepository()
   111  				lbls := utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy)
   112  				lbls = append(lbls, labels.ParseLabelArray("foo=bar")...).Sort()
   113  				r.AddList(api.Rules{
   114  					{
   115  						EndpointSelector: api.EndpointSelector{
   116  							LabelSelector: &metav1.LabelSelector{
   117  								MatchLabels: map[string]string{
   118  									"env": "cluster-1",
   119  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   120  								},
   121  							},
   122  						},
   123  						Ingress:     nil,
   124  						Egress:      nil,
   125  						Labels:      lbls,
   126  						Description: "",
   127  					},
   128  				})
   129  				return args{
   130  					ciliumV2Store: &cache.FakeCustomStore{},
   131  					cnp: &types.SlimCNP{
   132  						CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{
   133  							ObjectMeta: metav1.ObjectMeta{
   134  								Name:      "db",
   135  								Namespace: "production",
   136  								UID:       uuid,
   137  							},
   138  							Spec: &api.Rule{
   139  								EndpointSelector: api.EndpointSelector{
   140  									LabelSelector: &metav1.LabelSelector{
   141  										MatchLabels: map[string]string{
   142  											"env": "cluster-1",
   143  										},
   144  									},
   145  								},
   146  							},
   147  						},
   148  					},
   149  					repo: r,
   150  				}
   151  			},
   152  			setupWanted: func() wanted {
   153  				r := policy.NewPolicyRepository()
   154  				r.AddList(api.Rules{
   155  					api.NewRule().
   156  						WithEndpointSelector(api.EndpointSelector{
   157  							LabelSelector: &metav1.LabelSelector{
   158  								MatchLabels: map[string]string{
   159  									"env": "cluster-1",
   160  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   161  								},
   162  							},
   163  						}).
   164  						WithIngressRules(nil).
   165  						WithEgressRules(nil).
   166  						WithLabels(utils.GetPolicyLabels(
   167  							"production",
   168  							"db",
   169  							uuid,
   170  							utils.ResourceTypeCiliumNetworkPolicy,
   171  						)),
   172  				})
   173  				return wanted{
   174  					err:  nil,
   175  					repo: r,
   176  				}
   177  			},
   178  		},
   179  		{
   180  			name: "have a rule without user labels and update it with user labels, all other rules should be deleted",
   181  			setupArgs: func() args {
   182  				r := policy.NewPolicyRepository()
   183  				r.AddList(api.Rules{
   184  					{
   185  						EndpointSelector: api.EndpointSelector{
   186  							LabelSelector: &metav1.LabelSelector{
   187  								MatchLabels: map[string]string{
   188  									"env": "cluster-1",
   189  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   190  								},
   191  							},
   192  						},
   193  						Ingress:     nil,
   194  						Egress:      nil,
   195  						Labels:      utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy),
   196  						Description: "",
   197  					},
   198  				})
   199  				return args{
   200  					ciliumV2Store: &cache.FakeCustomStore{},
   201  					cnp: &types.SlimCNP{
   202  						CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{
   203  							ObjectMeta: metav1.ObjectMeta{
   204  								Name:      "db",
   205  								Namespace: "production",
   206  								UID:       uuid,
   207  							},
   208  							Spec: &api.Rule{
   209  								EndpointSelector: api.EndpointSelector{
   210  									LabelSelector: &metav1.LabelSelector{
   211  										MatchLabels: map[string]string{
   212  											"env": "cluster-1",
   213  										},
   214  									},
   215  								},
   216  								Labels: labels.ParseLabelArray("foo=bar"),
   217  							},
   218  						},
   219  					},
   220  					repo: r,
   221  				}
   222  			},
   223  			setupWanted: func() wanted {
   224  				r := policy.NewPolicyRepository()
   225  				lbls := utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy)
   226  				lbls = append(lbls, labels.ParseLabelArray("foo=bar")...).Sort()
   227  				r.AddList(api.Rules{
   228  					api.NewRule().
   229  						WithEndpointSelector(api.EndpointSelector{
   230  							LabelSelector: &metav1.LabelSelector{
   231  								MatchLabels: map[string]string{
   232  									"env": "cluster-1",
   233  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   234  								},
   235  							},
   236  						}).
   237  						WithIngressRules(nil).
   238  						WithEgressRules(nil).
   239  						WithLabels(lbls),
   240  				})
   241  				return wanted{
   242  					err:  nil,
   243  					repo: r,
   244  				}
   245  			},
   246  		},
   247  		{
   248  			name: "have a rule policy installed with multiple rules and apply an empty spec should delete all rules installed",
   249  			setupArgs: func() args {
   250  				r := policy.NewPolicyRepository()
   251  				r.AddList(api.Rules{
   252  					{
   253  						EndpointSelector: api.EndpointSelector{
   254  							LabelSelector: &metav1.LabelSelector{
   255  								MatchLabels: map[string]string{
   256  									"env": "cluster-1",
   257  									labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   258  								},
   259  							},
   260  						},
   261  						Ingress: []api.IngressRule{
   262  							{
   263  								FromEndpoints: []api.EndpointSelector{
   264  									{
   265  										LabelSelector: &metav1.LabelSelector{
   266  											MatchLabels: map[string]string{
   267  												"env": "cluster-1",
   268  												labels.LabelSourceK8s + "." + k8sConst.PodNamespaceLabel: "production",
   269  											},
   270  										},
   271  									},
   272  								},
   273  							},
   274  						},
   275  						Egress:      nil,
   276  						Labels:      utils.GetPolicyLabels("production", "db", uuid, utils.ResourceTypeCiliumNetworkPolicy),
   277  						Description: "",
   278  					},
   279  				})
   280  				return args{
   281  					ciliumV2Store: &cache.FakeCustomStore{},
   282  					cnp: &types.SlimCNP{
   283  						CiliumNetworkPolicy: &v2.CiliumNetworkPolicy{
   284  							ObjectMeta: metav1.ObjectMeta{
   285  								Name:      "db",
   286  								Namespace: "production",
   287  								UID:       uuid,
   288  							},
   289  						},
   290  					},
   291  					repo: r,
   292  				}
   293  			},
   294  			setupWanted: func() wanted {
   295  				r := policy.NewPolicyRepository()
   296  				r.AddList(api.Rules{})
   297  				return wanted{
   298  					err:  nil,
   299  					repo: r,
   300  				}
   301  			},
   302  		},
   303  	}
   304  	for _, tt := range tests {
   305  		args := tt.setupArgs()
   306  		want := tt.setupWanted()
   307  		ds.d.policy = args.repo
   308  		err := ds.d.addCiliumNetworkPolicyV2(&fake.Clientset{}, args.ciliumV2Store, args.cnp)
   309  		c.Assert(err, checker.DeepEquals, want.err, Commentf("Test name: %q", tt.name))
   310  		c.Assert(ds.d.policy.GetRulesList().Policy, checker.DeepEquals, want.repo.GetRulesList().Policy, Commentf("Test name: %q", tt.name))
   311  	}
   312  }