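// github.com/solo-io/service-mesh-hub@v0.9.2/test/e2e/istio/access_policy_test.go
package istio_test

import (
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	networkingv1alpha2 "github.com/solo-io/service-mesh-hub/pkg/api/networking.smh.solo.io/v1alpha2"
	"github.com/solo-io/service-mesh-hub/test/utils"
	skv2core "github.com/solo-io/skv2/pkg/api/core.skv2.solo.io/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// AccessPolicy e2e spec. It checks three things in order on the shared
// bookinfo deployment:
//   1. enabling global access policy enforcement on the VirtualMesh makes the
//      reviews call fail with 403 (deny-by-default),
//   2. an AccessPolicy that allows the bookinfo-productpage service account to
//      reach the reviews service restores that single path (200),
//   3. disabling enforcement and deleting the AccessPolicy restores
//      connectivity to other services (ratings returns 200).
//
// VirtualMesh, VirtualMeshManifest, BookinfoNamespace, mgmtClusterName,
// curlReviews and curlRatings are shared suite-level fixtures defined elsewhere
// in this package.
var _ = Describe("AccessPolicy", func() {
	var (
		err      error
		manifest utils.Manifest
	)

	// applyVirtualMesh re-renders the VirtualMesh manifest from the shared
	// VirtualMesh object and applies it, so a change made to
	// VirtualMesh.Spec.GlobalAccessPolicy takes effect in the cluster.
	applyVirtualMesh := func() {
		VirtualMeshManifest.CreateOrTruncate()
		err := VirtualMeshManifest.AppendResources(VirtualMesh)
		Expect(err).NotTo(HaveOccurred())
		err = VirtualMeshManifest.KubeApply(BookinfoNamespace)
		Expect(err).NotTo(HaveOccurred())
	}

	AfterEach(func() {
		manifest.Cleanup(BookinfoNamespace)

		// If the spec failed before its last step, enforcement is still
		// ENABLED on the shared VirtualMesh and every later spec in the suite
		// would see 403s. Reset it here so a failure in this spec does not
		// cascade; on the success path the value is already DISABLED and this
		// is a no-op.
		if VirtualMesh.Spec.GlobalAccessPolicy != networkingv1alpha2.VirtualMeshSpec_DISABLED {
			VirtualMesh.Spec.GlobalAccessPolicy = networkingv1alpha2.VirtualMeshSpec_DISABLED
			applyVirtualMesh()
		}
	})

	It("controls global access policy enforcement", func() {
		manifest, err = utils.NewManifest("access_policy_test_manifest.yaml")
		Expect(err).ToNot(HaveOccurred())

		By("restricting connectivity when global access policy enforcement is enabled", func() {
			VirtualMesh.Spec.GlobalAccessPolicy = networkingv1alpha2.VirtualMeshSpec_ENABLED
			applyVirtualMesh()

			// With enforcement on and no AccessPolicy selecting the reviews
			// service, the productpage -> reviews request must be rejected.
			Eventually(curlReviews, "1m", "1s").Should(ContainSubstring("403 Forbidden"))
		})

		By("restoring connectivity to the reviews service when AccessPolicy is created", func() {
			// Source is the workload identity (service account) of productpage;
			// destination is the reviews Kubernetes service. Both refs are
			// scoped to the management cluster.
			accessPolicy := &networkingv1alpha2.AccessPolicy{
				TypeMeta: metav1.TypeMeta{
					Kind:       "AccessPolicy",
					APIVersion: networkingv1alpha2.SchemeGroupVersion.String(),
				},
				ObjectMeta: metav1.ObjectMeta{
					Name:      "allow-reviews",
					Namespace: BookinfoNamespace,
				},
				Spec: networkingv1alpha2.AccessPolicySpec{
					SourceSelector: []*networkingv1alpha2.IdentitySelector{
						{
							KubeServiceAccountRefs: &networkingv1alpha2.IdentitySelector_KubeServiceAccountRefs{
								ServiceAccounts: []*skv2core.ClusterObjectRef{
									{
										Name:        "bookinfo-productpage",
										Namespace:   BookinfoNamespace,
										ClusterName: mgmtClusterName,
									},
								},
							},
						},
					},
					DestinationSelector: []*networkingv1alpha2.TrafficTargetSelector{
						{
							KubeServiceRefs: &networkingv1alpha2.TrafficTargetSelector_KubeServiceRefs{
								Services: []*skv2core.ClusterObjectRef{
									{
										Name:        "reviews",
										Namespace:   BookinfoNamespace,
										ClusterName: mgmtClusterName,
									},
								},
							},
						},
					},
				},
			}
			err := manifest.AppendResources(accessPolicy)
			Expect(err).NotTo(HaveOccurred())
			err = manifest.KubeApply(BookinfoNamespace)
			Expect(err).NotTo(HaveOccurred())

			Eventually(curlReviews, "1m", "1s").Should(ContainSubstring("200 OK"))
		})

		By("restoring connectivity to all services when global access policy enforcement is disabled", func() {
			VirtualMesh.Spec.GlobalAccessPolicy = networkingv1alpha2.VirtualMeshSpec_DISABLED
			applyVirtualMesh()

			// Remove the allow-reviews policy as well, so the final check
			// exercises the disabled-enforcement path rather than the policy.
			err = manifest.KubeDelete(BookinfoNamespace)
			Expect(err).NotTo(HaveOccurred())

			// ratings was never covered by an AccessPolicy; it is reachable
			// again only because enforcement is now disabled.
			Eventually(curlRatings, "1m", "1s").Should(ContainSubstring("200 OK"))
		})
	})
})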