github.com/zhyoulun/cilium@v1.6.12/pkg/policy/api/egress_test.go (about) 1 // Copyright 2018-2019 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // +build !privileged_tests 16 17 package api 18 19 import ( 20 "fmt" 21 "net" 22 23 "github.com/cilium/cilium/pkg/checker" 24 25 . "gopkg.in/check.v1" 26 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 27 ) 28 29 func (s *PolicyAPITestSuite) TestRequiresDerivativeRuleWithoutToGroups(c *C) { 30 eg := EgressRule{} 31 c.Assert(eg.RequiresDerivative(), Equals, false) 32 } 33 34 func (s *PolicyAPITestSuite) TestRequiresDerivativeRuleWithToGroups(c *C) { 35 eg := EgressRule{} 36 eg.ToGroups = []ToGroups{ 37 GetToGroupsRule(), 38 } 39 c.Assert(eg.RequiresDerivative(), Equals, true) 40 } 41 42 func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithoutToGroups(c *C) { 43 eg := &EgressRule{ 44 ToEndpoints: []EndpointSelector{ 45 { 46 LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{ 47 "test": "true", 48 }, 49 }, 50 }, 51 }, 52 } 53 newRule, err := eg.CreateDerivative() 54 c.Assert(eg, checker.DeepEquals, newRule) 55 c.Assert(err, IsNil) 56 } 57 58 func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithToGroupsWitInvalidRegisterCallback(c *C) { 59 cb := func(group *ToGroups) ([]net.IP, error) { 60 return []net.IP{}, fmt.Errorf("Invalid error") 61 } 62 RegisterToGroupsProvider(AWSProvider, cb) 63 64 eg := &EgressRule{ 65 ToGroups: []ToGroups{ 66 GetToGroupsRule(), 67 }, 68 } 69 _, err := eg.CreateDerivative() 70 c.Assert(err, NotNil) 71 } 72 73 func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithToGroupsAndToPorts(c *C) { 74 cb := GetCallBackWithRule("192.168.1.1") 75 RegisterToGroupsProvider(AWSProvider, cb) 76 77 eg := &EgressRule{ 78 ToGroups: []ToGroups{ 79 GetToGroupsRule(), 80 }, 81 } 82 83 // Checking that the derivative rule is working correctly 84 c.Assert(eg.RequiresDerivative(), Equals, true) 85 86 newRule, err := eg.CreateDerivative() 87 c.Assert(err, IsNil) 88 c.Assert(len(newRule.ToGroups), Equals, 0) 89 c.Assert(len(newRule.ToCIDRSet), Equals, 1) 90 } 91 92 func (s *PolicyAPITestSuite) TestCreateDerivativeWithoutErrorAndNoIPs(c *C) { 93 // Testing that if the len of the Ips returned by provider is 0 to block 94 // all the IPS outside. 95 cb := GetCallBackWithRule() 96 RegisterToGroupsProvider(AWSProvider, cb) 97 98 eg := &EgressRule{ 99 ToGroups: []ToGroups{ 100 GetToGroupsRule(), 101 }, 102 } 103 104 // Checking that the derivative rule is working correctly 105 c.Assert(eg.RequiresDerivative(), Equals, true) 106 107 newRule, err := eg.CreateDerivative() 108 c.Assert(err, IsNil) 109 c.Assert(newRule, checker.DeepEquals, &EgressRule{}) 110 } 111 112 func (s *PolicyAPITestSuite) TestIsLabelBasedEgress(c *C) { 113 type args struct { 114 eg *EgressRule 115 } 116 type wanted struct { 117 isLabelBased bool 118 } 119 120 tests := []struct { 121 name string 122 setupArgs func() args 123 setupWanted func() wanted 124 }{ 125 { 126 name: "label-based-rule", 127 setupArgs: func() args { 128 return args{ 129 eg: &EgressRule{ 130 ToEndpoints: []EndpointSelector{ 131 { 132 LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{ 133 "test": "true", 134 }, 135 }, 136 }, 137 }, 138 }, 139 } 140 }, 141 setupWanted: func() wanted { 142 return wanted{ 143 isLabelBased: true, 144 } 145 }, 146 }, 147 { 148 name: "cidr-based-rule", 149 setupArgs: func() args { 150 return args{ 151 &EgressRule{ 152 ToCIDR: CIDRSlice{"192.0.0.0/3"}, 153 }, 154 } 155 }, 156 setupWanted: func() wanted { 157 return wanted{ 158 isLabelBased: true, 159 } 160 }, 161 }, 162 { 163 name: "cidrset-based-rule", 164 setupArgs: func() args { 165 return args{ 166 &EgressRule{ 167 ToCIDRSet: CIDRRuleSlice{ 168 { 169 Cidr: "192.0.0.0/3", 170 }, 171 }, 172 }, 173 } 174 }, 175 setupWanted: func() wanted { 176 return wanted{ 177 isLabelBased: true, 178 } 179 }, 180 }, 181 { 182 name: "rule-with-requirements", 183 setupArgs: func() args { 184 return args{ 185 &EgressRule{ 186 ToRequires: []EndpointSelector{ 187 { 188 LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{ 189 "test": "true", 190 }, 191 }, 192 }, 193 }, 194 }, 195 } 196 }, 197 setupWanted: func() wanted { 198 return wanted{ 199 isLabelBased: false, 200 } 201 }, 202 }, 203 { 204 name: "rule-with-services", 205 setupArgs: func() args { 206 207 svcLabels := map[string]string{ 208 "app": "tested-service", 209 } 210 selector := ServiceSelector(NewESFromMatchRequirements(svcLabels, nil)) 211 return args{ 212 &EgressRule{ 213 ToServices: []Service{ 214 { 215 K8sServiceSelector: &K8sServiceSelectorNamespace{ 216 Selector: selector, 217 Namespace: "", 218 }, 219 }, 220 }, 221 }, 222 } 223 }, 224 setupWanted: func() wanted { 225 return wanted{ 226 isLabelBased: false, 227 } 228 }, 229 }, 230 { 231 name: "rule-with-fqdn", 232 setupArgs: func() args { 233 return args{ 234 &EgressRule{ 235 ToFQDNs: FQDNSelectorSlice{ 236 { 237 MatchName: "cilium.io", 238 }, 239 }, 240 }, 241 } 242 }, 243 setupWanted: func() wanted { 244 return wanted{ 245 isLabelBased: false, 246 } 247 }, 248 }, 249 { 250 name: "rule-with-entities", 251 setupArgs: func() args { 252 return args{ 253 &EgressRule{ 254 ToEntities: EntitySlice{ 255 EntityHost, 256 }, 257 }, 258 } 259 }, 260 setupWanted: func() wanted { 261 return wanted{ 262 isLabelBased: true, 263 } 264 }, 265 }, 266 { 267 name: "rule-with-no-l3-specification", 268 setupArgs: func() args { 269 return args{ 270 &EgressRule{ 271 ToPorts: []PortRule{ 272 { 273 Ports: []PortProtocol{ 274 { 275 Port: "80", 276 Protocol: ProtoTCP, 277 }, 278 }, 279 }, 280 }, 281 }, 282 } 283 }, 284 setupWanted: func() wanted { 285 return wanted{ 286 isLabelBased: true, 287 } 288 }, 289 }, 290 } 291 292 for _, tt := range tests { 293 args := tt.setupArgs() 294 want := tt.setupWanted() 295 c.Assert(args.eg.sanitize(), Equals, nil, Commentf("Test name: %q", tt.name)) 296 isLabelBased := args.eg.IsLabelBased() 297 c.Assert(isLabelBased, checker.DeepEquals, want.isLabelBased, Commentf("Test name: %q", tt.name)) 298 } 299 }