github.phpd.cn/cilium/cilium@v1.6.12/pkg/k8s/rule_translate_test.go (about) 1 // Copyright 2016-2017 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // +build !privileged_tests 16 17 package k8s 18 19 import ( 20 "sort" 21 22 "github.com/cilium/cilium/pkg/checker" 23 "github.com/cilium/cilium/pkg/labels" 24 "github.com/cilium/cilium/pkg/loadbalancer" 25 "github.com/cilium/cilium/pkg/policy" 26 "github.com/cilium/cilium/pkg/policy/api" 27 "github.com/cilium/cilium/pkg/service" 28 29 . "gopkg.in/check.v1" 30 ) 31 32 func (s *K8sSuite) TestTranslatorDirect(c *C) { 33 repo := policy.NewPolicyRepository() 34 35 tag1 := labels.LabelArray{labels.ParseLabel("tag1")} 36 serviceInfo := ServiceID{ 37 Name: "svc", 38 Namespace: "default", 39 } 40 41 epIP := "10.1.1.1" 42 43 endpointInfo := Endpoints{ 44 Backends: map[string]service.PortConfiguration{ 45 epIP: map[string]*loadbalancer.L4Addr{ 46 "port": { 47 Protocol: loadbalancer.TCP, 48 Port: 80, 49 }, 50 }, 51 }, 52 } 53 54 rule1 := api.Rule{ 55 EndpointSelector: api.NewESFromLabels(labels.ParseSelectLabel("bar")), 56 Egress: []api.EgressRule{ 57 { 58 ToServices: []api.Service{ 59 { 60 K8sService: &api.K8sServiceNamespace{ 61 ServiceName: serviceInfo.Name, 62 Namespace: serviceInfo.Namespace, 63 }, 64 }, 65 }, 66 }, 67 }, 68 Labels: tag1, 69 } 70 71 translator := NewK8sTranslator(serviceInfo, endpointInfo, false, map[string]string{}, nil) 72 73 _, _, err := repo.Add(rule1, []policy.Endpoint{}) 74 c.Assert(err, IsNil) 75 76 result, err := repo.TranslateRules(translator) 77 c.Assert(err, IsNil) 78 c.Assert(result.NumToServicesRules, Equals, 1) 79 80 rule := repo.SearchRLocked(tag1)[0].Egress[0] 81 82 c.Assert(len(rule.ToCIDRSet), Equals, 1) 83 c.Assert(string(rule.ToCIDRSet[0].Cidr), Equals, epIP+"/32") 84 85 translator = NewK8sTranslator(serviceInfo, endpointInfo, true, map[string]string{}, nil) 86 result, err = repo.TranslateRules(translator) 87 c.Assert(result.NumToServicesRules, Equals, 1) 88 89 rule = repo.SearchRLocked(tag1)[0].Egress[0] 90 91 c.Assert(err, IsNil) 92 c.Assert(len(rule.ToCIDRSet), Equals, 0) 93 } 94 95 func (s *K8sSuite) TestServiceMatches(c *C) { 96 svcLabels := map[string]string{ 97 "app": "tested-service", 98 } 99 100 serviceInfo := ServiceID{ 101 Name: "doesn't matter", 102 Namespace: "default", 103 } 104 105 epIP := "10.1.1.1" 106 endpointInfo := Endpoints{ 107 Backends: map[string]service.PortConfiguration{ 108 epIP: map[string]*loadbalancer.L4Addr{ 109 "port": { 110 Protocol: loadbalancer.TCP, 111 Port: 80, 112 }, 113 }, 114 }, 115 } 116 117 selector := api.ServiceSelector(api.NewESFromMatchRequirements(svcLabels, nil)) 118 service := api.Service{ 119 K8sServiceSelector: &api.K8sServiceSelectorNamespace{ 120 Selector: selector, 121 Namespace: "", 122 }, 123 } 124 125 translator := NewK8sTranslator(serviceInfo, endpointInfo, false, svcLabels, nil) 126 c.Assert(translator.serviceMatches(service), Equals, true) 127 } 128 129 func (s *K8sSuite) TestTranslatorLabels(c *C) { 130 repo := policy.NewPolicyRepository() 131 svcLabels := map[string]string{ 132 "app": "tested-service", 133 } 134 135 tag1 := labels.LabelArray{labels.ParseLabel("tag1")} 136 serviceInfo := ServiceID{ 137 Name: "doesn't matter", 138 Namespace: "default", 139 } 140 141 epIP := "10.1.1.1" 142 143 endpointInfo := Endpoints{ 144 Backends: map[string]service.PortConfiguration{ 145 epIP: map[string]*loadbalancer.L4Addr{ 146 "port": { 147 Protocol: loadbalancer.TCP, 148 Port: 80, 149 }, 150 }, 151 }, 152 } 153 154 selector := api.ServiceSelector(api.NewESFromMatchRequirements(svcLabels, nil)) 155 rule1 := api.Rule{ 156 EndpointSelector: api.NewESFromLabels(labels.ParseSelectLabel("bar")), 157 Egress: []api.EgressRule{{ 158 ToServices: []api.Service{ 159 { 160 K8sServiceSelector: &api.K8sServiceSelectorNamespace{ 161 Selector: selector, 162 Namespace: "", 163 }, 164 }, 165 }}, 166 }, 167 Labels: tag1, 168 } 169 170 translator := NewK8sTranslator(serviceInfo, endpointInfo, false, svcLabels, nil) 171 172 _, _, err := repo.Add(rule1, []policy.Endpoint{}) 173 c.Assert(err, IsNil) 174 175 result, err := repo.TranslateRules(translator) 176 c.Assert(err, IsNil) 177 c.Assert(result.NumToServicesRules, Equals, 1) 178 179 rule := repo.SearchRLocked(tag1)[0].Egress[0] 180 181 c.Assert(len(rule.ToCIDRSet), Equals, 1) 182 c.Assert(string(rule.ToCIDRSet[0].Cidr), Equals, epIP+"/32") 183 184 translator = NewK8sTranslator(serviceInfo, endpointInfo, true, svcLabels, nil) 185 result, err = repo.TranslateRules(translator) 186 187 rule = repo.SearchRLocked(tag1)[0].Egress[0] 188 189 c.Assert(err, IsNil) 190 c.Assert(len(rule.ToCIDRSet), Equals, 0) 191 c.Assert(result.NumToServicesRules, Equals, 1) 192 } 193 194 func (s *K8sSuite) TestGenerateToCIDRFromEndpoint(c *C) { 195 rule := &api.EgressRule{} 196 197 epIP1 := "10.1.1.1" 198 epIP2 := "10.1.1.2" 199 200 endpointInfo := Endpoints{ 201 Backends: map[string]service.PortConfiguration{ 202 epIP1: map[string]*loadbalancer.L4Addr{ 203 "port": { 204 Protocol: loadbalancer.TCP, 205 Port: 80, 206 }, 207 }, 208 epIP2: map[string]*loadbalancer.L4Addr{ 209 "port": { 210 Protocol: loadbalancer.TCP, 211 Port: 80, 212 }, 213 }, 214 }, 215 } 216 217 err := generateToCidrFromEndpoint(rule, endpointInfo, nil) 218 c.Assert(err, IsNil) 219 220 cidrs := rule.ToCIDRSet.StringSlice() 221 sort.Strings(cidrs) 222 c.Assert(len(cidrs), Equals, 2) 223 c.Assert(cidrs, checker.DeepEquals, []string{ 224 epIP1 + "/32", 225 epIP2 + "/32", 226 }) 227 228 // second run, to make sure there are no duplicates added 229 err = generateToCidrFromEndpoint(rule, endpointInfo, nil) 230 c.Assert(err, IsNil) 231 232 cidrs = rule.ToCIDRSet.StringSlice() 233 sort.Strings(cidrs) 234 c.Assert(len(cidrs), Equals, 2) 235 c.Assert(cidrs, checker.DeepEquals, []string{ 236 epIP1 + "/32", 237 epIP2 + "/32", 238 }) 239 240 err = deleteToCidrFromEndpoint(rule, endpointInfo, nil) 241 c.Assert(err, IsNil) 242 c.Assert(len(rule.ToCIDRSet), Equals, 0) 243 244 // third run, to make sure there are no duplicates added 245 err = generateToCidrFromEndpoint(rule, endpointInfo, nil) 246 c.Assert(err, IsNil) 247 248 cidrs = rule.ToCIDRSet.StringSlice() 249 sort.Strings(cidrs) 250 c.Assert(len(cidrs), Equals, 2) 251 c.Assert(cidrs, checker.DeepEquals, []string{ 252 epIP1 + "/32", 253 epIP2 + "/32", 254 }) 255 256 err = deleteToCidrFromEndpoint(rule, endpointInfo, nil) 257 c.Assert(err, IsNil) 258 c.Assert(len(rule.ToCIDRSet), Equals, 0) 259 } 260 261 func (s *K8sSuite) TestPreprocessRules(c *C) { 262 tag1 := labels.LabelArray{labels.ParseLabel("tag1")} 263 serviceInfo := ServiceID{ 264 Name: "svc", 265 Namespace: "default", 266 } 267 268 epIP := "10.1.1.1" 269 270 cache := NewServiceCache() 271 272 endpointInfo := Endpoints{ 273 Backends: map[string]service.PortConfiguration{ 274 epIP: map[string]*loadbalancer.L4Addr{ 275 "port": { 276 Protocol: loadbalancer.TCP, 277 Port: 80, 278 }, 279 }, 280 }, 281 } 282 283 service := Service{IsHeadless: true} 284 285 rule1 := api.Rule{ 286 EndpointSelector: api.NewESFromLabels(labels.ParseSelectLabel("bar")), 287 Egress: []api.EgressRule{{ 288 ToServices: []api.Service{ 289 { 290 K8sService: &api.K8sServiceNamespace{ 291 ServiceName: serviceInfo.Name, 292 Namespace: serviceInfo.Namespace, 293 }, 294 }, 295 }}, 296 }, 297 Labels: tag1, 298 } 299 300 cache.endpoints = map[ServiceID]*Endpoints{ 301 serviceInfo: &endpointInfo, 302 } 303 304 cache.services = map[ServiceID]*Service{ 305 serviceInfo: &service, 306 } 307 308 rules := api.Rules{&rule1} 309 310 err := PreprocessRules(rules, &cache) 311 c.Assert(err, IsNil) 312 313 c.Assert(len(rule1.Egress[0].ToCIDRSet), Equals, 1) 314 c.Assert(string(rule1.Egress[0].ToCIDRSet[0].Cidr), Equals, epIP+"/32") 315 } 316 317 func (s *K8sSuite) TestDontDeleteUserRules(c *C) { 318 userCIDR := api.CIDR("10.1.1.2/32") 319 rule := &api.EgressRule{ 320 ToCIDRSet: []api.CIDRRule{ 321 { 322 Cidr: userCIDR, 323 }, 324 }, 325 } 326 327 epIP := "10.1.1.1" 328 329 endpointInfo := Endpoints{ 330 Backends: map[string]service.PortConfiguration{ 331 epIP: map[string]*loadbalancer.L4Addr{ 332 "port": { 333 Protocol: loadbalancer.TCP, 334 Port: 80, 335 }, 336 }, 337 }, 338 } 339 340 err := generateToCidrFromEndpoint(rule, endpointInfo, nil) 341 c.Assert(err, IsNil) 342 343 c.Assert(len(rule.ToCIDRSet), Equals, 2) 344 c.Assert(string(rule.ToCIDRSet[1].Cidr), Equals, epIP+"/32") 345 346 // second run, to make sure there are no duplicates added 347 err = generateToCidrFromEndpoint(rule, endpointInfo, nil) 348 c.Assert(err, IsNil) 349 350 c.Assert(len(rule.ToCIDRSet), Equals, 2) 351 c.Assert(string(rule.ToCIDRSet[1].Cidr), Equals, epIP+"/32") 352 353 err = deleteToCidrFromEndpoint(rule, endpointInfo, nil) 354 c.Assert(err, IsNil) 355 c.Assert(len(rule.ToCIDRSet), Equals, 1) 356 c.Assert(string(rule.ToCIDRSet[0].Cidr), Equals, string(userCIDR)) 357 }