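// Copyright 2018-2019 Authors of Cilium
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package k8sTest

import (
	"context"
	"fmt"
	"path/filepath"

	. "github.com/cilium/cilium/test/ginkgo-ext"
	"github.com/cilium/cilium/test/helpers"

	. "github.com/onsi/gomega"
)

var (
	// starWarsDemoLinkRoot is the base URL under which the demo manifests live.
	//
	// NOTE(review): the resulting links are handed unchanged to
	// kubectl.ApplyDefault, kubectl.CiliumPolicyAction and kubectl.Delete
	// below, so whatever this URL serves is what gets applied to the test
	// cluster. "v1.0.1" is a tag, and a tag can be moved upstream; pinning to a
	// full commit SHA (<COMMIT_SHA>, placeholder) or vendoring the YAML would
	// make the applied content immutable.
	starWarsDemoLinkRoot = "https://raw.githubusercontent.com/cilium/star-wars-demo/v1.0.1"
)

// getStarWarsResourceLink returns the URL of file below starWarsDemoLinkRoot.
//
// file is appended verbatim, with no escaping or normalisation; every caller
// in this file passes a constant relative path.
func getStarWarsResourceLink(file string) string {
	// Cannot use filepath.Join because it removes one of the '/' from
	// https:// and results in a malformed URL.
	return fmt.Sprintf("%s/%s", starWarsDemoLinkRoot, file)
}

// K8sDemosTest deploys the Star Wars demo workloads, imports an L7 policy and
// checks that a request to the restricted path is rejected without the
// expected header and let through with it.
var _ = Describe("K8sDemosTest", func() {

	var (
		kubectl          *helpers.Kubectl
		microscopeErr    error
		microscopeCancel = func() error { return nil }

		// No-op defaults keep the teardown hooks callable even if the
		// corresponding start in JustBeforeEach never ran.
		backgroundCancel context.CancelFunc = func() {}
		backgroundError  error

		deathStarYAMLLink = getStarWarsResourceLink("01-deathstar.yaml")
		xwingYAMLLink     = getStarWarsResourceLink("02-xwing.yaml")
		l7PolicyYAMLLink  = getStarWarsResourceLink("policy/l7_policy.yaml")
	)

	BeforeAll(func() {
		kubectl = helpers.CreateKubectl(helpers.K8s1VMName(), logger)
		DeployCiliumAndDNS(kubectl)
	})

	// On failure, capture endpoint and service state for post-mortem analysis.
	AfterFailed(func() {
		kubectl.CiliumReport(helpers.KubeSystemNamespace,
			"cilium endpoint list",
			"cilium service list")
	})

	JustBeforeEach(func() {
		microscopeErr, microscopeCancel = kubectl.MicroscopeStart()
		Expect(microscopeErr).To(BeNil(), "Microscope cannot be started")

		backgroundCancel, backgroundError = kubectl.BackgroundReport("uptime")
		Expect(backgroundError).To(BeNil(), "Cannot start background report process")
	})

	JustAfterEach(func() {
		// Deferred so the background report is stopped even when one of the
		// checks below fails and aborts this node before its last statement.
		// On the success path the order is unchanged: microscope first, then
		// the background report.
		defer backgroundCancel()

		kubectl.ValidateNoErrorsInLogs(CurrentGinkgoTestDescription().Duration)
		Expect(microscopeCancel()).To(BeNil(), "cannot stop microscope")
	})

	AfterEach(func() {
		By("Deleting all resources created during test")
		// The Delete results are not inspected here; the wait that follows is
		// the check that the pods are actually gone.
		kubectl.Delete(l7PolicyYAMLLink)
		kubectl.Delete(deathStarYAMLLink)
		kubectl.Delete(xwingYAMLLink)

		By("Waiting for all pods to finish terminating")
		ExpectAllPodsTerminated(kubectl)
	})

	AfterAll(func() {
		kubectl.CloseSSHClient()
	})

	It("Tests Star Wars Demo", func() {

		allianceLabel := "org=alliance"
		deathstarServiceName := "deathstar"
		deathstarFQDN := fmt.Sprintf("%s.%s.svc.cluster.local", deathstarServiceName, helpers.DefaultNamespace)

		// Host plus path, without a scheme: the "http://" prefix is added at
		// the curl calls below, so filepath.Join cannot collapse "//" here.
		// NOTE(review): filepath.Join uses the OS separator; this assumes the
		// test is built for a '/'-separated platform.
		exhaustPortPath := filepath.Join(deathstarFQDN, "/v1/exhaust-port")

		By("Applying deployments")

		res := kubectl.ApplyDefault(deathStarYAMLLink)
		res.ExpectSuccess("unable to apply %s: %s", deathStarYAMLLink, res.CombineOutput())

		res = kubectl.ApplyDefault(xwingYAMLLink)
		res.ExpectSuccess("unable to apply %s: %s", xwingYAMLLink, res.CombineOutput())

		By("Waiting for pods to be ready")
		err := kubectl.WaitforPods(helpers.DefaultNamespace, "", helpers.HelperTimeout)
		Expect(err).Should(BeNil(), "Pods are not ready after timeout")

		By("Getting xwing pod names")
		xwingPods, err := kubectl.GetPodNames(helpers.DefaultNamespace, allianceLabel)
		Expect(err).Should(BeNil())
		Expect(xwingPods).ShouldNot(BeEmpty(), "Unable to get xwing pod names")

		// Test only needs to access one of the pods. The non-empty check above
		// guards this index.
		xwingPod := xwingPods[0]

		By("Making sure all endpoints are in ready state")
		err = kubectl.CiliumEndpointWaitReady()
		Expect(err).To(BeNil(), "Endpoints are not ready after timeout")

		By("Showing how alliance can execute REST API call to main API endpoint")

		err = kubectl.WaitForKubeDNSEntry(deathstarServiceName, helpers.DefaultNamespace)
		Expect(err).To(BeNil(), "DNS entry is not ready after timeout")

		// Baseline before any policy is imported: the main API is reachable.
		res = kubectl.ExecPodCmd(helpers.DefaultNamespace, xwingPod,
			helpers.CurlFail("http://%s/v1", deathstarFQDN))
		res.ExpectSuccess("unable to curl %s/v1: %s", deathstarFQDN, res.Output())

		By("Importing L7 Policy which restricts access to %q", exhaustPortPath)
		_, err = kubectl.CiliumPolicyAction(
			helpers.DefaultNamespace, l7PolicyYAMLLink, helpers.KubectlApply, helpers.HelperTimeout)
		Expect(err).Should(BeNil(), "Unable to apply %s", l7PolicyYAMLLink)

		// Wait again so the checks below run against the enforced policy and
		// not against endpoints that are still regenerating.
		By("Waiting for endpoints to be ready after importing policy")
		err = kubectl.CiliumEndpointWaitReady()
		Expect(err).To(BeNil(), "Endpoints are not ready after timeout")

		// Deny case: the same pod, same path, no header, must get a 403.
		// NOTE(review): ExpectContains is a substring match on the command
		// output, so it is only a reliable status check if CurlWithHTTPCode
		// prints nothing but the HTTP code; confirm against the helper.
		By("Showing how alliance cannot access %q without force header in API request after importing L7 Policy", exhaustPortPath)
		res = kubectl.ExecPodCmd(helpers.DefaultNamespace, xwingPod,
			helpers.CurlWithHTTPCode("-X PUT http://%s", exhaustPortPath))
		res.ExpectContains("403", "able to access %s when policy disallows it; %s", exhaustPortPath, res.Output())

		// Allow case: only the header differs from the request above. The
		// header is set by the client itself, so this exercises header-based
		// L7 filtering (presumably the rule in l7_policy.yaml, not visible
		// here), not authentication of the caller.
		By("Showing how alliance can access %q with force header in API request to attack the deathstar", exhaustPortPath)
		res = kubectl.ExecPodCmd(helpers.DefaultNamespace, xwingPod,
			helpers.CurlWithHTTPCode("-X PUT -H 'X-Has-Force: True' http://%s", exhaustPortPath))
		// A 503 rather than a 403 shows the request got past the policy and
		// the status came from somewhere other than the deny path.
		By("Expecting 503 to be returned when using force header to attack the deathstar")
		res.ExpectContains("503", "unable to access %s when policy allows it; %s", exhaustPortPath, res.Output())
	})
})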