open-cluster-management.io/governance-policy-propagator@v0.13.0/test/e2e/case16_selective_policy_enforcement_test.go (about) 1 // Copyright (c) 2023 Red Hat, Inc. 2 // Copyright Contributors to the Open Cluster Management project 3 4 package e2e 5 6 import ( 7 "context" 8 9 . "github.com/onsi/ginkgo/v2" 10 . "github.com/onsi/gomega" 11 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 12 13 "open-cluster-management.io/governance-policy-propagator/controllers/common" 14 "open-cluster-management.io/governance-policy-propagator/test/utils" 15 ) 16 17 var _ = Describe("Test selective policy enforcement", Ordered, func() { 18 const ( 19 case16PolicyName string = "case16-test-policy" 20 case16PolicyYaml string = "../resources/case16_selective_policy_enforcement/case16-test-policy.yaml" 21 case16BindingYaml string = "../resources/case16_selective_policy_enforcement/case16-enforce-binding.yaml" 22 ) 23 24 BeforeAll(func() { 25 By("Creating the test policy, the initial placement binding, and placement rule") 26 _, err := utils.KubectlWithOutput("apply", "-f", case16PolicyYaml, 27 "-n", testNamespace, "--kubeconfig="+kubeconfigHub) 28 Expect(err).ToNot(HaveOccurred()) 29 rootplc := utils.GetWithTimeout( 30 clientHubDynamic, gvrPolicy, case16PolicyName, testNamespace, true, defaultTimeoutSeconds, 31 ) 32 Expect(rootplc).NotTo(BeNil()) 33 34 By("Patching the placement rule with decisions managed1, managed2") 35 plr := utils.GetWithTimeout( 36 clientHubDynamic, gvrPlacementRule, case16PolicyName+"-plr", testNamespace, true, defaultTimeoutSeconds, 37 ) 38 plr.Object["status"] = utils.GeneratePlrStatus("managed1", "managed2") 39 _, err = clientHubDynamic.Resource(gvrPlacementRule).Namespace(testNamespace).UpdateStatus( 40 context.TODO(), plr, metav1.UpdateOptions{}, 41 ) 42 Expect(err).ToNot(HaveOccurred()) 43 44 By("Verifying the replicated policy was created in cluster ns managed1, managed2") 45 opt := metav1.ListOptions{ 46 LabelSelector: common.RootPolicyLabel + "=" + testNamespace + "." + case16PolicyName, 47 } 48 plcList := utils.ListWithTimeout(clientHubDynamic, gvrPolicy, opt, 2, true, defaultTimeoutSeconds) 49 for _, plc := range plcList.Items { 50 Expect(plc.GetName()).To(Equal(testNamespace + "." + case16PolicyName)) 51 Expect(plc.GetNamespace()).Should(BeElementOf("managed1", "managed2")) 52 } 53 }) 54 55 AfterAll(func() { 56 By("Cleaning up resources") 57 _, err := utils.KubectlWithOutput("delete", "-f", case16PolicyYaml, 58 "-n", testNamespace, "--kubeconfig="+kubeconfigHub, "--ignore-not-found") 59 Expect(err).ToNot(HaveOccurred()) 60 _, err = utils.KubectlWithOutput("delete", "-f", case16BindingYaml, 61 "-n", testNamespace, "--kubeconfig="+kubeconfigHub, "--ignore-not-found") 62 Expect(err).ToNot(HaveOccurred()) 63 }) 64 65 Describe("Testing enforcing with subFilter", Ordered, func() { 66 It("should update the policy's remediationAction to enforce on cluster ns managed1, managed2", func() { 67 By("Creating another placement rule and binding to selectively enforce policy") 68 _, err := utils.KubectlWithOutput("apply", "-f", case16BindingYaml, 69 "-n", testNamespace, "--kubeconfig="+kubeconfigHub) 70 Expect(err).ToNot(HaveOccurred()) 71 72 By("Patching the case16-test-policy-plr-enforce with decisions managed1, managed2, managed3") 73 plr := utils.GetWithTimeout( 74 clientHubDynamic, gvrPlacementRule, case16PolicyName+"-plr-enforce", 75 testNamespace, true, defaultTimeoutSeconds, 76 ) 77 plr.Object["status"] = utils.GeneratePlrStatus("managed1", "managed2", "managed3") 78 _, err = clientHubDynamic.Resource(gvrPlacementRule).Namespace(testNamespace).UpdateStatus( 79 context.TODO(), plr, metav1.UpdateOptions{}, 80 ) 81 Expect(err).ToNot(HaveOccurred()) 82 83 By("Verifying no replicated policy created on cluster ns managed3 because of the subfilter") 84 Eventually(func() interface{} { 85 replicatedPlc := utils.GetWithTimeout( 86 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 87 "managed3", false, defaultTimeoutSeconds, 88 ) 89 90 return replicatedPlc 91 }).Should(BeNil()) 92 93 By("Verifying the RemediationAction of the replicated policies on cluster ns managed1, managed2") 94 Eventually(func() interface{} { 95 replicatedPlc := utils.GetWithTimeout( 96 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 97 "managed1", true, defaultTimeoutSeconds, 98 ) 99 100 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 101 }).Should(Equal("enforce")) 102 103 Eventually(func() interface{} { 104 replicatedPlc := utils.GetWithTimeout( 105 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 106 "managed2", true, defaultTimeoutSeconds, 107 ) 108 109 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 110 }).Should(Equal("enforce")) 111 112 By("Verifying the root policy has correct placement status") 113 expectedPlacementStatus := []interface{}{ 114 map[string]interface{}{ 115 "placementBinding": case16PolicyName + "-pb", 116 "placementRule": case16PolicyName + "-plr", 117 }, 118 map[string]interface{}{ 119 "placementBinding": case16PolicyName + "-pb-enforce", 120 "placementRule": case16PolicyName + "-plr-enforce", 121 }, 122 } 123 Eventually(func() interface{} { 124 rootPlc := utils.GetWithTimeout(clientHubDynamic, gvrPolicy, 125 case16PolicyName, testNamespace, true, defaultTimeoutSeconds) 126 127 return rootPlc.Object["status"].(map[string]interface{})["placement"] 128 }, defaultTimeoutSeconds, 1).Should(utils.SemanticEqual(expectedPlacementStatus)) 129 }) 130 131 It("should update the replicated policy's remediationAction back to inform on cluster ns managed1", func() { 132 By("Removing managed1 from the case16-test-policy-plr-enforce decisions") 133 plr := utils.GetWithTimeout( 134 clientHubDynamic, gvrPlacementRule, case16PolicyName+"-plr-enforce", 135 testNamespace, true, defaultTimeoutSeconds, 136 ) 137 plr.Object["status"] = utils.GeneratePlrStatus("managed2") 138 _, err := clientHubDynamic.Resource(gvrPlacementRule).Namespace(testNamespace).UpdateStatus( 139 context.TODO(), plr, metav1.UpdateOptions{}, 140 ) 141 Expect(err).ToNot(HaveOccurred()) 142 143 By("Verifying the RemediationAction of the replicated policies on cluster ns managed1, managed2") 144 Eventually(func() interface{} { 145 replicatedPlc := utils.GetWithTimeout( 146 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 147 "managed1", true, defaultTimeoutSeconds, 148 ) 149 150 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 151 }).Should(Equal("inform")) 152 153 Eventually(func() interface{} { 154 replicatedPlc := utils.GetWithTimeout( 155 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 156 "managed2", true, defaultTimeoutSeconds, 157 ) 158 159 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 160 }).Should(Equal("enforce")) 161 }) 162 163 It("should delete the replicated policy on cluster ns managed2", func() { 164 By("Removing managed2 from the case16-test-policy-plr decisions") 165 plr := utils.GetWithTimeout( 166 clientHubDynamic, gvrPlacementRule, case16PolicyName+"-plr", 167 testNamespace, true, defaultTimeoutSeconds, 168 ) 169 plr.Object["status"] = utils.GeneratePlrStatus("managed1") 170 _, err := clientHubDynamic.Resource(gvrPlacementRule).Namespace(testNamespace).UpdateStatus( 171 context.TODO(), plr, metav1.UpdateOptions{}, 172 ) 173 Expect(err).ToNot(HaveOccurred()) 174 175 By("Verifying the replicated policy on cluster ns managed2 was deleted") 176 Eventually(func() interface{} { 177 replicatedPlc := utils.GetWithTimeout( 178 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 179 "managed2", false, defaultTimeoutSeconds, 180 ) 181 182 return replicatedPlc 183 }).Should(BeNil()) 184 185 By("Verifying the root policy has correct placement status") 186 expectedPlacementStatus := []interface{}{ 187 map[string]interface{}{ 188 "placementBinding": case16PolicyName + "-pb", 189 "placementRule": case16PolicyName + "-plr", 190 }, 191 } 192 Eventually(func() interface{} { 193 rootPlc := utils.GetWithTimeout(clientHubDynamic, gvrPolicy, 194 case16PolicyName, testNamespace, true, defaultTimeoutSeconds) 195 196 return rootPlc.Object["status"].(map[string]interface{})["placement"] 197 }, defaultTimeoutSeconds, 1).Should(utils.SemanticEqual(expectedPlacementStatus)) 198 }) 199 200 It("should propagate to all clusters when the subfilter is removed", func() { 201 By("Putting all clusters in the case16-test-policy-plr-enforce decisions") 202 plr := utils.GetWithTimeout( 203 clientHubDynamic, gvrPlacementRule, case16PolicyName+"-plr-enforce", 204 testNamespace, true, defaultTimeoutSeconds, 205 ) 206 plr.Object["status"] = utils.GeneratePlrStatus("managed1", "managed2", "managed3") 207 _, err := clientHubDynamic.Resource(gvrPlacementRule).Namespace(testNamespace).UpdateStatus( 208 context.TODO(), plr, metav1.UpdateOptions{}, 209 ) 210 Expect(err).ToNot(HaveOccurred()) 211 212 By("Verifying that the policy on managed3 is still not created") 213 Consistently(func() interface{} { 214 return utils.GetWithTimeout( 215 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 216 "managed3", false, defaultTimeoutSeconds, 217 ) 218 }, "5s", 1).Should(BeNil()) 219 220 By("Removing the subfilter from the binding") 221 utils.Kubectl("patch", "placementbinding", "case16-test-policy-pb-enforce", "-n", testNamespace, 222 "--kubeconfig="+kubeconfigHub, "--type=json", `-p=[{"op":"remove","path":"/subFilter"}]`) 223 224 By("Verifying the policies exist and are enforcing on all 3 clusters") 225 for _, clustername := range []string{"managed1", "managed2", "managed3"} { 226 Eventually(func() interface{} { 227 replicatedPlc := utils.GetWithTimeout( 228 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 229 clustername, true, defaultTimeoutSeconds, 230 ) 231 232 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 233 }, defaultTimeoutSeconds, 1).Should(Equal("enforce")) 234 } 235 }) 236 237 It("should change remediationAction when the bindingOverrides are removed", func() { 238 By("Removing the overrides from the binding") 239 utils.Kubectl("patch", "placementbinding", "case16-test-policy-pb-enforce", "-n", testNamespace, 240 "--kubeconfig="+kubeconfigHub, "--type=json", `-p=[{"op":"remove","path":"/bindingOverrides"}]`) 241 242 By("Verifying the policies are informing on all 3 clusters") 243 for _, clustername := range []string{"managed1", "managed2", "managed3"} { 244 Eventually(func() interface{} { 245 replicatedPlc := utils.GetWithTimeout( 246 clientHubDynamic, gvrPolicy, testNamespace+"."+case16PolicyName, 247 clustername, true, defaultTimeoutSeconds, 248 ) 249 250 return replicatedPlc.Object["spec"].(map[string]interface{})["remediationAction"] 251 }, defaultTimeoutSeconds, 1).Should(Equal("inform")) 252 } 253 }) 254 }) 255 })