From fb49cbf56ecae6056ffb3fb34907f86dcdeba455 Mon Sep 17 00:00:00 2001 From: Deng Yun Date: Tue, 23 Jan 2024 09:31:33 +0000 Subject: [PATCH] Temporarily disable traffic check in SP This patch is to temporarily disable traffic check and named ports check in Security Policy e2e test. In VPC mode, currently, it's unable to create a subnetport in k8s env, so, we can not check pod running and pod traffic. Also, creating named port related security policy will fail as well because there are no running pods created for the named port security policy. We still check securitypolicy creation, update and deletion for e2e test. --- test/e2e/framework.go | 13 ++- test/e2e/nsx_security_policy_test.go | 134 +++++++++++++++------------ test/e2e/util.go | 3 + 3 files changed, 88 insertions(+), 62 deletions(-) diff --git a/test/e2e/framework.go b/test/e2e/framework.go index b32ee0f08..fc7d07f50 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go @@ -8,20 +8,16 @@ import ( "net" "os/exec" "regexp" - "strconv" "strings" "time" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" clientset "k8s.io/client-go/kubernetes" - "k8s.io/client-go/kubernetes/scheme" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" - "k8s.io/client-go/tools/remotecommand" "github.com/vmware-tanzu/nsx-operator/pkg/client/clientset/versioned" "github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common" @@ -82,11 +78,14 @@ type TestData struct { var testData *TestData +//Temporarily disable traffic check +/* type PodIPs struct { ipv4 *net.IP ipv6 *net.IP ipStrings []string } +*/ func initProvider() error { providerFactory := map[string]func(string) (providers.ProviderInterface, error){ @@ -405,6 +404,8 @@ func (data *TestData) getCRResource(timeout time.Duration, cr string, namespace return crs, nil } +//Temporarily disable traffic check +/* // podWaitFor polls the K8s apiServer until the specified Pod is found (in the test Namespace) and // the condition predicate is met (or until the provided timeout expires). func (data *TestData) podWaitFor(timeout time.Duration, name, namespace string, condition PodCondition) (*corev1.Pod, error) { @@ -594,6 +595,7 @@ func (data *TestData) runNetcatCommandFromPod(namespace string, podName string, } return nil } +*/ func applyYAML(filename string, ns string) error { cmd := fmt.Sprintf("kubectl apply -f %s -n %s", filename, ns) @@ -615,6 +617,8 @@ func applyYAML(filename string, ns string) error { return nil } +//Temporarily disable traffic check +/* func runCommand(cmd string) (string, error) { err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, defaultTimeout, false, func(ctx context.Context) (bool, error) { var stdout, stderr bytes.Buffer @@ -636,6 +640,7 @@ func runCommand(cmd string) (string, error) { }) return "", err } +*/ func deleteYAML(filename string, ns string) error { cmd := fmt.Sprintf("kubectl delete -f %s -n %s", filename, ns) diff --git a/test/e2e/nsx_security_policy_test.go b/test/e2e/nsx_security_policy_test.go index 3b721eb41..ac7cbb0f8 100644 --- a/test/e2e/nsx_security_policy_test.go +++ b/test/e2e/nsx_security_policy_test.go @@ -15,12 +15,9 @@ package e2e import ( - "fmt" "path/filepath" "testing" - "github.com/stretchr/testify/assert" - "github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common" ) @@ -32,30 +29,33 @@ const ( // This is the very basic, blocking all in and out traffic between pods should take effect. func TestSecurityPolicyBasicTraffic(t *testing.T) { ns := "test-security-policy-1" - busybox := "busybox" - ncPod := "nc-pod" securityPolicyName := "isolate-policy-1" + var err error setupTest(t, ns) defer teardownTest(t, ns, defaultTimeout) - // Create pods - busyboxPath, _ := filepath.Abs("./manifest/testSecurityPolicy/busybox.yaml") - _ = applyYAML(busyboxPath, ns) - netcatPath, _ := filepath.Abs("./manifest/testSecurityPolicy/netcat-pod.yaml") - _ = applyYAML(netcatPath, ns) - - // Wait for pods - ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns) - t.Logf("Pods are %v", ps) - assertNil(t, err, "Error when waiting for IP for Pod %s", busybox) - iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns) - t.Logf("Pods are %v", iPs) - assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod) - - // Ping from pod - err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) - assertNil(t, err, "Error when running ping command from test Pod %s", busybox) - + // Temporarily disable traffic check + /* + // Create pods + busyboxPath, _ := filepath.Abs("./manifest/testSecurityPolicy/busybox.yaml") + _ = applyYAML(busyboxPath, ns) + netcatPath, _ := filepath.Abs("./manifest/testSecurityPolicy/netcat-pod.yaml") + _ = applyYAML(netcatPath, ns) + + busybox := "busybox" + ncPod := "nc-pod + // Wait for pods + ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns) + t.Logf("Pods are %v", ps) + assertNil(t, err, "Error when waiting for IP for Pod %s", busybox) + iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns) + t.Logf("Pods are %v", iPs) + assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod) + + // Ping from pod + err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) + assertNil(t, err, "Error when running ping command from test Pod %s", busybox) + */ // Create security policy nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/ns-isolation-policy.yaml") _ = applyYAML(nsIsolationPath, ns) @@ -69,9 +69,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) { err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true) assertNil(t, err) - // Ping from pod - err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) - assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox) + //Temporarily disable traffic check + /* + // Ping from pod + err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) + assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox) + */ // Delete security policy _ = deleteYAML(nsIsolationPath, ns) @@ -84,9 +87,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) { err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false) assertNil(t, err) - // Ping from pod - err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) - assertNil(t, err, "Error when running ping command from test Pod %s", busybox) + //Temporarily disable traffic check + /* + // Ping from pod + err = testData.runPingCommandFromPod(ns, busybox, iPs, 4) + assertNil(t, err, "Error when running ping command from test Pod %s", busybox) + */ } // TestSecurityPolicyAddDeleteRule verifies that when adding or deleting rule, the security policy will be updated. @@ -144,9 +150,7 @@ func TestSecurityPolicyAddDeleteRule(t *testing.T) { func TestSecurityPolicyMatchExpression(t *testing.T) { ns := "test-security-policy-match-expression" securityPolicyName := "expression-policy-1" - clientA := "client-a" - clientB := "client-b" - podA := "pod-a" + var err error setupTest(t, ns) defer teardownTest(t, ns, defaultTimeout) @@ -155,22 +159,28 @@ func TestSecurityPolicyMatchExpression(t *testing.T) { _ = applyYAML(podPath, ns) defer deleteYAML(podPath, "") - // Wait for pods - ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns) - t.Logf("Pods are %v", ps) - assertNil(t, err, "Error when waiting for IP for Pod %s", clientA) - psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns) - t.Logf("Pods are %v", psb) - assertNil(t, err, "Error when waiting for IP for Pod %s", clientB) - iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns) - t.Logf("Pods are %v", iPs) - assertNil(t, err, "Error when waiting for IP for Pod %s", podA) - - // Ping from pod - err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) - assertNil(t, err, "Error when running ping command from Pod %s", clientA) - err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) - assertNil(t, err, "Error when running ping command from Pod %s", clientB) + // Temporarily disable traffic check + //clientA := "client-a" + //clientB := "client-b" + //podA := "pod-a" + /* + // Wait for pods + ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns) + t.Logf("Pods are %v", ps) + assertNil(t, err, "Error when waiting for IP for Pod %s", clientA) + psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns) + t.Logf("Pods are %v", psb) + assertNil(t, err, "Error when waiting for IP for Pod %s", clientB) + iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns) + t.Logf("Pods are %v", iPs) + assertNil(t, err, "Error when waiting for IP for Pod %s", podA) + + // Ping from pod + err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) + assertNil(t, err, "Error when running ping command from Pod %s", clientA) + err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) + assertNil(t, err, "Error when running ping command from Pod %s", clientB) + */ // Create security policy nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/match-expression.yaml") @@ -185,11 +195,14 @@ func TestSecurityPolicyMatchExpression(t *testing.T) { err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true) assertNil(t, err) - // Ping from pod - err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) - assertNil(t, err, "Error when running ping command from Pod %s", clientA) - err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) - assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB) + // Temporarily disable traffic check + /* + // Ping from pod + err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) + assertNil(t, err, "Error when running ping command from Pod %s", clientA) + err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) + assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB) + */ // Delete security policy _ = deleteYAML(nsIsolationPath, ns) @@ -202,13 +215,17 @@ func TestSecurityPolicyMatchExpression(t *testing.T) { err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false) assertNil(t, err) - // Ping from pod - err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) - assertNil(t, err, "Error when running ping command from Pod %s", clientA) - err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) - assertNil(t, err, "Error when running ping command from Pod %s", clientB) + // Temporarily disable traffic check + /* + // Ping from pod + err = testData.runPingCommandFromPod(ns, clientA, iPs, 4) + assertNil(t, err, "Error when running ping command from Pod %s", clientA) + err = testData.runPingCommandFromPod(ns, clientB, iPs, 4) + assertNil(t, err, "Error when running ping command from Pod %s", clientB) + */ } +/* // TestSecurityPolicyNamedPort0 verifies that the traffic of security policy when named port applied. // This test is to verify the named port feature of security policy. // When appliedTo is in policy level. @@ -763,3 +780,4 @@ func TestSecurityPolicyNamedPort7(t *testing.T) { err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false) assertNil(t, err) } +*/ diff --git a/test/e2e/util.go b/test/e2e/util.go index 90ed9daaa..874b0d04a 100644 --- a/test/e2e/util.go +++ b/test/e2e/util.go @@ -30,6 +30,8 @@ func assertNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool panic("assertion failed") } +//Temporarily disable traffic check +/* func assertNotNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool { if assert.NotNil(t, object, msgAndArgs...) { t.Logf("assertNotNil: %v", object) @@ -37,6 +39,7 @@ func assertNotNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) b } panic("assertion failed") } +*/ func assertTrue(t *testing.T, value bool, msgAndArgs ...interface{}) bool { if assert.True(t, value, msgAndArgs...) {