Temporarily disable traffic check in SP #498

Merged
13 changes: 9 additions & 4 deletions test/e2e/framework.go
Expand Up @@ -8,20 +8,16 @@ import (
"net"
"os/exec"
"regexp"
"strconv"
"strings"
"time"

corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/wait"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/scheme"
restclient "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/remotecommand"

"github.com/vmware-tanzu/nsx-operator/pkg/client/clientset/versioned"
"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
Expand Down Expand Up @@ -82,11 +78,14 @@ type TestData struct {

var testData *TestData

//Temporarily disable traffic check
/*
type PodIPs struct {
ipv4 *net.IP
ipv6 *net.IP
ipStrings []string
}
*/

func initProvider() error {
providerFactory := map[string]func(string) (providers.ProviderInterface, error){
Expand Down Expand Up @@ -405,6 +404,8 @@ func (data *TestData) getCRResource(timeout time.Duration, cr string, namespace
return crs, nil
}

//Temporarily disable traffic check
/*
// podWaitFor polls the K8s apiServer until the specified Pod is found (in the test Namespace) and
// the condition predicate is met (or until the provided timeout expires).
func (data *TestData) podWaitFor(timeout time.Duration, name, namespace string, condition PodCondition) (*corev1.Pod, error) {
Expand Down Expand Up @@ -594,6 +595,7 @@ func (data *TestData) runNetcatCommandFromPod(namespace string, podName string,
}
return nil
}
*/

func applyYAML(filename string, ns string) error {
cmd := fmt.Sprintf("kubectl apply -f %s -n %s", filename, ns)
Expand All @@ -615,6 +617,8 @@ func applyYAML(filename string, ns string) error {
return nil
}

//Temporarily disable traffic check
/*
func runCommand(cmd string) (string, error) {
err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, defaultTimeout, false, func(ctx context.Context) (bool, error) {
var stdout, stderr bytes.Buffer
Expand All @@ -636,6 +640,7 @@ func runCommand(cmd string) (string, error) {
})
return "", err
}
*/

func deleteYAML(filename string, ns string) error {
cmd := fmt.Sprintf("kubectl delete -f %s -n %s", filename, ns)
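Review bot: Wrapping `PodIPs`, `podWaitFor` through `runNetcatCommandFromPod`, and `runCommand` in `/* */` blocks removes them from compilation, so `go vet`, `gofmt` and `go build` no longer cover them and they will drift silently until someone tries to re-enable them — the companion test file in this PR already carries a broken string literal inside its comment block. Leaving the helpers compiled (an unused unexported function is not a Go compile error) and gating only the tests with `t.Skip("traffic check temporarily disabled: <tracking issue>")`, or moving them to a file with a build constraint, keeps them checked and makes the disabled state visible in `go test -v` output. If the comment approach stays, each marker should carry the reason and the tracking reference, e.g. `// Temporarily disabled: traffic-check helper; re-enable together with the traffic assertions in nsx_security_policy_test.go (tracking: <issue>).`, with the gofmt-style space after `//`. The import hunk at the top appears to drop `strconv`, `sets`, `scheme` and `remotecommand` (the sides are not marked on this page), which re-enabling will have to restore as well; the bodies of `podWaitFor`, `runNetcatCommandFromPod` and `runCommand` extend beyond the hunks shown.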
134 changes: 76 additions & 58 deletions test/e2e/nsx_security_policy_test.go
Expand Up @@ -15,12 +15,9 @@
package e2e

import (
"fmt"
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"

"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
)

Expand All @@ -32,30 +29,33 @@ const (
// This is the very basic, blocking all in and out traffic between pods should take effect.
func TestSecurityPolicyBasicTraffic(t *testing.T) {
ns := "test-security-policy-1"
busybox := "busybox"
ncPod := "nc-pod"
securityPolicyName := "isolate-policy-1"
var err error
setupTest(t, ns)
defer teardownTest(t, ns, defaultTimeout)

// Create pods
busyboxPath, _ := filepath.Abs("./manifest/testSecurityPolicy/busybox.yaml")
_ = applyYAML(busyboxPath, ns)
netcatPath, _ := filepath.Abs("./manifest/testSecurityPolicy/netcat-pod.yaml")
_ = applyYAML(netcatPath, ns)

// Wait for pods
ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns)
t.Logf("Pods are %v", ps)
assertNil(t, err, "Error when waiting for IP for Pod %s", busybox)
iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns)
t.Logf("Pods are %v", iPs)
assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod)

// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNil(t, err, "Error when running ping command from test Pod %s", busybox)

// Temporarily disable traffic check
/*
// Create pods
busyboxPath, _ := filepath.Abs("./manifest/testSecurityPolicy/busybox.yaml")
_ = applyYAML(busyboxPath, ns)
netcatPath, _ := filepath.Abs("./manifest/testSecurityPolicy/netcat-pod.yaml")
_ = applyYAML(netcatPath, ns)

busybox := "busybox"
ncPod := "nc-pod
// Wait for pods
ps, err := testData.podWaitForIPs(defaultTimeout, busybox, ns)
t.Logf("Pods are %v", ps)
assertNil(t, err, "Error when waiting for IP for Pod %s", busybox)
iPs, err := testData.podWaitForIPs(defaultTimeout, ncPod, ns)
t.Logf("Pods are %v", iPs)
assertNil(t, err, "Error when waiting for IP for Pod %s", ncPod)

// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
*/
// Create security policy
nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/ns-isolation-policy.yaml")
_ = applyYAML(nsIsolationPath, ns)
Expand All @@ -69,9 +69,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) {
err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true)
assertNil(t, err)

// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox)
//Temporarily disable traffic check
/*
// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNotNil(t, err, "Error when running ping command from test Pod %s", busybox)
*/

// Delete security policy
_ = deleteYAML(nsIsolationPath, ns)
Expand All @@ -84,9 +87,12 @@ func TestSecurityPolicyBasicTraffic(t *testing.T) {
err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false)
assertNil(t, err)

// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
//Temporarily disable traffic check
/*
// Ping from pod
err = testData.runPingCommandFromPod(ns, busybox, iPs, 4)
assertNil(t, err, "Error when running ping command from test Pod %s", busybox)
*/
}

// TestSecurityPolicyAddDeleteRule verifies that when adding or deleting rule, the security policy will be updated.
Expand Down Expand Up @@ -144,9 +150,7 @@ func TestSecurityPolicyAddDeleteRule(t *testing.T) {
func TestSecurityPolicyMatchExpression(t *testing.T) {
ns := "test-security-policy-match-expression"
securityPolicyName := "expression-policy-1"
clientA := "client-a"
clientB := "client-b"
podA := "pod-a"
var err error
setupTest(t, ns)
defer teardownTest(t, ns, defaultTimeout)

Expand All @@ -155,22 +159,28 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
_ = applyYAML(podPath, ns)
defer deleteYAML(podPath, "")

// Wait for pods
ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns)
t.Logf("Pods are %v", ps)
assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns)
t.Logf("Pods are %v", psb)
assertNil(t, err, "Error when waiting for IP for Pod %s", clientB)
iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns)
t.Logf("Pods are %v", iPs)
assertNil(t, err, "Error when waiting for IP for Pod %s", podA)

// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientB)
// Temporarily disable traffic check
//clientA := "client-a"
//clientB := "client-b"
//podA := "pod-a"
/*
// Wait for pods
ps, err := testData.podWaitForIPs(defaultTimeout, clientA, ns)
t.Logf("Pods are %v", ps)
assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
psb, err := testData.podWaitForIPs(defaultTimeout, clientB, ns)
t.Logf("Pods are %v", psb)
assertNil(t, err, "Error when waiting for IP for Pod %s", clientB)
iPs, err := testData.podWaitForIPs(defaultTimeout, podA, ns)
t.Logf("Pods are %v", iPs)
assertNil(t, err, "Error when waiting for IP for Pod %s", podA)

// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientB)
*/

// Create security policy
nsIsolationPath, _ := filepath.Abs("./manifest/testSecurityPolicy/match-expression.yaml")
Expand All @@ -185,11 +195,14 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, true)
assertNil(t, err)

// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB)
// Temporarily disable traffic check
/*
// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assert.NotNilf(t, err, "Error when running ping command from Pod %s", clientB)
*/

// Delete security policy
_ = deleteYAML(nsIsolationPath, ns)
Expand All @@ -202,13 +215,17 @@ func TestSecurityPolicyMatchExpression(t *testing.T) {
err = testData.waitForResourceExistOrNot(ns, common.ResourceTypeRule, securityPolicyName, false)
assertNil(t, err)

// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientB)
// Temporarily disable traffic check
/*
// Ping from pod
err = testData.runPingCommandFromPod(ns, clientA, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientA)
err = testData.runPingCommandFromPod(ns, clientB, iPs, 4)
assertNil(t, err, "Error when running ping command from Pod %s", clientB)
*/
}

/*
// TestSecurityPolicyNamedPort0 verifies that the traffic of security policy when named port applied.
// This test is to verify the named port feature of security policy.
// When appliedTo is in policy level.
Expand Down Expand Up @@ -763,3 +780,4 @@ func TestSecurityPolicyNamedPort7(t *testing.T) {
err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
assertNil(t, err)
}
*/
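Review bot: The commented-out block in `TestSecurityPolicyBasicTraffic` has `ncPod := "nc-pod` with no closing quote (the line after `busybox := "busybox"`), so the block will not compile when the `/* */` markers are removed; it should read `ncPod := "nc-pod"`. With every `runPingCommandFromPod` call disabled, `TestSecurityPolicyBasicTraffic` and `TestSecurityPolicyMatchExpression` now assert only that the SecurityPolicy and Rule objects are realized via `waitForResourceExistOrNot`, not that any traffic is blocked or allowed, so a rule that exists but does not enforce would pass CI while the test names still promise traffic verification; a `t.Skip` for the traffic phase, or a comment such as `// NOTE: traffic enforcement is not verified while the traffic check is disabled; only NSX resource realization is asserted.` above the first `applyYAML`, would make that visible. The closing `/* … */` that starts at `// TestSecurityPolicyNamedPort0` also disables the whole NamedPort0–7 family, including their resource-existence checks (`waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)`), which goes beyond "traffic check" and should be called out in the PR description or narrowed to the ping assertions. The bodies of the NamedPort tests lie outside the hunks shown.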
3 changes: 3 additions & 0 deletions test/e2e/util.go
Expand Up @@ -30,13 +30,16 @@ func assertNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool
panic("assertion failed")
}

//Temporarily disable traffic check
/*
func assertNotNil(t *testing.T, object interface{}, msgAndArgs ...interface{}) bool {
if assert.NotNil(t, object, msgAndArgs...) {
t.Logf("assertNotNil: %v", object)
return true
}
panic("assertion failed")
}
*/

func assertTrue(t *testing.T, value bool, msgAndArgs ...interface{}) bool {
if assert.True(t, value, msgAndArgs...) {