networkpolicy test script for github.com/cloudnativelabs/kube-router/issues/85

00-results-output.txt

###
### Stage 00-new-cluster complete. Logging to /tmp/np-test-logs/00-new-cluster.\{iptables,ipset\}
###
networkpolicy "test-network-policy" created
###
### Stage 01-np-created complete. Logging to /tmp/np-test-logs/01-np-created.\{iptables,ipset\}
###
deployment "test-np-server" created
service "test-np-server" exposed
###
### Stage 02-server-pod-unlabled-created complete. Logging to /tmp/np-test-logs/02-server-pod-unlabled-created.\{iptables,ipset\}
###
deployment "test-np-unlabeled" created
###
### Stage 03-other-unlabeled-created complete. Logging to /tmp/np-test-logs/03-other-unlabeled-created.\{iptables,ipset\}
###
# Stage 03-other-unlabeled-created: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 04-server-pod-labeled-protected complete. Logging to /tmp/np-test-logs/04-server-pod-labeled-protected.\{iptables,ipset\}
###
# Stage 04-server-pod-labeled-protected: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
deployment "test-np-client" created
###
### Stage 05-client-pod-labeled-allowed-created complete. Logging to /tmp/np-test-logs/05-client-pod-labeled-allowed-created.\{iptables,ipset\}
###
# Stage 05-client-pod-labeled-allowed-created: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 05-client-pod-labeled-allowed-created: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 06-server-pod-label-removed complete. Logging to /tmp/np-test-logs/06-server-pod-label-removed.\{iptables,ipset\}
###
# Stage 06-server-pod-label-removed: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 06-server-pod-label-removed: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 07-server-pod-labeled-protected complete. Logging to /tmp/np-test-logs/07-server-pod-labeled-protected.\{iptables,ipset\}
###
# Stage 07-server-pod-labeled-protected: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 07-server-pod-labeled-protected: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
###
### Stage 08-client-pod-label-removed complete. Logging to /tmp/np-test-logs/08-client-pod-label-removed.\{iptables,ipset\}
###
# Stage 08-client-pod-label-removed: for blocked HTTP connection.
error: pod name must be specified
INFO: HTTP connection failed test-np-client. This was expected.
# Stage 08-client-pod-label-removed: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
deployment "test-np-client" deleted
Error from server (NotFound): services "test-np-client" not found
###
### Stage 09-client-pod-deleted complete. Logging to /tmp/np-test-logs/09-client-pod-deleted.\{iptables,ipset\}
###
# Stage 09-client-pod-deleted: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
pod "test-np-unlabeled-2719174803-cshhx" labeled
###
### Stage 10-other-pod-labeled-allowed complete. Logging to /tmp/np-test-logs/10-other-pod-labeled-allowed.\{iptables,ipset\}
###
# Stage 10-other-pod-labeled-allowed: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
networkpolicy "test-network-policy" deleted
###
### Stage 11-np-deleted complete. Logging to /tmp/np-test-logs/11-np-deleted.\{iptables,ipset\}
###
# Stage 11-np-deleted: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.

np-test.sh

#!/usr/bin/env sh

# [ -n "${DRY_RUN}" ] && export DRY_RUN="--dry-run"

[ -z "${LOGS_DIR}" ] && LOGS_DIR="/tmp/np-test-logs"

if [ -d "${LOGS_DIR}" ]; then
    echo "Error: ${LOGS_DIR} already exists."
    echo
    echo "Please move/delete ${LOGS_DIR} or provide a LOGS_DIR for ${0} to create."
    echo "Example: LOGS_DIR=/tmp/mylogs ${0}"
    exit 1
fi

[ -z "${NP_MANIFEST_PATH}" ] && NP_MANIFEST_PATH="/tmp/np-test.yaml"

if [ -f "${NP_MANIFEST_PATH}" ]; then
    echo "Error: Couldn't find a networkpolicy manifest file at ${NP_MANIFEST_PATH}"
    echo
    echo "Please put the manifest from the GitHub issue at ${NP_MANIFEST_PATH}"
    echo "or provide an alternative path to this manifest file with NP_MANIFEST_PATH."
    echo "Example: NP_MANIFEST_PATH=/tmp/my-np.yaml ${0}"
    exit 1
fi

SERVER_DEPLOYMENT="test-np-server"
CLIENT_DEPLOYMENT="test-np-client"
OTHER_DEPLOYMENT="test-np-unlabeled"
PROTECT_LABEL="np-test=protected"
ALLOW_LABEL="np-test=allowed"
NP_DISABLE_LABEL="np-test-"

KR_POD="$(basename "$(kubectl -n kube-system get pods -l k8s-app=kube-router --output name)")"
KR_EXEC="kubectl -n kube-system exec ${KR_POD}"
export IPTABLES_SAVE="${KR_EXEC} iptables-save"
export IPSET_SAVE="${KR_EXEC} ipset save"
export DEFAULT="kubectl -n default"
export DELAY="sleep 15s"

log_snapshot()
{
    echo "###"
    echo "### Stage ${1}: Logging to ${LOGS_DIR}/${1}.\{iptables,ipset\}"
    echo "###"
    ${DELAY}
    ${IPTABLES_SAVE} > "${LOGS_DIR}/${1}.iptables"
    ${IPSET_SAVE} > "${LOGS_DIR}/${1}.ipset"
}

# Usage: test_http DEPLOYMENT
test_http()
{
    CLIENT_POD="$(basename "$(${DEFAULT} get pods -l "run=${1}" --output name)")"
    ${DEFAULT} exec "${CLIENT_POD}" -- wget --spider --timeout=1 "${SERVER_DEPLOYMENT}" \
        && return 0 \
        || return 1
}

# Usage: test_allowed_http STAGE DEPLOYMENT
test_allowed_http()
{
    echo "# Stage ${1}: Testing for allowed HTTP connection."
    if test_http "${2}"; then
        echo "INFO: HTTP connection succeeded from ${2}. This was expected."
        return 0
    else
        echo "ERROR: HTTP connection failed from ${2}. This was not expected."
        return 1
    fi
}

# Usage: test_blocked_http STAGE DEPLOYMENT
test_blocked_http()
{
    echo "# Stage ${1}: for blocked HTTP connection."
    if test_http "${2}"; then
        echo "ERROR: HTTP connection succeeded from ${2}. This was not expected."
        return 1
    else
        echo "INFO: HTTP connection failed ${2}. This was expected."
        return 0
    fi
}

mkdir -p "${LOGS_DIR}"

STAGE="00-new-cluster"
log_snapshot "${STAGE}"

STAGE="01-np-created"
${DEFAULT} create -f "${NP_MANIFEST_PATH}"
log_snapshot "${STAGE}"

STAGE="02-server-pod-unlabled-created"
${DEFAULT} run "${SERVER_DEPLOYMENT}" --command --image alpine --replicas 1 --port 80 -- sh -c 'echo OK > index.html; httpd -fv'
${DEFAULT} expose deployment "${SERVER_DEPLOYMENT}" --port=80
log_snapshot "${STAGE}"

STAGE="03-other-unlabeled-created"
${DEFAULT} run "${OTHER_DEPLOYMENT}" --command --image alpine --replicas 1 -- sleep 300d
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="04-server-pod-labeled-protected"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${PROTECT_LABEL}"
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="05-client-pod-labeled-allowed-created"
${DEFAULT} run "${CLIENT_DEPLOYMENT}" --command \
    --image alpine --replicas 1 --labels="${ALLOW_LABEL}" \
    -- sleep 300d
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" #|| exit 1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="06-server-pod-label-removed"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${NP_DISABLE_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" #|| exit 1
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="07-server-pod-labeled-protected"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${PROTECT_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" #|| exit 1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="08-client-pod-label-removed"
${DEFAULT} label pod -l "run=${CLIENT_DEPLOYMENT}" "${NP_DISABLE_LABEL}"
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${CLIENT_DEPLOYMENT}" #|| exit 1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="09-client-pod-deleted"
${DEFAULT} delete deployment "${CLIENT_DEPLOYMENT}"
${DEFAULT} delete service "${CLIENT_DEPLOYMENT}"
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="10-other-pod-labeled-allowed"
${DEFAULT} label pod -l "run=${OTHER_DEPLOYMENT}" "${ALLOW_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1

STAGE="11-np-deleted"
${DEFAULT} delete -f "${NP_MANIFEST_PATH}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" #|| exit 1