})
f.It("should support a 'default-deny-all' policy", feature.NetworkPolicy, func(ctx context.Context) {
- policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
CreatePolicy(ctx, k8s, policy, nsX)
reachability := NewReachability(k8s.AllPodStrings(), true)
})
f.It("should enforce policy to allow traffic from pods within server namespace based on PodSelector", feature.NetworkPolicy, func(ctx context.Context) {
+ protocols := []v1.Protocol{protocolTCP}
+ ports := []int32{80}
+ k8s = initializeResources(ctx, f, protocols, ports)
+ nsX, _, _ := getK8sNamespaces(k8s)
+
allowedPods := metav1.LabelSelector{
MatchLabels: map[string]string{
"pod": "b",
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &allowedPods})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
-
- protocols := []v1.Protocol{protocolTCP}
- ports := []int32{80}
- k8s = initializeResources(ctx, f, protocols, ports)
- nsX, _, _ := getK8sNamespaces(k8s)
CreatePolicy(ctx, k8s, policy, nsX)
reachability := NewReachability(k8s.AllPodStrings(), true)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
- ginkgo.By("having a deny all ingress policy", func() {
- // Deny all Ingress traffic policy to pods on namespace nsX
- policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
- CreatePolicy(ctx, k8s, policy, nsX)
- })
+
+ ginkgo.By("having a deny all ingress policy")
+ // Deny all Ingress traffic policy to pods on namespace nsX
+ policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
+ CreatePolicy(ctx, k8s, policy, nsX)
// Allow Ingress traffic only to pod x/a from any pod
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-from-another-ns", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: &metav1.LabelSelector{MatchLabels: map[string]string{namespaceLabelKey: nsY}}})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
})
f.It("should enforce policy based on PodSelector with MatchExpressions", feature.NetworkPolicy, func(ctx context.Context) {
+ protocols := []v1.Protocol{protocolTCP}
+ ports := []int32{80}
+ k8s = initializeResources(ctx, f, protocols, ports)
+ nsX, _, _ := getK8sNamespaces(k8s)
+
allowedPods := metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: "pod",
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &allowedPods})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("x-a-allows-x-b", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
-
- protocols := []v1.Protocol{protocolTCP}
- ports := []int32{80}
- k8s = initializeResources(ctx, f, protocols, ports)
- nsX, _, _ := getK8sNamespaces(k8s)
CreatePolicy(ctx, k8s, policy, nsX)
reachability := NewReachability(k8s.AllPodStrings(), true)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: namespaceLabelKey,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: namespaceLabelKey,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: namespaceLabelKey,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: namespaceLabelKey,
Values: []string{"b", "c"},
}},
}
-
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedNamespaces, PodSelector: allowedPod})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ns-y-z-pod-b-c", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
ingressRule := networkingv1.NetworkPolicyIngressRule{}
for _, label := range []map[string]string{{"pod": "b"}, {"pod": "c"}} {
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: label}})
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
})
f.It("should enforce policy based on Ports", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
protocols := []v1.Protocol{protocolTCP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
})
f.It("should enforce multiple, stacked policies with overlapping podSelectors", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80, 81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
ingressRule = networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels})
ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolTCP})
-
allowPort80Policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-client-a-via-ns-selector-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
CreatePolicy(ctx, k8s, allowPort80Policy, nsX)
})
f.It("should support allow-all policy", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network policy which allows all traffic.")
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80, 81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network policy which allows all traffic.")
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
CreatePolicy(ctx, k8s, policy, nsX)
ginkgo.By("Testing pods can connect to both ports when an 'allow-all' policy is present.")
})
f.It("should allow ingress access on one named port", feature.NetworkPolicy, func(ctx context.Context) {
- IngressRules := networkingv1.NetworkPolicyIngressRule{}
- IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-81-tcp"}})
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80, 81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
- CreatePolicy(ctx, k8s, policy, nsX)
ginkgo.By("Blocking all ports other then 81 in the entire namespace")
+ IngressRules := networkingv1.NetworkPolicyIngressRule{}
+ IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-81-tcp"}})
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all", map[string]string{}, SetSpecIngressRules(IngressRules))
+ CreatePolicy(ctx, k8s, policy, nsX)
reachabilityPort81 := NewReachability(k8s.AllPodStrings(), true)
ValidateOrFail(k8s, &TestCase{ToPort: 81, Protocol: v1.ProtocolTCP, Reachability: reachabilityPort81})
ports := []int32{80, 81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
})
f.It("should allow egress access on one named port", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("validating egress from port 81 to port 80")
- egressRule := networkingv1.NetworkPolicyEgressRule{}
- egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}})
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress", map[string]string{}, SetSpecEgressRules(egressRule))
-
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80, 81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ egressRule := networkingv1.NetworkPolicyEgressRule{}
+ egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80-tcp"}})
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress", map[string]string{}, SetSpecEgressRules(egressRule))
CreatePolicy(ctx, k8s, policy, nsX)
reachabilityPort80 := NewReachability(k8s.AllPodStrings(), true)
})
f.It("should enforce updated policy", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Using the simplest possible mutation: start with allow all, then switch to deny all")
- // part 1) allow all
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Using the simplest possible mutation: start with allow all, then switch to deny all")
+ // part 1) allow all
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-all-mutate-to-deny-all", map[string]string{}, SetSpecIngressRules(networkingv1.NetworkPolicyIngressRule{}))
CreatePolicy(ctx, k8s, policy, nsX)
reachability := NewReachability(k8s.AllPodStrings(), true)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
IngressRules := networkingv1.NetworkPolicyIngressRule{}
IngressRules.From = append(IngressRules.From, networkingv1.NetworkPolicyPeer{PodSelector: &metav1.LabelSelector{MatchLabels: map[string]string{}}})
policy := GenNetworkPolicyWithNameAndPodSelector("deny-empty-policy", metav1.LabelSelector{}, SetSpecIngressRules(IngressRules))
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-pod-a", metav1.LabelSelector{MatchLabels: map[string]string{"pod": "a"}}, SetSpecEgressRules())
CreatePolicy(ctx, k8s, policy, nsX)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
policy := GenNetworkPolicyWithNameAndPodSelector("deny-egress-ns-x", metav1.LabelSelector{}, SetSpecEgressRules())
CreatePolicy(ctx, k8s, policy, nsX)
})
f.It("should work with Ingress, Egress specified together", feature.NetworkPolicy, func(ctx context.Context) {
+ protocols := []v1.Protocol{protocolTCP}
+ ports := []int32{80, 81}
+ k8s = initializeResources(ctx, f, protocols, ports)
+ nsX, _, _ := getK8sNamespaces(k8s)
+
allowedPodLabels := &metav1.LabelSelector{MatchLabels: map[string]string{"pod": "b"}}
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{PodSelector: allowedPodLabels})
},
}
policy.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}
- protocols := []v1.Protocol{protocolTCP}
- ports := []int32{80, 81}
- k8s = initializeResources(ctx, f, protocols, ports)
- nsX, _, _ := getK8sNamespaces(k8s)
CreatePolicy(ctx, k8s, policy, nsX)
reachabilityPort80 := NewReachability(k8s.AllPodStrings(), true)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Protocol: &protocolTCP})
policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-by-proto", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
IngressRules := networkingv1.NetworkPolicyIngressRule{}
IngressRules.Ports = append(IngressRules.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}})
policyAllowOnlyPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-ingress-port-80", map[string]string{}, SetSpecIngressRules(IngressRules))
})
f.It("should enforce multiple egress policies with egress allow-all policy taking precedence", feature.NetworkPolicy, func(ctx context.Context) {
- egressRule := networkingv1.NetworkPolicyEgressRule{}
- egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}})
- policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ egressRule := networkingv1.NetworkPolicyEgressRule{}
+ egressRule.Ports = append(egressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}})
+ policyAllowPort80 := GenNetworkPolicyWithNameAndPodMatchLabel("allow-egress-port-80", map[string]string{}, SetSpecEgressRules(egressRule))
CreatePolicy(ctx, k8s, policyAllowPort80, nsX)
ginkgo.By("Making sure ingress doesn't work other than port 80")
})
f.It("should stop enforcing policies after they are deleted", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network policy for the server which denies all traffic.")
-
- // Deny all traffic into and out of "x".
- policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network policy for the server which denies all traffic.")
+ // Deny all traffic into and out of "x".
+ policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules(), SetSpecEgressRules())
CreatePolicy(ctx, k8s, policy, nsX)
reachability := NewReachability(k8s.AllPodStrings(), true)
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
podList, err := f.ClientSet.CoreV1().Pods(nsY).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
framework.ExpectNoError(err, "Failing to list pods in namespace y")
pod := podList.Items[0]
})
f.It("should enforce except clause while egress access to server in CIDR block", feature.NetworkPolicy, func(ctx context.Context) {
- // Getting podServer's status to get podServer's IP, to create the CIDR with except clause
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+ // Getting podServer's status to get podServer's IP, to create the CIDR with except clause
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
framework.ExpectNoError(err, "Failing to find pod x/b")
podB := podList.Items[0]
})
f.It("should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed", feature.NetworkPolicy, func(ctx context.Context) {
- // Getting podServer's status to get podServer's IP, to create the CIDR with except clause
protocols := []v1.Protocol{protocolTCP}
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+ // Getting podServer's status to get podServer's IP, to create the CIDR with except clause
podList, err := f.ClientSet.CoreV1().Pods(nsX).List(ctx, metav1.ListOptions{LabelSelector: "pod=b"})
framework.ExpectNoError(err, "Failing to find pod x/b")
podB := podList.Items[0]
})
f.It("should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector", feature.NetworkPolicy, func(ctx context.Context) {
+ protocols := []v1.Protocol{protocolTCP}
+ ports := []int32{80}
+ k8s = initializeResources(ctx, f, protocols, ports)
+ nsX, _, _ := getK8sNamespaces(k8s)
+
/*
Test steps:
1. Verify every pod in every namespace can talk to each other
allowEgressPolicy := GenNetworkPolicyWithNameAndPodSelector("allow-egress-for-target",
metav1.LabelSelector{MatchLabels: targetLabels}, SetSpecEgressRules(networkingv1.NetworkPolicyEgressRule{}))
- protocols := []v1.Protocol{protocolTCP}
- ports := []int32{80}
- k8s = initializeResources(ctx, f, protocols, ports)
- nsX, _, _ := getK8sNamespaces(k8s)
CreatePolicy(ctx, k8s, allowEgressPolicy, nsX)
allowEgressReachability := NewReachability(k8s.AllPodStrings(), true)
// security hole if you fail this test, because you are allowing TCP
// traffic that is supposed to be blocked.
f.It("should properly isolate pods that are selected by a policy allowing SCTP, even if the plugin doesn't support SCTP", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network policy for the server which allows traffic only via SCTP on port 80.")
- ingressRule := networkingv1.NetworkPolicyIngressRule{}
- ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolSCTP})
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network policy for the server which allows traffic only via SCTP on port 80.")
+ ingressRule := networkingv1.NetworkPolicyIngressRule{}
+ ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 80}, Protocol: &protocolSCTP})
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-sctp-ingress-on-port-80", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
CreatePolicy(ctx, k8s, policy, nsX)
ginkgo.By("Trying to connect to TCP port 81, which should be blocked by implicit isolation.")
})
f.It("should not allow access by TCP when a policy specifies only UDP", feature.NetworkPolicy, func(ctx context.Context) {
- ingressRule := networkingv1.NetworkPolicyIngressRule{}
- ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP})
- policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
protocols := []v1.Protocol{protocolTCP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
+ ingressRule := networkingv1.NetworkPolicyIngressRule{}
+ ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP})
+ policy := GenNetworkPolicyWithNameAndPodMatchLabel("allow-only-udp-ingress-on-port-81", map[string]string{"pod": "a"}, SetSpecIngressRules(ingressRule))
CreatePolicy(ctx, k8s, policy, nsX)
ginkgo.By("Creating a network policy for the server which allows traffic only via UDP on port 81.")
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
v1.LabelMetadataName: nsY,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchExpressions: []metav1.LabelSelectorRequirement{{
Key: v1.LabelMetadataName,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
CreatePolicy(ctx, k8s, policy, nsX)
})
f.It("should enforce policy based on Ports", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network policy allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
protocols := []v1.Protocol{protocolUDP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network policy allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
},
}
-
ingressRule := networkingv1.NetworkPolicyIngressRule{}
ingressRule.From = append(ingressRule.From, networkingv1.NetworkPolicyPeer{NamespaceSelector: allowedLabels})
ingressRule.Ports = append(ingressRule.Ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: 81}, Protocol: &protocolUDP})
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, _, _ := getK8sNamespaces(k8s)
+
policy := GenNetworkPolicyWithNameAndPodSelector("deny-all", metav1.LabelSelector{}, SetSpecIngressRules())
CreatePolicy(ctx, k8s, policy, nsX)
})
f.It("should enforce policy based on Ports", feature.NetworkPolicy, func(ctx context.Context) {
- ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
protocols := []v1.Protocol{protocolSCTP}
ports := []int32{81}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, nsZ := getK8sNamespaces(k8s)
+
+ ginkgo.By("Creating a network allowPort81Policy which only allows allow listed namespaces (y) to connect on exactly one port (81)")
allowedLabels := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
ports := []int32{80}
k8s = initializeResources(ctx, f, protocols, ports)
nsX, nsY, _ := getK8sNamespaces(k8s)
+
allowedNamespaces := &metav1.LabelSelector{
MatchLabels: map[string]string{
namespaceLabelKey: nsY,
projects / 0xmirror / kubernetes.git / commitdiff