Documentation
¶
Overview ¶
Copyright 2023- IBM Inc. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ANPConnectivityFromParsedResourcesTest = []ParsedResourcesTest{ { Name: "egress port number protocol unspecified", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allButTCP80, }, { Src: "x/b", Dst: "x/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Egress: egressRuleDenyPorts80, }, }, }), }, { Name: "ingress port number protocol unspecified", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test2_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "x/a", ExpResult: allButTCP80, }, { Src: "x/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods2, }, }, Ports: ports80, }, }, }, }, }), }, { Name: "ingress named port", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test3_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "x/a", ExpResult: allButTCP80, }, { Src: "y/b", Dst: "x/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods2, }, }, Ports: &([]v1alpha1.AdminNetworkPolicyPort{ { NamedPort: &serve80tcp, }, }), }, }, }, }, }), }, { Name: "ingress same labels port range", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test4_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/c", Dst: "x/a", ExpResult: allButTCP80A81, }, { Src: "y/c", Dst: "z/b", ExpResult: allConnsStr, }, }, Resources: initResources(&podInfo{namespaces: []string{"x", "y", "z"}, podNames: []string{"a", "b", "c"}, ports: []int32{80, 81}, protocols: []v1.Protocol{v1.ProtocolTCP, v1.ProtocolUDP}}), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, Ports: portsTCP8081, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: &v1alpha1.NamespacedPod{ NamespaceSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "x"}, }, PodSelector: metav1.LabelSelector{}, }, }, }, }, }, }, }, }), }, { Name: "not same labels", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test5_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "y/a", Dst: "x/a", ExpResult: allButUDP80, }, { Src: "y/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: &v1alpha1.NamespacedPod{ NamespaceSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "y"}, }, PodSelector: metav1.LabelSelector{}, }, }, }, Ports: portsUDP80, }, }, }, }, }), }, { Name: "ordering matters for overlapping rules (order #1)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test6_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "y/b", Dst: "x/a", ExpResult: allButUDP80, }, { Src: "y/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods3, }, }, Ports: portsUDP80, }, { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: &v1alpha1.NamespacedPod{ NamespaceSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "y"}, }, PodSelector: metav1.LabelSelector{}, }, }, }, Ports: portsUDP80, }, }, }, }, }), }, { Name: "ordering matters for overlapping rules (order #2)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test7_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "y/a", Dst: "x/a", ExpResult: allButUDP80, }, { Src: "y/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: &v1alpha1.NamespacedPod{ NamespaceSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "y"}, }, PodSelector: metav1.LabelSelector{}, }, }, }, Ports: portsUDP80, }, { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods3, }, }, Ports: portsUDP80, }, }, }, }, }), }, { Name: "deny all egress", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test8_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "y/a", ExpResult: allButTCP80A81UDP80A81, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: anp1, }, }), }, { Name: "multiple ANPs (priority order #1)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test9_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 99, Subject: allNamespacesSubject, Egress: egressRuleAllowPortsTCPUDP8081, }, }, { Spec: anp1, }, }), }, { Name: "multiple ANPs (priority order #2)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test10_anp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allButTCP80A81UDP80A81, }, { Src: "0.0.0.0/0", Dst: "x/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 101, Subject: allNamespacesSubject, Egress: egressRuleAllowPortsTCPUDP8081, }, }, { Spec: anp1, }, }), }, { Name: "ANP with unmatched ingress and egress connection #1", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: noConns, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: egressRulesAllowToXOnlyTCP80, Ingress: ingressRulesAllowFromYOnlyUDP80, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #2", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test2_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXTCP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowFromYUDP80}, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #4", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test4_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleDenyToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowFromYUDP80}, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #6", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test6_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleDenyFromYUDP80}, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #7", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test7_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: connTCP80A81, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 15, Subject: subjectNsY, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXTCP8081, egressRuleDenyAllToX}, }, }, { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 4, Subject: subjectNsX, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowFromYUDP80}, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #13", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test13_anp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: noConns, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassToXTCP80, egressRuleDenyAllToX}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRulePassFromYUDP80, ingressRuleDenyAllFromY}, }, }, }), }, { Name: "ANP allow specific port - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_anp_allow_specific_port_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: anpAllowSpecificPort, }, }), }, { Name: "ANP deny specific port - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_anp_deny_specific_port_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: anpDenySpecificPort, }, }), }, } BANPConnectivityFromParsedResourcesTest = []ParsedResourcesTest{ { Name: "egress", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_banp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: noConns, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: anpSubject, Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, To: []v1alpha1.AdminNetworkPolicyEgressPeer{ { Pods: pods5, }, }, }, }, }, }), }, { Name: "ingress", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test2_banp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: anpSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods5, }, }, }, }, }, }), }, { Name: "ordering matters for overlapping rules (order #1)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test3_banp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: noConns, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo2), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: allNamespacesSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods4, }, }, }, { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, }, }, }), }, { Name: "ordering matters for overlapping rules (order #2)", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test4_banp_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: noConns, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo2), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: allNamespacesSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Pods: pods4, }, }, }, }, }, }), }, { Name: "banp allow specific port - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_banp_allow_specific_port_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), Banp: banpAllowSpecificPort, }, { Name: "banp deny specific port - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_banp_deny_specific_port_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allButTCP80, }, }, Resources: initResources(podInfo1), Banp: banpDenySpecificPort, }, } ANPWithNetPolV1FromParsedResourcesTest = []ParsedResourcesTest{ { Name: "ANP allow all over NetPol", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_anp_npv1_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "x/a", ExpResult: connTCP80A81UDP80A81, }, { Src: "x/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), NpList: initNpList([]*netv1.NetworkPolicy{ { ObjectMeta: metav1.ObjectMeta{ Namespace: "x", Name: "base", }, Spec: netv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"pod": "a"}, }, Ingress: []netv1.NetworkPolicyIngressRule{ { Ports: []netv1.NetworkPolicyPort{ { Protocol: &udp, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, }, }, }, }, PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress}, }, }, }), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 99, Subject: allNamespacesSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, Ports: portsTCPUDP8081, }, }, }, }, }), }, { Name: "ANP allow some over NetPol", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test2_anp_npv1_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "x/a", ExpResult: connTCP80A81UDP80A81, }, { Src: "x/b", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), NpList: initNpList([]*netv1.NetworkPolicy{ { ObjectMeta: metav1.ObjectMeta{ Namespace: "x", Name: "base", }, Spec: netv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"pod": "a"}, }, Ingress: []netv1.NetworkPolicyIngressRule{ { Ports: []netv1.NetworkPolicyPort{ { Protocol: &udp, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, }, }, }, }, PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress}, }, }, }), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 99, Subject: allNamespacesSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "x"}, }, }, }, Ports: portsTCPUDP8081, }, }, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #8", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test8_anp_np_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "y/a", ExpResult: noConns, }, { Src: "y/b", Dst: "x/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), NpList: initNpList([]*netv1.NetworkPolicy{ { ObjectMeta: metav1.ObjectMeta{ Namespace: "x", Name: "base", }, Spec: netv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress}, }, }, }), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 15, Subject: subjectNsY, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowAllFromX}, }, }, }), }, } BANPWithNetPolV1FromParsedResourcesTest = []ParsedResourcesTest{ { Name: "BANP deny all after NetPol", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_banp_npv1_conn_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/b", Dst: "x/a", ExpResult: connUDP80, }, { Src: "0.0.0.0/0", Dst: "x/a", ExpResult: noConns, }, }, Resources: initResources(&podInfo{namespaces: []string{"x"}, podNames: []string{"a", "b"}, ports: []int32{80, 81}, protocols: []v1.Protocol{v1.ProtocolTCP, v1.ProtocolUDP}}), NpList: initNpList([]*netv1.NetworkPolicy{ { ObjectMeta: metav1.ObjectMeta{ Namespace: "x", Name: "base", }, Spec: netv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{ MatchLabels: map[string]string{"pod": "a"}, }, Ingress: []netv1.NetworkPolicyIngressRule{ { From: []netv1.NetworkPolicyPeer{ { PodSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{"pod": "b"}, }, }, }, Ports: []netv1.NetworkPolicyPort{ { Protocol: &udp, Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 80}, }, }, }, }, PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeIngress}, }, }, }), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: allNamespacesSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, }, }, }), }, } ANPWithBANPFromParsedResourcesTest = []ParsedResourcesTest{ { Name: "BANP deny all after ANP", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test1_anp_banp_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: noConns, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "x"}, }, }, }, Ports: portsUDP80, }, }, }, }, }), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: allNamespacesSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, }, }, }), }, { Name: "ANP pass some and allow rest over BANP", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test2_anp_banp_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "0.0.0.0/0", Dst: "y/a", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: anpSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionPass, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{ MatchLabels: map[string]string{"ns": "x"}, }, }, }, Ports: portsUDP80, }, }, }, }, { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: 101, Subject: allNamespacesSubject, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, }, }, }, }), Banp: initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ Subject: allNamespacesSubject, Ingress: []v1alpha1.BaselineAdminNetworkPolicyIngressRule{ { Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, From: []v1alpha1.AdminNetworkPolicyIngressPeer{ { Namespaces: &metav1.LabelSelector{}, }, }, }, }, }, }), }, { Name: "ANP with unmatched ingress and egress connection #3", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: connUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowFromYUDP80}, }, }, }), Banp: banpDenyAllFromY, }, { Name: "ANP with unmatched ingress and egress connection #5", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test5_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: noConns, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRulePassFromYUDP80}, }, }, }), Banp: banpDenyAllFromY, }, { Name: "ANP with unmatched ingress and egress connection #11", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test11_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleDenyFromYUDP80}, }, }, }), Banp: banpAllowAllFromY, }, { Name: "ANP with unmatched ingress and egress connection #12", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test12_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleDenyToXUDP80}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRulePassFromYUDP80}, }, }, }), Banp: banpAllowAllFromY, }, { Name: "ANP with unmatched ingress and egress connection #14", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassToXTCP80, egressRuleAllowAllToX}, Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRulePassFromYUDP80, ingressRuleAllowAllFromY}, }, }, }), Banp: banpDenyAllFromY, }, { Name: "ANP with unmatched ingress and egress connection #9", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test9_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "y/b", ExpResult: allConnsStr, }, { Src: "y/a", Dst: "x/b", ExpResult: noConns, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: subjectNsY, Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassAllToX}, }, }, }), Banp: banpDenyAllToX, }, { Name: "ANP and BANP allow specific ports - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_anp_banp_allow_specific_ports_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allConnsStr, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: anpAllowSpecificPort, }, }), Banp: banpAllowSpecificPort, }, { Name: "ANP and BANP deny specific ports - no other restrictions", OutputFormat: output.TextFormat, ExpectedOutputFileName: "test_anp_banp_deny_specific_ports_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ { Src: "x/a", Dst: "x/b", ExpResult: allButTCP80UDP80, }, }, Resources: initResources(podInfo1), AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ { Spec: anpDenySpecificPort, }, }), Banp: banpDenySpecificPort, }, } )
testing examples for K8S Network Policy API
Functions ¶
This section is empty.
Types ¶
type EvalAllowedConnTest ¶
type ParsedResourcesTest ¶
type ParsedResourcesTest struct {
Name string
OutputFormat string
ExpectedOutputFileName string
EvalTests []EvalAllowedConnTest
Resources *resources
AnpList []*v1alpha1.AdminNetworkPolicy
Banp *v1alpha1.BaselineAdminNetworkPolicy
NpList []*netv1.NetworkPolicy
TestInfo string
}
The following struct holds all test data needed for running a test from parsed resources and for verifying its results
func (*ParsedResourcesTest) GetK8sObjects ¶
func (test *ParsedResourcesTest) GetK8sObjects() []parser.K8sObject
Source Files
Click to show internal directories.
Click to hide internal directories.