- func AddPodLabels(k8s *kubeManager, pod *Pod, newPodLabels map[string]string)
- func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool
- func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy
- func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
- func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
- func ProbePodToPodConnectivity(prober Prober, model *Model, testCase *TestCase)
- func ResetNamespaceLabels(k8s *kubeManager, ns string)
- func ResetPodLabels(k8s *kubeManager, pod *Pod)
- func UpdateNamespaceLabels(k8s *kubeManager, ns string, newNsLabel map[string]string)
- func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func ValidateOrFail(k8s *kubeManager, model *Model, testCase *TestCase)
- type Container
- type Model
- type Namespace
- type Peer
- type Pod
- type PodString
- type ProbeJob
- type ProbeJobResults
- type Prober
- type Reachability
- func (r *Reachability) AllowLoopback()
- func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
- func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
- func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
- func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
- func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
- func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
- func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
- type SetFunc
- func SetGenerateName(name string) SetFunc
- func SetObjectMetaLabel(targetLabels map[string]string) SetFunc
- func SetObjectMetaName(name string) SetFunc
- func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc
- func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc
- func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc
- func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc
- type TestCase
- type TruthTable
- func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
- func (tt *TruthTable) Get(from string, to string) bool
- func (tt *TruthTable) IsComplete() bool
- func (tt *TruthTable) PrettyPrint(indent string) string
- func (tt *TruthTable) Set(from string, to string, value bool)
- func (tt *TruthTable) SetAllFrom(from string, value bool)
- func (tt *TruthTable) SetAllTo(to string, value bool)
Functions ¶
func AddPodLabels ¶
AddPodLabels adds the labels in newPodLabels to the pod template of the deployment that backs pod.
func CheckSCTPModuleLoadedOnNodes ¶
CheckSCTPModuleLoadedOnNodes checks whether any node in the list has the sctp.ko kernel module loaded and returns true if one does. The test suite requires that merely creating an SCTP Pod, Service or NetworkPolicy must not cause the sctp kernel module to be loaded on any node: a kernel module being pulled in as a side effect of an ordinary, unprivileged API object would expand the node's kernel attack surface, and it would also break clusters that rely on userspace SCTP implementations. Callers therefore compare this result before and after creating the SCTP objects; a node on which the module has appeared is a failure.
func CreatePolicy ¶
func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
CreatePolicy creates a policy in the given namespace
func GenNetworkPolicy ¶ added in v1.22.0
func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodMatchLabel ¶ added in v1.22.0
func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodSelector ¶ added in v1.22.0
func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func ProbePodToPodConnectivity ¶
ProbePodToPodConnectivity runs a connectivity probe for each ordered pod pair in the model, using the port and protocol from testCase, and records each observation in `testCase.Reachability`.
func ResetNamespaceLabels ¶
func ResetNamespaceLabels(k8s *kubeManager, ns string)
ResetNamespaceLabels resets the labels for a namespace
func ResetPodLabels ¶
func ResetPodLabels(k8s *kubeManager, pod *Pod)
ResetPodLabels resets the labels for a deployment's template
func UpdateNamespaceLabels ¶
UpdateNamespaceLabels sets the labels for a namespace
func UpdatePolicy ¶
func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
UpdatePolicy updates a networkpolicy
func ValidateOrFail ¶
ValidateOrFail probes pod-to-pod connectivity for testCase across the model and fails the test if the observed reachability does not match the expectations recorded in testCase.Reachability.
Types ¶
type Container ¶
Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details
type Model ¶
type Model struct { Namespaces []*Namespace // the raw data NamespaceNames []string PodNames []string Ports []int32 Protocols []v1.Protocol DNSDomain string // contains filtered or unexported fields }
Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth
func NewModel ¶
func NewModel(namespaces []string, podNames []string, ports []int32, protocols []v1.Protocol, dnsDomain string) *Model
NewModel instantiates a model based on: - namespaces - pods - ports to listen on - protocols to listen on The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.
func NewWindowsModel ¶ added in v1.22.0
func NewWindowsModel(namespaces []string, podNames []string, ports []int32, dnsDomain string) *Model
NewWindowsModel returns a model specific to windows testing.
func (*Model) AllPodStrings ¶
AllPodStrings returns a slice of all pod strings
func (*Model) GetProbeTimeoutSeconds ¶ added in v1.22.0
GetProbeTimeoutSeconds returns how long, in seconds, a single probe may run before the check is treated as failed. The value takes Windows into account, where requests can sometimes take longer.
func (*Model) GetWorkers ¶ added in v1.22.0
GetWorkers returns the suggested number of concurrent probe workers, taking into account that parallel probing is flakier on Windows.
func (*Model) NewReachability ¶
func (m *Model) NewReachability() *Reachability
NewReachability instantiates a Reachability over the model's pods whose expectations default to true (connected) for every pod pair. Test cases must explicitly mark the pairs a policy is expected to block (via Expect, ExpectPeer, ExpectAllIngress or ExpectAllEgress); if they do not, a policy that is not enforced at all will still satisfy the default-true expectations and the test will pass.
type Namespace ¶
Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details
func (*Namespace) LabelSelector ¶
LabelSelector returns the default labels that should be placed on a namespace in order for it to be uniquely selectable by label selectors
type Peer ¶
Peer is used for matching pods by either or both of the pod's namespace and name.
type Pod ¶
Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details
func (*Pod) ContainerSpecs ¶
ContainerSpecs builds kubernetes container specs for the pod
func (*Pod) KubePod ¶
KubePod returns the kube pod (will add label selectors for windows if needed).
func (*Pod) LabelSelector ¶
LabelSelector returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors
func (*Pod) QualifiedServiceAddress ¶
QualifiedServiceAddress returns the DNS-qualified address of the pod's service, i.e. one that can be used to reach the service from any namespace in the cluster (contrast with ServiceName, which returns only the unqualified name).
func (*Pod) ServiceName ¶
ServiceName returns the unqualified service name
type PodString ¶
type PodString string
PodString represents a namespace 'x' + pod 'a' as "x/a".
func NewPodString ¶
NewPodString instantiates a PodString from the given namespace and name.
type ProbeJob ¶
type ProbeJob struct { PodFrom *Pod PodTo *Pod ToPort int ToPodDNSDomain string Protocol v1.Protocol }
ProbeJob packages the data for the input of a pod->pod connectivity probe
type ProbeJobResults ¶
ProbeJobResults packages the data for the results of a pod->pod connectivity probe
type Prober ¶ added in v1.22.0
type Prober interface {
// contains filtered or unexported methods
}
Prober abstracts the execution of pod-to-pod connectivity probes so that the reachability logic is decoupled from k8smanager.go.
type Reachability ¶
type Reachability struct { Expected *TruthTable Observed *TruthTable Pods []*Pod }
Reachability packages the data for a cluster-wide connectivity probe
func NewReachability ¶
func NewReachability(pods []*Pod, defaultExpectation bool) *Reachability
NewReachability instantiates a reachability
func (*Reachability) AllowLoopback ¶
func (r *Reachability) AllowLoopback()
AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other expectations, because a pod's traffic to itself is not governed by NetworkPolicy and calling it earlier would let a later ExpectAll*/ExpectPeer call override the loopback entries.
func (*Reachability) Expect ¶
func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
Expect sets the expected value for a single observation
func (*Reachability) ExpectAllEgress ¶
func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)
func (*Reachability) ExpectAllIngress ¶
func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)
func (*Reachability) ExpectPeer ¶
func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
ExpectPeer sets expected values using Peer matchers
func (*Reachability) Observe ¶
func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
Observe records a single connectivity observation
func (*Reachability) PrintSummary ¶
func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
PrintSummary prints the summary
func (*Reachability) Summary ¶
func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
Summary summarises the expected and observed data: it returns the number of observations that matched expectations (trueObs), the number that did not (falseObs), the number ignored (ignoredObs; loopback pairs when ignoreLoopback is set), and a TruthTable comparing expected against observed for each pod pair.
type SetFunc ¶ added in v1.22.0
type SetFunc func(policy *networkingv1.NetworkPolicy)
func SetGenerateName ¶ added in v1.22.0
func SetObjectMetaLabel ¶ added in v1.22.0
func SetObjectMetaName ¶ added in v1.22.0
func SetSpecEgressRules ¶ added in v1.22.0
func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc
func SetSpecIngressRules ¶ added in v1.22.0
func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc
func SetSpecPodSelector ¶ added in v1.22.0
func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc
func SetSpecPodSelectorMatchLabels ¶ added in v1.22.0
type TestCase ¶
type TestCase struct { ToPort int Protocol v1.Protocol Reachability *Reachability }
TestCase describes the data for a netpol test
type TruthTable ¶
type TruthTable struct { Froms []string Tos []string Values map[string]map[string]bool // contains filtered or unexported fields }
TruthTable maintains a table of booleans indexed by an ordered (from, to) pair; when constructed from n items (NewTruthTableFromItems) it is an n x n table, and with separate froms and tos (NewTruthTable) it is len(froms) x len(tos).
func NewTruthTable ¶
func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable
NewTruthTable creates a new truth table with froms and tos
func NewTruthTableFromItems ¶
func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable
NewTruthTableFromItems creates a new truth table with items
func (*TruthTable) Compare ¶
func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
Compare checks two truth tables against each other cell by cell and returns the result as a third truth table. Both tables must have identical froms and tos.
func (*TruthTable) Get ¶
func (tt *TruthTable) Get(from string, to string) bool
Get gets the specified value
func (*TruthTable) IsComplete ¶
func (tt *TruthTable) IsComplete() bool
IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.
func (*TruthTable) PrettyPrint ¶
func (tt *TruthTable) PrettyPrint(indent string) string
PrettyPrint produces a nice visual representation.
func (*TruthTable) Set ¶
func (tt *TruthTable) Set(from string, to string, value bool)
Set sets the value for from->to
func (*TruthTable) SetAllFrom ¶
func (tt *TruthTable) SetAllFrom(from string, value bool)
SetAllFrom sets all values where from = 'from'
func (*TruthTable) SetAllTo ¶
func (tt *TruthTable) SetAllTo(to string, value bool)
SetAllTo sets all values where to = 'to'