scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-03 19:58:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #97638 from knabben/netpol-egress-func

Browse Source 
Moving egress deny with DNS to a policy function
This commit is contained in:
Kubernetes Prow Robot
2021-01-13 04:18:35 -08:00
committed by GitHub
parent 69a8bb7f34 d378fca35a
commit f6e04cd3ad
2 changed files with 27 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
test/e2e/network/netpol/network_policy.go
View File

@@ -18,7 +18,6 @@ package netpol
import ( import (
"context" "context"
"encoding/json"
"fmt" "fmt"
"time" "time"
@@ -159,39 +158,9 @@ var _ = SIGDescribeCopy("Netpol [LinuxOnly]", func() {
}) })
ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() { ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
np := &networkingv1.NetworkPolicy{} policy := GetDenyAllWithEgressDNS()
policy := `
{
"kind": "NetworkPolicy",
"apiVersion": "networking.k8s.io/v1",
"metadata": {
"name": "deny-all-tcp-allow-dns"
},
"spec": {
"podSelector": {
"matchLabels": {}
},
"ingress": [],
"egress": [{
"ports": [
{
"protocol": "UDP",
"port": 53
}
]
}],
"policyTypes": [
"Ingress",
"Egress"
]
}
}
`
err := json.Unmarshal([]byte(policy), np)
framework.ExpectNoError(err, "unmarshal network policy")
nsX, _, _, model, k8s := getK8SModel(f) nsX, _, _, model, k8s := getK8SModel(f)
CreatePolicy(k8s, np, nsX) CreatePolicy(k8s, policy, nsX)
reachability := NewReachability(model.AllPods(), true) reachability := NewReachability(model.AllPods(), true)
reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false) reachability.ExpectPeer(&Peer{}, &Peer{Namespace: nsX}, false)

25
test/e2e/network/netpol/policies.go
View File

@@ -157,6 +157,31 @@ func GetDenyAll(name string) *networkingv1.NetworkPolicy {
return policy return policy
} }
// GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port
func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy {
protocolUDP := v1.ProtocolUDP
return &networkingv1.NetworkPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "deny-all-tcp-allow-dns",
},
Spec: networkingv1.NetworkPolicySpec{
PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress},
PodSelector: metav1.LabelSelector{},
Ingress: []networkingv1.NetworkPolicyIngressRule{},
Egress: []networkingv1.NetworkPolicyEgressRule{
{
Ports: []networkingv1.NetworkPolicyPort{
{
Protocol: &protocolUDP,
Port: &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
},
},
},
},
},
}
}
// GetAllowIngressByPod allows ingress by pod labels // GetAllowIngressByPod allows ingress by pod labels
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy { func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy {
policy := &networkingv1.NetworkPolicy{ policy := &networkingv1.NetworkPolicy{