Sākums Izpētīt Palīdzība
Pierakstīties
tzeneto
/
custom-kube-scheduler
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: a958e8cfaa
Atzari Tagi
custom-kube-...
/
kubernetes
/
test
/
e2e
/
network
/
network_policy.go

network_policy.go 69 KB
Vēsture Neapstrādāts

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package network
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	v1 "k8s.io/api/core/v1"
    23. 

  23. 	networkingv1 "k8s.io/api/networking/v1"
    24. 

  24. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    25. 

  25. 	"k8s.io/apimachinery/pkg/types"
    26. 

  26. 	"k8s.io/apimachinery/pkg/util/intstr"
    27. 

  27. 	"k8s.io/kubernetes/test/e2e/framework"
    28. 

  28. 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
    29. 

  29. 	e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
    30. 

  30. 	imageutils "k8s.io/kubernetes/test/utils/image"
    31. 

  31. 

  32. 	"fmt"
    33. 

  33. 

  34. 	"github.com/onsi/ginkgo"
    35. 

  35. )
    36. 

  36. 

  37. /*
    38. 

  38. The following Network Policy tests verify that policy object definitions
    39. 

  39. are correctly enforced by a networking plugin. It accomplishes this by launching
    40. 

  40. a simple netcat server, and two clients with different
    41. 

  41. attributes. Each test case creates a network policy which should only allow
    42. 

  42. connections from one of the clients. The test then asserts that the clients
    43. 

  43. failed or successfully connected as expected.
    44. 

  44. */
    45. 

  45. 

  46. var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() {
    47. 

  47. 	var service *v1.Service
    48. 

  48. 	var podServer *v1.Pod
    49. 

  49. 	var podServerLabelSelector string
    50. 

  50. 	f := framework.NewDefaultFramework("network-policy")
    51. 

  51. 

  52. 	ginkgo.BeforeEach(func() {
    53. 

  53. 		// Windows does not support network policies.
    54. 

  54. 		e2eskipper.SkipIfNodeOSDistroIs("windows")
    55. 

  55. 	})
    56. 

  56. 

  57. 	ginkgo.Context("NetworkPolicy between server and client", func() {
    58. 

  58. 		ginkgo.BeforeEach(func() {
    59. 

  59. 			ginkgo.By("Creating a simple server that serves on port 80 and 81.")
    60. 

  60. 			podServer, service = createServerPodAndService(f, f.Namespace, "server", []int{80, 81})
    61. 

  61. 

  62. 			ginkgo.By("Waiting for pod ready", func() {
    63. 

  63. 				err := f.WaitForPodReady(podServer.Name)
    64. 

  64. 				framework.ExpectNoError(err)
    65. 

  65. 			})
    66. 

  66. 

  67. 			// podServerLabelSelector holds the value for the podServer's label "pod-name".
    68. 

  68. 			podServerLabelSelector = podServer.ObjectMeta.Labels["pod-name"]
    69. 

  69. 

  70. 			// Create pods, which should be able to communicate with the server on port 80 and 81.
    71. 

  71. 			ginkgo.By("Testing pods can connect to both ports when no policy is present.")
    72. 

  72. 			testCanConnect(f, f.Namespace, "client-can-connect-80", service, 80)
    73. 

  73. 			testCanConnect(f, f.Namespace, "client-can-connect-81", service, 81)
    74. 

  74. 		})
    75. 

  75. 

  76. 		ginkgo.AfterEach(func() {
    77. 

  77. 			cleanupServerPodAndService(f, podServer, service)
    78. 

  78. 		})
    79. 

  79. 

  80. 		ginkgo.It("should support a 'default-deny' policy [Feature:NetworkPolicy]", func() {
    81. 

  81. 			policy := &networkingv1.NetworkPolicy{
    82. 

  82. 				ObjectMeta: metav1.ObjectMeta{
    83. 

  83. 					Name: "deny-all",
    84. 

  84. 				},
    85. 

  85. 				Spec: networkingv1.NetworkPolicySpec{
    86. 

  86. 					PodSelector: metav1.LabelSelector{},
    87. 

  87. 					Ingress:     []networkingv1.NetworkPolicyIngressRule{},
    88. 

  88. 				},
    89. 

  89. 			}
    90. 

  90. 

  91. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    92. 

  92. 			framework.ExpectNoError(err)
    93. 

  93. 			defer cleanupNetworkPolicy(f, policy)
    94. 

  94. 

  95. 			// Create a pod with name 'client-cannot-connect', which will attempt to communicate with the server,
    96. 

  96. 			// but should not be able to now that isolation is on.
    97. 

  97. 			testCannotConnect(f, f.Namespace, "client-cannot-connect", service, 80)
    98. 

  98. 		})
    99. 

  99. 

  100. 		ginkgo.It("should enforce policy to allow traffic from pods within server namespace based on PodSelector [Feature:NetworkPolicy]", func() {
    101. 

  101. 			nsA := f.Namespace
    102. 

  102. 			nsBName := f.BaseName + "-b"
    103. 

  103. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    104. 

  104. 				"ns-name": nsBName,
    105. 

  105. 			})
    106. 

  106. 			framework.ExpectNoError(err, "Error occurred while creating namespace-b.")
    107. 

  107. 

  108. 			// All communication should be possible before applying the policy.
    109. 

  109. 			ginkgo.By("Creating client-a, in server's namespace, which should be able to contact the server.", func() {
    110. 

  110. 				testCanConnect(f, nsA, "client-a", service, 80)
    111. 

  111. 			})
    112. 

  112. 			ginkgo.By("Creating client-b, in server's namespace, which should be able to contact the server.", func() {
    113. 

  113. 				testCanConnect(f, nsA, "client-b", service, 80)
    114. 

  114. 			})
    115. 

  115. 			ginkgo.By("Creating client-a, not in server's namespace, which should be able to contact the server.", func() {
    116. 

  116. 				testCanConnect(f, nsB, "client-a", service, 80)
    117. 

  117. 			})
    118. 

  118. 

  119. 			ginkgo.By("Creating a network policy for the server which allows traffic from the pod 'client-a' in same namespace.")
    120. 

  120. 			policy := &networkingv1.NetworkPolicy{
    121. 

  121. 				ObjectMeta: metav1.ObjectMeta{
    122. 

  122. 					Name: "allow-client-a-via-pod-selector",
    123. 

  123. 				},
    124. 

  124. 				Spec: networkingv1.NetworkPolicySpec{
    125. 

  125. 					// Apply this policy to the Server
    126. 

  126. 					PodSelector: metav1.LabelSelector{
    127. 

  127. 						MatchLabels: map[string]string{
    128. 

  128. 							"pod-name": podServerLabelSelector,
    129. 

  129. 						},
    130. 

  130. 					},
    131. 

  131. 					// Allow traffic only from client-a
    132. 

  132. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    133. 

  133. 						From: []networkingv1.NetworkPolicyPeer{{
    134. 

  134. 							PodSelector: &metav1.LabelSelector{
    135. 

  135. 								MatchLabels: map[string]string{
    136. 

  136. 									"pod-name": "client-a",
    137. 

  137. 								},
    138. 

  138. 							},
    139. 

  139. 						}},
    140. 

  140. 					}},
    141. 

  141. 				},
    142. 

  142. 			}
    143. 

  143. 

  144. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    145. 

  145. 			framework.ExpectNoError(err)
    146. 

  146. 			defer cleanupNetworkPolicy(f, policy)
    147. 

  147. 

  148. 			ginkgo.By("Creating client-a, in server's namespace, which should be able to contact the server.", func() {
    149. 

  149. 				testCanConnect(f, nsA, "client-a", service, 80)
    150. 

  150. 			})
    151. 

  151. 			ginkgo.By("Creating client-b, in server's namespace, which should not be able to contact the server.", func() {
    152. 

  152. 				testCannotConnect(f, nsA, "client-b", service, 80)
    153. 

  153. 			})
    154. 

  154. 			ginkgo.By("Creating client-a, not in server's namespace, which should not be able to contact the server.", func() {
    155. 

  155. 				testCannotConnect(f, nsB, "client-a", service, 80)
    156. 

  156. 			})
    157. 

  157. 		})
    158. 

  158. 

  159. 		ginkgo.It("should enforce policy to allow traffic only from a different namespace, based on NamespaceSelector [Feature:NetworkPolicy]", func() {
    160. 

  160. 			nsA := f.Namespace
    161. 

  161. 			nsBName := f.BaseName + "-b"
    162. 

  162. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    163. 

  163. 				"ns-name": nsBName,
    164. 

  164. 			})
    165. 

  165. 			framework.ExpectNoError(err)
    166. 

  166. 

  167. 			// Create Server with Service in NS-B
    168. 

  168. 			framework.Logf("Waiting for server to come up.")
    169. 

  169. 			err = e2epod.WaitForPodRunningInNamespace(f.ClientSet, podServer)
    170. 

  170. 			framework.ExpectNoError(err)
    171. 

  171. 

  172. 			// Create Policy for that service that allows traffic only via namespace B
    173. 

  173. 			ginkgo.By("Creating a network policy for the server which allows traffic from namespace-b.")
    174. 

  174. 			policy := &networkingv1.NetworkPolicy{
    175. 

  175. 				ObjectMeta: metav1.ObjectMeta{
    176. 

  176. 					Name: "allow-ns-b-via-namespace-selector",
    177. 

  177. 				},
    178. 

  178. 				Spec: networkingv1.NetworkPolicySpec{
    179. 

  179. 					// Apply to server
    180. 

  180. 					PodSelector: metav1.LabelSelector{
    181. 

  181. 						MatchLabels: map[string]string{
    182. 

  182. 							"pod-name": podServerLabelSelector,
    183. 

  183. 						},
    184. 

  184. 					},
    185. 

  185. 					// Allow traffic only from NS-B
    186. 

  186. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    187. 

  187. 						From: []networkingv1.NetworkPolicyPeer{{
    188. 

  188. 							NamespaceSelector: &metav1.LabelSelector{
    189. 

  189. 								MatchLabels: map[string]string{
    190. 

  190. 									"ns-name": nsBName,
    191. 

  191. 								},
    192. 

  192. 							},
    193. 

  193. 						}},
    194. 

  194. 					}},
    195. 

  195. 				},
    196. 

  196. 			}
    197. 

  197. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(nsA.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    198. 

  198. 			framework.ExpectNoError(err)
    199. 

  199. 			defer cleanupNetworkPolicy(f, policy)
    200. 

  200. 

  201. 			testCannotConnect(f, nsA, "client-a", service, 80)
    202. 

  202. 			testCanConnect(f, nsB, "client-b", service, 80)
    203. 

  203. 		})
    204. 

  204. 

  205. 		ginkgo.It("should enforce policy based on PodSelector with MatchExpressions[Feature:NetworkPolicy]", func() {
    206. 

  206. 			ginkgo.By("Creating a network policy for the server which allows traffic from the pod 'client-a'.")
    207. 

  207. 			policy := &networkingv1.NetworkPolicy{
    208. 

  208. 				ObjectMeta: metav1.ObjectMeta{
    209. 

  209. 					Name: "allow-client-a-via-pod-selector-with-match-expressions",
    210. 

  210. 				},
    211. 

  211. 				Spec: networkingv1.NetworkPolicySpec{
    212. 

  212. 					PodSelector: metav1.LabelSelector{
    213. 

  213. 						MatchLabels: map[string]string{
    214. 

  214. 							"pod-name": podServerLabelSelector,
    215. 

  215. 						},
    216. 

  216. 					},
    217. 

  217. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    218. 

  218. 						From: []networkingv1.NetworkPolicyPeer{{
    219. 

  219. 							PodSelector: &metav1.LabelSelector{
    220. 

  220. 								MatchExpressions: []metav1.LabelSelectorRequirement{{
    221. 

  221. 									Key:      "pod-name",
    222. 

  222. 									Operator: metav1.LabelSelectorOpIn,
    223. 

  223. 									Values:   []string{"client-a"},
    224. 

  224. 								}},
    225. 

  225. 							},
    226. 

  226. 						}},
    227. 

  227. 					}},
    228. 

  228. 				},
    229. 

  229. 			}
    230. 

  230. 

  231. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    232. 

  232. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    233. 

  233. 			defer cleanupNetworkPolicy(f, policy)
    234. 

  234. 

  235. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    236. 

  236. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    237. 

  237. 			})
    238. 

  238. 			ginkgo.By("Creating client-b which should not be able to contact the server.", func() {
    239. 

  239. 				testCannotConnect(f, f.Namespace, "client-b", service, 80)
    240. 

  240. 			})
    241. 

  241. 		})
    242. 

  242. 

  243. 		ginkgo.It("should enforce policy based on NamespaceSelector with MatchExpressions[Feature:NetworkPolicy]", func() {
    244. 

  244. 			nsA := f.Namespace
    245. 

  245. 			nsBName := f.BaseName + "-b"
    246. 

  246. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    247. 

  247. 				"ns-name": nsBName,
    248. 

  248. 			})
    249. 

  249. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsBName, err)
    250. 

  250. 

  251. 			nsCName := f.BaseName + "-c"
    252. 

  252. 			nsC, err := f.CreateNamespace(nsCName, map[string]string{
    253. 

  253. 				"ns-name": nsCName,
    254. 

  254. 			})
    255. 

  255. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsCName, err)
    256. 

  256. 

  257. 			// Create Policy for the server that allows traffic from namespace different than namespace-a
    258. 

  258. 			ginkgo.By("Creating a network policy for the server which allows traffic from ns different than namespace-a.")
    259. 

  259. 			policy := &networkingv1.NetworkPolicy{
    260. 

  260. 				ObjectMeta: metav1.ObjectMeta{
    261. 

  261. 					Name: "allow-any-ns-different-than-ns-a-via-ns-selector-with-match-expressions",
    262. 

  262. 				},
    263. 

  263. 				Spec: networkingv1.NetworkPolicySpec{
    264. 

  264. 					PodSelector: metav1.LabelSelector{
    265. 

  265. 						MatchLabels: map[string]string{
    266. 

  266. 							"pod-name": podServerLabelSelector,
    267. 

  267. 						},
    268. 

  268. 					},
    269. 

  269. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    270. 

  270. 						From: []networkingv1.NetworkPolicyPeer{{
    271. 

  271. 							NamespaceSelector: &metav1.LabelSelector{
    272. 

  272. 								MatchExpressions: []metav1.LabelSelectorRequirement{{
    273. 

  273. 									Key:      "ns-name",
    274. 

  274. 									Operator: metav1.LabelSelectorOpNotIn,
    275. 

  275. 									Values:   []string{nsCName},
    276. 

  276. 								}},
    277. 

  277. 							},
    278. 

  278. 						}},
    279. 

  279. 					}},
    280. 

  280. 				},
    281. 

  281. 			}
    282. 

  282. 

  283. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(nsA.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    284. 

  284. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    285. 

  285. 			defer cleanupNetworkPolicy(f, policy)
    286. 

  286. 

  287. 			testCannotConnect(f, nsC, "client-a", service, 80)
    288. 

  288. 			testCanConnect(f, nsB, "client-a", service, 80)
    289. 

  289. 		})
    290. 

  290. 

  291. 		ginkgo.It("should enforce policy based on PodSelector or NamespaceSelector [Feature:NetworkPolicy]", func() {
    292. 

  292. 			nsA := f.Namespace
    293. 

  293. 			nsBName := f.BaseName + "-b"
    294. 

  294. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    295. 

  295. 				"ns-name": nsBName,
    296. 

  296. 			})
    297. 

  297. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsBName, err)
    298. 

  298. 

  299. 			// Create Policy for the server that allows traffic only via client B or namespace B
    300. 

  300. 			ginkgo.By("Creating a network policy for the server which allows traffic from client-b or namespace-b.")
    301. 

  301. 			policy := &networkingv1.NetworkPolicy{
    302. 

  302. 				ObjectMeta: metav1.ObjectMeta{
    303. 

  303. 					Name: "allow-ns-b-via-namespace-selector-or-client-b-via-pod-selector",
    304. 

  304. 				},
    305. 

  305. 				Spec: networkingv1.NetworkPolicySpec{
    306. 

  306. 					PodSelector: metav1.LabelSelector{
    307. 

  307. 						MatchLabels: map[string]string{
    308. 

  308. 							"pod-name": podServerLabelSelector,
    309. 

  309. 						},
    310. 

  310. 					},
    311. 

  311. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    312. 

  312. 						From: []networkingv1.NetworkPolicyPeer{{
    313. 

  313. 							PodSelector: &metav1.LabelSelector{
    314. 

  314. 								MatchLabels: map[string]string{
    315. 

  315. 									"pod-name": "client-b",
    316. 

  316. 								},
    317. 

  317. 							},
    318. 

  318. 						}, {
    319. 

  319. 							NamespaceSelector: &metav1.LabelSelector{
    320. 

  320. 								MatchLabels: map[string]string{
    321. 

  321. 									"ns-name": nsBName,
    322. 

  322. 								},
    323. 

  323. 							},
    324. 

  324. 						}},
    325. 

  325. 					}},
    326. 

  326. 				},
    327. 

  327. 			}
    328. 

  328. 

  329. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(nsA.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    330. 

  330. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    331. 

  331. 			defer cleanupNetworkPolicy(f, policy)
    332. 

  332. 

  333. 			testCanConnect(f, nsB, "client-a", service, 80)
    334. 

  334. 			testCanConnect(f, nsA, "client-b", service, 80)
    335. 

  335. 			testCannotConnect(f, nsA, "client-c", service, 80)
    336. 

  336. 		})
    337. 

  337. 

  338. 		ginkgo.It("should enforce policy based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
    339. 

  339. 			nsA := f.Namespace
    340. 

  340. 			nsBName := f.BaseName + "-b"
    341. 

  341. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    342. 

  342. 				"ns-name": nsBName,
    343. 

  343. 			})
    344. 

  344. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsBName, err)
    345. 

  345. 

  346. 			// Create Policy for the server that allows traffic only via client-b in namespace B
    347. 

  347. 			ginkgo.By("Creating a network policy for the server which allows traffic from client-b in namespace-b.")
    348. 

  348. 			policy := &networkingv1.NetworkPolicy{
    349. 

  349. 				ObjectMeta: metav1.ObjectMeta{
    350. 

  350. 					Name: "allow-client-b-in-ns-b-via-ns-selector-and-pod-selector",
    351. 

  351. 				},
    352. 

  352. 				Spec: networkingv1.NetworkPolicySpec{
    353. 

  353. 					PodSelector: metav1.LabelSelector{
    354. 

  354. 						MatchLabels: map[string]string{
    355. 

  355. 							"pod-name": podServerLabelSelector,
    356. 

  356. 						},
    357. 

  357. 					},
    358. 

  358. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    359. 

  359. 						From: []networkingv1.NetworkPolicyPeer{{
    360. 

  360. 							PodSelector: &metav1.LabelSelector{
    361. 

  361. 								MatchLabels: map[string]string{
    362. 

  362. 									"pod-name": "client-b",
    363. 

  363. 								},
    364. 

  364. 							},
    365. 

  365. 							NamespaceSelector: &metav1.LabelSelector{
    366. 

  366. 								MatchLabels: map[string]string{
    367. 

  367. 									"ns-name": nsBName,
    368. 

  368. 								},
    369. 

  369. 							},
    370. 

  370. 						}},
    371. 

  371. 					}},
    372. 

  372. 				},
    373. 

  373. 			}
    374. 

  374. 

  375. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(nsA.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    376. 

  376. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    377. 

  377. 			defer cleanupNetworkPolicy(f, policy)
    378. 

  378. 

  379. 			testCannotConnect(f, nsB, "client-a", service, 80)
    380. 

  380. 			testCannotConnect(f, nsA, "client-b", service, 80)
    381. 

  381. 			testCanConnect(f, nsB, "client-b", service, 80)
    382. 

  382. 		})
    383. 

  383. 

  384. 		ginkgo.It("should enforce policy to allow traffic only from a pod in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
    385. 

  385. 			nsA := f.Namespace
    386. 

  386. 			nsBName := f.BaseName + "-b"
    387. 

  387. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    388. 

  388. 				"ns-name": nsBName,
    389. 

  389. 			})
    390. 

  390. 			framework.ExpectNoError(err, "Error occurred while creating namespace-b.")
    391. 

  391. 

  392. 			// Wait for Server in namespaces-a to be ready
    393. 

  393. 			framework.Logf("Waiting for server to come up.")
    394. 

  394. 			err = e2epod.WaitForPodRunningInNamespace(f.ClientSet, podServer)
    395. 

  395. 			framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Running.")
    396. 

  396. 

  397. 			// Before application of the policy, all communication should be successful.
    398. 

  398. 			ginkgo.By("Creating client-a, in server's namespace, which should be able to contact the server.", func() {
    399. 

  399. 				testCanConnect(f, nsA, "client-a", service, 80)
    400. 

  400. 			})
    401. 

  401. 			ginkgo.By("Creating client-b, in server's namespace, which should be able to contact the server.", func() {
    402. 

  402. 				testCanConnect(f, nsA, "client-b", service, 80)
    403. 

  403. 			})
    404. 

  404. 			ginkgo.By("Creating client-a, not in server's namespace, which should be able to contact the server.", func() {
    405. 

  405. 				testCanConnect(f, nsB, "client-a", service, 80)
    406. 

  406. 			})
    407. 

  407. 			ginkgo.By("Creating client-b, not in server's namespace, which should be able to contact the server.", func() {
    408. 

  408. 				testCanConnect(f, nsB, "client-b", service, 80)
    409. 

  409. 			})
    410. 

  410. 

  411. 			ginkgo.By("Creating a network policy for the server which allows traffic only from client-a in namespace-b.")
    412. 

  412. 			policy := &networkingv1.NetworkPolicy{
    413. 

  413. 				ObjectMeta: metav1.ObjectMeta{
    414. 

  414. 					Namespace: nsA.Name,
    415. 

  415. 					Name:      "allow-ns-b-client-a-via-namespace-pod-selector",
    416. 

  416. 				},
    417. 

  417. 				Spec: networkingv1.NetworkPolicySpec{
    418. 

  418. 					// Apply this policy to the Server
    419. 

  419. 					PodSelector: metav1.LabelSelector{
    420. 

  420. 						MatchLabels: map[string]string{
    421. 

  421. 							"pod-name": podServerLabelSelector,
    422. 

  422. 						},
    423. 

  423. 					},
    424. 

  424. 					// Allow traffic only from client-a in namespace-b
    425. 

  425. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    426. 

  426. 						From: []networkingv1.NetworkPolicyPeer{{
    427. 

  427. 							NamespaceSelector: &metav1.LabelSelector{
    428. 

  428. 								MatchLabels: map[string]string{
    429. 

  429. 									"ns-name": nsBName,
    430. 

  430. 								},
    431. 

  431. 							},
    432. 

  432. 							PodSelector: &metav1.LabelSelector{
    433. 

  433. 								MatchLabels: map[string]string{
    434. 

  434. 									"pod-name": "client-a",
    435. 

  435. 								},
    436. 

  436. 							},
    437. 

  437. 						}},
    438. 

  438. 					}},
    439. 

  439. 				},
    440. 

  440. 			}
    441. 

  441. 

  442. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    443. 

  443. 			framework.ExpectNoError(err, "Error occurred while creating policy: policy.")
    444. 

  444. 			defer cleanupNetworkPolicy(f, policy)
    445. 

  445. 

  446. 			ginkgo.By("Creating client-a, in server's namespace, which should not be able to contact the server.", func() {
    447. 

  447. 				testCannotConnect(f, nsA, "client-a", service, 80)
    448. 

  448. 			})
    449. 

  449. 			ginkgo.By("Creating client-b, in server's namespace, which should not be able to contact the server.", func() {
    450. 

  450. 				testCannotConnect(f, nsA, "client-b", service, 80)
    451. 

  451. 			})
    452. 

  452. 			ginkgo.By("Creating client-a, not in server's namespace, which should be able to contact the server.", func() {
    453. 

  453. 				testCanConnect(f, nsB, "client-a", service, 80)
    454. 

  454. 			})
    455. 

  455. 			ginkgo.By("Creating client-b, not in server's namespace, which should not be able to contact the server.", func() {
    456. 

  456. 				testCannotConnect(f, nsB, "client-b", service, 80)
    457. 

  457. 			})
    458. 

  458. 		})
    459. 

  459. 

  460. 		ginkgo.It("should enforce policy based on Ports [Feature:NetworkPolicy]", func() {
    461. 

  461. 			ginkgo.By("Creating a network policy for the Service which allows traffic only to one port.")
    462. 

  462. 			policy := &networkingv1.NetworkPolicy{
    463. 

  463. 				ObjectMeta: metav1.ObjectMeta{
    464. 

  464. 					Name: "allow-ingress-on-port-81",
    465. 

  465. 				},
    466. 

  466. 				Spec: networkingv1.NetworkPolicySpec{
    467. 

  467. 					// Apply to server
    468. 

  468. 					PodSelector: metav1.LabelSelector{
    469. 

  469. 						MatchLabels: map[string]string{
    470. 

  470. 							"pod-name": podServerLabelSelector,
    471. 

  471. 						},
    472. 

  472. 					},
    473. 

  473. 					// Allow traffic only to one port.
    474. 

  474. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    475. 

  475. 						Ports: []networkingv1.NetworkPolicyPort{{
    476. 

  476. 							Port: &intstr.IntOrString{IntVal: 81},
    477. 

  477. 						}},
    478. 

  478. 					}},
    479. 

  479. 				},
    480. 

  480. 			}
    481. 

  481. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    482. 

  482. 			framework.ExpectNoError(err)
    483. 

  483. 			defer cleanupNetworkPolicy(f, policy)
    484. 

  484. 

  485. 			ginkgo.By("Testing pods can connect only to the port allowed by the policy.")
    486. 

  486. 			testCannotConnect(f, f.Namespace, "client-a", service, 80)
    487. 

  487. 			testCanConnect(f, f.Namespace, "client-b", service, 81)
    488. 

  488. 		})
    489. 

  489. 

  490. 		ginkgo.It("should enforce multiple, stacked policies with overlapping podSelectors [Feature:NetworkPolicy]", func() {
    491. 

  491. 			ginkgo.By("Creating a network policy for the Service which allows traffic only to one port.")
    492. 

  492. 			policy := &networkingv1.NetworkPolicy{
    493. 

  493. 				ObjectMeta: metav1.ObjectMeta{
    494. 

  494. 					Name: "allow-ingress-on-port-80",
    495. 

  495. 				},
    496. 

  496. 				Spec: networkingv1.NetworkPolicySpec{
    497. 

  497. 					// Apply to server
    498. 

  498. 					PodSelector: metav1.LabelSelector{
    499. 

  499. 						MatchLabels: map[string]string{
    500. 

  500. 							"pod-name": podServerLabelSelector,
    501. 

  501. 						},
    502. 

  502. 					},
    503. 

  503. 					// Allow traffic only to one port.
    504. 

  504. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    505. 

  505. 						Ports: []networkingv1.NetworkPolicyPort{{
    506. 

  506. 							Port: &intstr.IntOrString{IntVal: 80},
    507. 

  507. 						}},
    508. 

  508. 					}},
    509. 

  509. 				},
    510. 

  510. 			}
    511. 

  511. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    512. 

  512. 			framework.ExpectNoError(err)
    513. 

  513. 			defer cleanupNetworkPolicy(f, policy)
    514. 

  514. 

  515. 			ginkgo.By("Creating a network policy for the Service which allows traffic only to another port.")
    516. 

  516. 			policy2 := &networkingv1.NetworkPolicy{
    517. 

  517. 				ObjectMeta: metav1.ObjectMeta{
    518. 

  518. 					Name: "allow-ingress-on-port-81",
    519. 

  519. 				},
    520. 

  520. 				Spec: networkingv1.NetworkPolicySpec{
    521. 

  521. 					// Apply to server
    522. 

  522. 					PodSelector: metav1.LabelSelector{
    523. 

  523. 						MatchLabels: map[string]string{
    524. 

  524. 							"pod-name": podServerLabelSelector,
    525. 

  525. 						},
    526. 

  526. 					},
    527. 

  527. 					// Allow traffic only to one port.
    528. 

  528. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    529. 

  529. 						Ports: []networkingv1.NetworkPolicyPort{{
    530. 

  530. 							Port: &intstr.IntOrString{IntVal: 81},
    531. 

  531. 						}},
    532. 

  532. 					}},
    533. 

  533. 				},
    534. 

  534. 			}
    535. 

  535. 			policy2, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy2, metav1.CreateOptions{})
    536. 

  536. 			framework.ExpectNoError(err)
    537. 

  537. 			defer cleanupNetworkPolicy(f, policy2)
    538. 

  538. 

  539. 			ginkgo.By("Testing pods can connect to both ports when both policies are present.")
    540. 

  540. 			testCanConnect(f, f.Namespace, "client-a", service, 80)
    541. 

  541. 			testCanConnect(f, f.Namespace, "client-b", service, 81)
    542. 

  542. 		})
    543. 

  543. 

  544. 		ginkgo.It("should support allow-all policy [Feature:NetworkPolicy]", func() {
    545. 

  545. 			ginkgo.By("Creating a network policy which allows all traffic.")
    546. 

  546. 			policy := &networkingv1.NetworkPolicy{
    547. 

  547. 				ObjectMeta: metav1.ObjectMeta{
    548. 

  548. 					Name: "allow-all",
    549. 

  549. 				},
    550. 

  550. 				Spec: networkingv1.NetworkPolicySpec{
    551. 

  551. 					// Allow all traffic
    552. 

  552. 					PodSelector: metav1.LabelSelector{
    553. 

  553. 						MatchLabels: map[string]string{},
    554. 

  554. 					},
    555. 

  555. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{}},
    556. 

  556. 				},
    557. 

  557. 			}
    558. 

  558. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    559. 

  559. 			framework.ExpectNoError(err)
    560. 

  560. 			defer cleanupNetworkPolicy(f, policy)
    561. 

  561. 

  562. 			ginkgo.By("Testing pods can connect to both ports when an 'allow-all' policy is present.")
    563. 

  563. 			testCanConnect(f, f.Namespace, "client-a", service, 80)
    564. 

  564. 			testCanConnect(f, f.Namespace, "client-b", service, 81)
    565. 

  565. 		})
    566. 

  566. 

  567. 		ginkgo.It("should allow ingress access on one named port [Feature:NetworkPolicy]", func() {
    568. 

  568. 			policy := &networkingv1.NetworkPolicy{
    569. 

  569. 				ObjectMeta: metav1.ObjectMeta{
    570. 

  570. 					Name: "allow-client-a-via-named-port-ingress-rule",
    571. 

  571. 				},
    572. 

  572. 				Spec: networkingv1.NetworkPolicySpec{
    573. 

  573. 					// Apply this policy to the Server
    574. 

  574. 					PodSelector: metav1.LabelSelector{
    575. 

  575. 						MatchLabels: map[string]string{
    576. 

  576. 							"pod-name": podServerLabelSelector,
    577. 

  577. 						},
    578. 

  578. 					},
    579. 

  579. 					// Allow traffic to only one named port: "serve-80".
    580. 

  580. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    581. 

  581. 						Ports: []networkingv1.NetworkPolicyPort{{
    582. 

  582. 							Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80"},
    583. 

  583. 						}},
    584. 

  584. 					}},
    585. 

  585. 				},
    586. 

  586. 			}
    587. 

  587. 

  588. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    589. 

  589. 			framework.ExpectNoError(err)
    590. 

  590. 			defer cleanupNetworkPolicy(f, policy)
    591. 

  591. 

  592. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    593. 

  593. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    594. 

  594. 			})
    595. 

  595. 			ginkgo.By("Creating client-b which should not be able to contact the server on port 81.", func() {
    596. 

  596. 				testCannotConnect(f, f.Namespace, "client-b", service, 81)
    597. 

  597. 			})
    598. 

  598. 		})
    599. 

  599. 

  600. 		ginkgo.It("should allow ingress access from namespace on one named port [Feature:NetworkPolicy]", func() {
    601. 

  601. 			nsBName := f.BaseName + "-b"
    602. 

  602. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    603. 

  603. 				"ns-name": nsBName,
    604. 

  604. 			})
    605. 

  605. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsBName, err)
    606. 

  606. 

  607. 			const allowedPort = 80
    608. 

  608. 			policy := &networkingv1.NetworkPolicy{
    609. 

  609. 				ObjectMeta: metav1.ObjectMeta{
    610. 

  610. 					Name: "allow-client-in-ns-b-via-named-port-ingress-rule",
    611. 

  611. 				},
    612. 

  612. 				Spec: networkingv1.NetworkPolicySpec{
    613. 

  613. 					// Apply this policy to the Server
    614. 

  614. 					PodSelector: metav1.LabelSelector{
    615. 

  615. 						MatchLabels: map[string]string{
    616. 

  616. 							"pod-name": podServerLabelSelector,
    617. 

  617. 						},
    618. 

  618. 					},
    619. 

  619. 					// Allow traffic to only one named port: "serve-80" from namespace-b.
    620. 

  620. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    621. 

  621. 						From: []networkingv1.NetworkPolicyPeer{{
    622. 

  622. 							NamespaceSelector: &metav1.LabelSelector{
    623. 

  623. 								MatchLabels: map[string]string{
    624. 

  624. 									"ns-name": nsBName,
    625. 

  625. 								},
    626. 

  626. 							},
    627. 

  627. 						}},
    628. 

  628. 						Ports: []networkingv1.NetworkPolicyPort{{
    629. 

  629. 							Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80"},
    630. 

  630. 						}},
    631. 

  631. 					}},
    632. 

  632. 				},
    633. 

  633. 			}
    634. 

  634. 

  635. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    636. 

  636. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    637. 

  637. 			defer cleanupNetworkPolicy(f, policy)
    638. 

  638. 

  639. 			testCannotConnect(f, f.Namespace, "client-a", service, allowedPort)
    640. 

  640. 			testCanConnect(f, nsB, "client-b", service, allowedPort)
    641. 

  641. 		})
    642. 

  642. 

  643. 		ginkgo.It("should allow egress access on one named port [Feature:NetworkPolicy]", func() {
    644. 

  644. 			clientPodName := "client-a"
    645. 

  645. 			protocolUDP := v1.ProtocolUDP
    646. 

  646. 			policy := &networkingv1.NetworkPolicy{
    647. 

  647. 				ObjectMeta: metav1.ObjectMeta{
    648. 

  648. 					Name: "allow-client-a-via-named-port-egress-rule",
    649. 

  649. 				},
    650. 

  650. 				Spec: networkingv1.NetworkPolicySpec{
    651. 

  651. 					// Apply this policy to client-a
    652. 

  652. 					PodSelector: metav1.LabelSelector{
    653. 

  653. 						MatchLabels: map[string]string{
    654. 

  654. 							"pod-name": clientPodName,
    655. 

  655. 						},
    656. 

  656. 					},
    657. 

  657. 					// Allow traffic to only one named port: "serve-80".
    658. 

  658. 					Egress: []networkingv1.NetworkPolicyEgressRule{{
    659. 

  659. 						Ports: []networkingv1.NetworkPolicyPort{
    660. 

  660. 							{
    661. 

  661. 								Port: &intstr.IntOrString{Type: intstr.String, StrVal: "serve-80"},
    662. 

  662. 							},
    663. 

  663. 							// Allow DNS look-ups
    664. 

  664. 							{
    665. 

  665. 								Protocol: &protocolUDP,
    666. 

  666. 								Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    667. 

  667. 							},
    668. 

  668. 						},
    669. 

  669. 					}},
    670. 

  670. 				},
    671. 

  671. 			}
    672. 

  672. 

  673. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    674. 

  674. 			framework.ExpectNoError(err)
    675. 

  675. 			defer cleanupNetworkPolicy(f, policy)
    676. 

  676. 

  677. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    678. 

  678. 				testCanConnect(f, f.Namespace, clientPodName, service, 80)
    679. 

  679. 			})
    680. 

  680. 			ginkgo.By("Creating client-a which should not be able to contact the server on port 81.", func() {
    681. 

  681. 				testCannotConnect(f, f.Namespace, clientPodName, service, 81)
    682. 

  682. 			})
    683. 

  683. 		})
    684. 

  684. 

  685. 		ginkgo.It("should enforce updated policy [Feature:NetworkPolicy]", func() {
    686. 

  686. 			const (
    687. 

  687. 				clientAAllowedPort    = 80
    688. 

  688. 				clientANotAllowedPort = 81
    689. 

  689. 			)
    690. 

  690. 			ginkgo.By("Creating a network policy for the Service which allows traffic from pod at a port")
    691. 

  691. 			policy := &networkingv1.NetworkPolicy{
    692. 

  692. 				ObjectMeta: metav1.ObjectMeta{
    693. 

  693. 					Name: "allow-ingress",
    694. 

  694. 				},
    695. 

  695. 				Spec: networkingv1.NetworkPolicySpec{
    696. 

  696. 					// Apply to server
    697. 

  697. 					PodSelector: metav1.LabelSelector{
    698. 

  698. 						MatchLabels: map[string]string{
    699. 

  699. 							"pod-name": podServerLabelSelector,
    700. 

  700. 						},
    701. 

  701. 					},
    702. 

  702. 					// Allow traffic only to one port.
    703. 

  703. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    704. 

  704. 						From: []networkingv1.NetworkPolicyPeer{{
    705. 

  705. 							PodSelector: &metav1.LabelSelector{
    706. 

  706. 								MatchLabels: map[string]string{
    707. 

  707. 									"pod-name": "client-a",
    708. 

  708. 								},
    709. 

  709. 							},
    710. 

  710. 						}},
    711. 

  711. 						Ports: []networkingv1.NetworkPolicyPort{{
    712. 

  712. 							Port: &intstr.IntOrString{IntVal: clientAAllowedPort},
    713. 

  713. 						}},
    714. 

  714. 					}},
    715. 

  715. 				},
    716. 

  716. 			}
    717. 

  717. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    718. 

  718. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    719. 

  719. 

  720. 			testCanConnect(f, f.Namespace, "client-a", service, clientAAllowedPort)
    721. 

  721. 			err = f.WaitForPodNotFound("client-a", framework.PodDeleteTimeout)
    722. 

  722. 			framework.ExpectNoError(err, "Expected pod to be not found.")
    723. 

  723. 

  724. 			testCannotConnect(f, f.Namespace, "client-b", service, clientAAllowedPort)
    725. 

  725. 			err = f.WaitForPodNotFound("client-b", framework.PodDeleteTimeout)
    726. 

  726. 			framework.ExpectNoError(err, "Expected pod to be not found.")
    727. 

  727. 

  728. 			testCannotConnect(f, f.Namespace, "client-a", service, clientANotAllowedPort)
    729. 

  729. 			err = f.WaitForPodNotFound("client-a", framework.PodDeleteTimeout)
    730. 

  730. 			framework.ExpectNoError(err, "Expected pod to be not found.")
    731. 

  731. 

  732. 			const (
    733. 

  733. 				clientBAllowedPort    = 81
    734. 

  734. 				clientBNotAllowedPort = 80
    735. 

  735. 			)
    736. 

  736. 			ginkgo.By("Updating a network policy for the Service which allows traffic from another pod at another port.")
    737. 

  737. 			policy = &networkingv1.NetworkPolicy{
    738. 

  738. 				ObjectMeta: metav1.ObjectMeta{
    739. 

  739. 					Name: "allow-ingress",
    740. 

  740. 				},
    741. 

  741. 				Spec: networkingv1.NetworkPolicySpec{
    742. 

  742. 					// Apply to server
    743. 

  743. 					PodSelector: metav1.LabelSelector{
    744. 

  744. 						MatchLabels: map[string]string{
    745. 

  745. 							"pod-name": podServerLabelSelector,
    746. 

  746. 						},
    747. 

  747. 					},
    748. 

  748. 					// Allow traffic only to one port.
    749. 

  749. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    750. 

  750. 						From: []networkingv1.NetworkPolicyPeer{{
    751. 

  751. 							PodSelector: &metav1.LabelSelector{
    752. 

  752. 								MatchLabels: map[string]string{
    753. 

  753. 									"pod-name": "client-b",
    754. 

  754. 								},
    755. 

  755. 							},
    756. 

  756. 						}},
    757. 

  757. 						Ports: []networkingv1.NetworkPolicyPort{{
    758. 

  758. 							Port: &intstr.IntOrString{IntVal: clientBAllowedPort},
    759. 

  759. 						}},
    760. 

  760. 					}},
    761. 

  761. 				},
    762. 

  762. 			}
    763. 

  763. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Update(context.TODO(), policy, metav1.UpdateOptions{})
    764. 

  764. 			framework.ExpectNoError(err, "Error updating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    765. 

  765. 			defer cleanupNetworkPolicy(f, policy)
    766. 

  766. 

  767. 			testCannotConnect(f, f.Namespace, "client-b", service, clientBNotAllowedPort)
    768. 

  768. 			err = f.WaitForPodNotFound("client-b", framework.PodDeleteTimeout)
    769. 

  769. 			framework.ExpectNoError(err, "Expected pod to be not found.")
    770. 

  770. 

  771. 			testCannotConnect(f, f.Namespace, "client-a", service, clientBNotAllowedPort)
    772. 

  772. 			testCanConnect(f, f.Namespace, "client-b", service, clientBAllowedPort)
    773. 

  773. 		})
    774. 

  774. 

  775. 		ginkgo.It("should allow ingress access from updated namespace [Feature:NetworkPolicy]", func() {
    776. 

  776. 			nsA := f.Namespace
    777. 

  777. 			nsBName := f.BaseName + "-b"
    778. 

  778. 			newNsBName := nsBName + "-updated"
    779. 

  779. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    780. 

  780. 				"ns-name": nsBName,
    781. 

  781. 			})
    782. 

  782. 			framework.ExpectNoError(err, "Error creating namespace %v: %v", nsBName, err)
    783. 

  783. 

  784. 			const allowedPort = 80
    785. 

  785. 			// Create Policy for that service that allows traffic only via namespace B
    786. 

  786. 			ginkgo.By("Creating a network policy for the server which allows traffic from namespace-b.")
    787. 

  787. 			policy := &networkingv1.NetworkPolicy{
    788. 

  788. 				ObjectMeta: metav1.ObjectMeta{
    789. 

  789. 					Name: "allow-ns-b-via-namespace-selector",
    790. 

  790. 				},
    791. 

  791. 				Spec: networkingv1.NetworkPolicySpec{
    792. 

  792. 					PodSelector: metav1.LabelSelector{
    793. 

  793. 						MatchLabels: map[string]string{
    794. 

  794. 							"pod-name": podServerLabelSelector,
    795. 

  795. 						},
    796. 

  796. 					},
    797. 

  797. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    798. 

  798. 						From: []networkingv1.NetworkPolicyPeer{{
    799. 

  799. 							NamespaceSelector: &metav1.LabelSelector{
    800. 

  800. 								MatchLabels: map[string]string{
    801. 

  801. 									"ns-name": newNsBName,
    802. 

  802. 								},
    803. 

  803. 							},
    804. 

  804. 						}},
    805. 

  805. 					}},
    806. 

  806. 				},
    807. 

  807. 			}
    808. 

  808. 

  809. 			policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(nsA.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    810. 

  810. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    811. 

  811. 			defer cleanupNetworkPolicy(f, policy)
    812. 

  812. 

  813. 			testCannotConnect(f, nsB, "client-a", service, allowedPort)
    814. 

  814. 

  815. 			nsB, err = f.ClientSet.CoreV1().Namespaces().Get(context.TODO(), nsB.Name, metav1.GetOptions{})
    816. 

  816. 			framework.ExpectNoError(err, "Error getting Namespace %v: %v", nsB.ObjectMeta.Name, err)
    817. 

  817. 

  818. 			nsB.ObjectMeta.Labels["ns-name"] = newNsBName
    819. 

  819. 			nsB, err = f.ClientSet.CoreV1().Namespaces().Update(context.TODO(), nsB, metav1.UpdateOptions{})
    820. 

  820. 			framework.ExpectNoError(err, "Error updating Namespace %v: %v", nsB.ObjectMeta.Name, err)
    821. 

  821. 

  822. 			testCanConnect(f, nsB, "client-b", service, allowedPort)
    823. 

  823. 		})
    824. 

  824. 

  825. 		ginkgo.It("should allow ingress access from updated pod [Feature:NetworkPolicy]", func() {
    826. 

  826. 			const allowedPort = 80
    827. 

  827. 			ginkgo.By("Creating a network policy for the server which allows traffic from client-a-updated.")
    828. 

  828. 			policy := &networkingv1.NetworkPolicy{
    829. 

  829. 				ObjectMeta: metav1.ObjectMeta{
    830. 

  830. 					Name: "allow-pod-b-via-pod-selector",
    831. 

  831. 				},
    832. 

  832. 				Spec: networkingv1.NetworkPolicySpec{
    833. 

  833. 					PodSelector: metav1.LabelSelector{
    834. 

  834. 						MatchLabels: map[string]string{
    835. 

  835. 							"pod-name": podServerLabelSelector,
    836. 

  836. 						},
    837. 

  837. 					},
    838. 

  838. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    839. 

  839. 						From: []networkingv1.NetworkPolicyPeer{{
    840. 

  840. 							PodSelector: &metav1.LabelSelector{
    841. 

  841. 								MatchExpressions: []metav1.LabelSelectorRequirement{{
    842. 

  842. 									Key:      "pod-name",
    843. 

  843. 									Operator: metav1.LabelSelectorOpDoesNotExist,
    844. 

  844. 								}},
    845. 

  845. 							},
    846. 

  846. 						}},
    847. 

  847. 					}},
    848. 

  848. 				},
    849. 

  849. 			}
    850. 

  850. 

  851. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    852. 

  852. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    853. 

  853. 			defer cleanupNetworkPolicy(f, policy)
    854. 

  854. 

  855. 			ginkgo.By(fmt.Sprintf("Creating client pod %s that should not be able to connect to %s.", "client-a", service.Name))
    856. 

  856. 			// Specify RestartPolicy to OnFailure so we can check the client pod fails in the beginning and succeeds
    857. 

  857. 			// after updating its label, otherwise it would not restart after the first failure.
    858. 

  858. 			podClient := createNetworkClientPodWithRestartPolicy(f, f.Namespace, "client-a", service, allowedPort, v1.RestartPolicyOnFailure)
    859. 

  859. 			defer func() {
    860. 

  860. 				ginkgo.By(fmt.Sprintf("Cleaning up the pod %s", podClient.Name))
    861. 

  861. 				if err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Delete(context.TODO(), podClient.Name, nil); err != nil {
    862. 

  862. 					framework.Failf("unable to cleanup pod %v: %v", podClient.Name, err)
    863. 

  863. 				}
    864. 

  864. 			}()
    865. 

  865. 			// Check Container exit code as restartable Pod's Phase will be Running even when container fails.
    866. 

  866. 			checkNoConnectivityByExitCode(f, f.Namespace, podClient, service)
    867. 

  867. 

  868. 			ginkgo.By(fmt.Sprintf("Updating client pod %s that should successfully connect to %s.", podClient.Name, service.Name))
    869. 

  869. 			podClient = updatePodLabel(f, f.Namespace, podClient.Name, "replace", "/metadata/labels", map[string]string{})
    870. 

  870. 			checkConnectivity(f, f.Namespace, podClient, service)
    871. 

  871. 		})
    872. 

  872. 

  873. 		ginkgo.It("should deny ingress access to updated pod [Feature:NetworkPolicy]", func() {
    874. 

  874. 			const allowedPort = 80
    875. 

  875. 			ginkgo.By("Creating a network policy for the server which denies all traffic.")
    876. 

  876. 			policy := &networkingv1.NetworkPolicy{
    877. 

  877. 				ObjectMeta: metav1.ObjectMeta{
    878. 

  878. 					Name: "deny-ingress-via-isolated-label-selector",
    879. 

  879. 				},
    880. 

  880. 				Spec: networkingv1.NetworkPolicySpec{
    881. 

  881. 					PodSelector: metav1.LabelSelector{
    882. 

  882. 						MatchLabels: map[string]string{
    883. 

  883. 							"pod-name": podServerLabelSelector,
    884. 

  884. 						},
    885. 

  885. 						MatchExpressions: []metav1.LabelSelectorRequirement{{
    886. 

  886. 							Key:      "isolated",
    887. 

  887. 							Operator: metav1.LabelSelectorOpExists,
    888. 

  888. 						}},
    889. 

  889. 					},
    890. 

  890. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    891. 

  891. 					Ingress:     []networkingv1.NetworkPolicyIngressRule{},
    892. 

  892. 				},
    893. 

  893. 			}
    894. 

  894. 

  895. 			policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
    896. 

  896. 			framework.ExpectNoError(err, "Error creating Network Policy %v: %v", policy.ObjectMeta.Name, err)
    897. 

  897. 			defer cleanupNetworkPolicy(f, policy)
    898. 

  898. 

  899. 			// Client can connect to service when the network policy doesn't apply to the server pod.
    900. 

  900. 			testCanConnect(f, f.Namespace, "client-a", service, allowedPort)
    901. 

  901. 

  902. 			// Client cannot connect to service after updating the server pod's labels to match the network policy's selector.
    903. 

  903. 			ginkgo.By(fmt.Sprintf("Updating server pod %s to be selected by network policy %s.", podServer.Name, policy.Name))
    904. 

  904. 			updatePodLabel(f, f.Namespace, podServer.Name, "add", "/metadata/labels/isolated", nil)
    905. 

  905. 			testCannotConnect(f, f.Namespace, "client-a", service, allowedPort)
    906. 

  906. 		})
    907. 

  907. 

  908. 		ginkgo.It("should enforce egress policy allowing traffic to a server in a different namespace based on PodSelector and NamespaceSelector [Feature:NetworkPolicy]", func() {
    909. 

  909. 			var nsBserviceA, nsBserviceB *v1.Service
    910. 

  910. 			var nsBpodServerA, nsBpodServerB *v1.Pod
    911. 

  911. 

  912. 			nsA := f.Namespace
    913. 

  913. 			nsBName := f.BaseName + "-b"
    914. 

  914. 			nsB, err := f.CreateNamespace(nsBName, map[string]string{
    915. 

  915. 				"ns-name": nsBName,
    916. 

  916. 			})
    917. 

  917. 			framework.ExpectNoError(err, "Error occurred while creating namespace-b.")
    918. 

  918. 

  919. 			// Creating pods and services in namespace-b
    920. 

  920. 			nsBpodServerA, nsBserviceA = createServerPodAndService(f, nsB, "ns-b-server-a", []int{80})
    921. 

  921. 			defer cleanupServerPodAndService(f, nsBpodServerA, nsBserviceA)
    922. 

  922. 			nsBpodServerB, nsBserviceB = createServerPodAndService(f, nsB, "ns-b-server-b", []int{80})
    923. 

  923. 			defer cleanupServerPodAndService(f, nsBpodServerB, nsBserviceB)
    924. 

  924. 

  925. 			// Wait for Server with Service in NS-A to be ready
    926. 

  926. 			framework.Logf("Waiting for servers to be ready.")
    927. 

  927. 			err = e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, podServer.Name, podServer.Namespace, framework.PodStartTimeout)
    928. 

  928. 			framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Ready.")
    929. 

  929. 

  930. 			// Wait for Servers with Services in NS-B to be ready
    931. 

  931. 			err = e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, nsBpodServerA.Name, nsBpodServerA.Namespace, framework.PodStartTimeout)
    932. 

  932. 			framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Ready.")
    933. 

  933. 

  934. 			err = e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, nsBpodServerB.Name, nsBpodServerB.Namespace, framework.PodStartTimeout)
    935. 

  935. 			framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Ready.")
    936. 

  936. 

  937. 			ginkgo.By("Creating a network policy for the server which allows traffic only to a server in different namespace.")
    938. 

  938. 			protocolUDP := v1.ProtocolUDP
    939. 

  939. 			policyAllowToServerInNSB := &networkingv1.NetworkPolicy{
    940. 

  940. 				ObjectMeta: metav1.ObjectMeta{
    941. 

  941. 					Namespace: nsA.Name,
    942. 

  942. 					Name:      "allow-to-ns-b-server-a-via-namespace-selector",
    943. 

  943. 				},
    944. 

  944. 				Spec: networkingv1.NetworkPolicySpec{
    945. 

  945. 					// Apply this policy to the client
    946. 

  946. 					PodSelector: metav1.LabelSelector{
    947. 

  947. 						MatchLabels: map[string]string{
    948. 

  948. 							"pod-name": "client-a",
    949. 

  949. 						},
    950. 

  950. 					},
    951. 

  951. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    952. 

  952. 					// Allow traffic only to server-a in namespace-b
    953. 

  953. 					Egress: []networkingv1.NetworkPolicyEgressRule{
    954. 

  954. 						{
    955. 

  955. 							Ports: []networkingv1.NetworkPolicyPort{
    956. 

  956. 								// Allow DNS look-ups
    957. 

  957. 								{
    958. 

  958. 									Protocol: &protocolUDP,
    959. 

  959. 									Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    960. 

  960. 								},
    961. 

  961. 							},
    962. 

  962. 						},
    963. 

  963. 						{
    964. 

  964. 							To: []networkingv1.NetworkPolicyPeer{
    965. 

  965. 								{
    966. 

  966. 									NamespaceSelector: &metav1.LabelSelector{
    967. 

  967. 										MatchLabels: map[string]string{
    968. 

  968. 											"ns-name": nsBName,
    969. 

  969. 										},
    970. 

  970. 									},
    971. 

  971. 									PodSelector: &metav1.LabelSelector{
    972. 

  972. 										MatchLabels: map[string]string{
    973. 

  973. 											"pod-name": nsBpodServerA.ObjectMeta.Labels["pod-name"],
    974. 

  974. 										},
    975. 

  975. 									},
    976. 

  976. 								},
    977. 

  977. 							},
    978. 

  978. 						},
    979. 

  979. 					},
    980. 

  980. 				},
    981. 

  981. 			}
    982. 

  982. 

  983. 			policyAllowToServerInNSB, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowToServerInNSB, metav1.CreateOptions{})
    984. 

  984. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowToServerInNSB.")
    985. 

  985. 			defer cleanupNetworkPolicy(f, policyAllowToServerInNSB)
    986. 

  986. 

  987. 			ginkgo.By("Creating client-a, in 'namespace-a', which should be able to contact the server-a in namespace-b.", func() {
    988. 

  988. 				testCanConnect(f, nsA, "client-a", nsBserviceA, 80)
    989. 

  989. 			})
    990. 

  990. 			ginkgo.By("Creating client-a, in 'namespace-a', which should not be able to contact the server-b in namespace-b.", func() {
    991. 

  991. 				testCannotConnect(f, nsA, "client-a", nsBserviceB, 80)
    992. 

  992. 			})
    993. 

  993. 			ginkgo.By("Creating client-a, in 'namespace-a', which should not be able to contact the server in namespace-a.", func() {
    994. 

  994. 				testCannotConnect(f, nsA, "client-a", service, 80)
    995. 

  995. 			})
    996. 

  996. 		})
    997. 

  997. 

  998. 		ginkgo.It("should enforce multiple ingress policies with ingress allow-all policy taking precedence [Feature:NetworkPolicy]", func() {
    999. 

  999. 			ginkgo.By("Creating a network policy for the server which allows traffic only from client-b.")
    1000. 

  1000. 			policyAllowOnlyFromClientB := &networkingv1.NetworkPolicy{
    1001. 

  1001. 				ObjectMeta: metav1.ObjectMeta{
    1002. 

  1002. 					Namespace: f.Namespace.Name,
    1003. 

  1003. 					Name:      "allow-from-client-b-pod-selector",
    1004. 

  1004. 				},
    1005. 

  1005. 				Spec: networkingv1.NetworkPolicySpec{
    1006. 

  1006. 					// Apply this policy to the Server
    1007. 

  1007. 					PodSelector: metav1.LabelSelector{
    1008. 

  1008. 						MatchLabels: map[string]string{
    1009. 

  1009. 							"pod-name": podServerLabelSelector,
    1010. 

  1010. 						},
    1011. 

  1011. 					},
    1012. 

  1012. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    1013. 

  1013. 					// Allow traffic only from "client-b"
    1014. 

  1014. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    1015. 

  1015. 						From: []networkingv1.NetworkPolicyPeer{{
    1016. 

  1016. 							PodSelector: &metav1.LabelSelector{
    1017. 

  1017. 								MatchLabels: map[string]string{
    1018. 

  1018. 									"pod-name": "client-b",
    1019. 

  1019. 								},
    1020. 

  1020. 							},
    1021. 

  1021. 						}},
    1022. 

  1022. 					}},
    1023. 

  1023. 				},
    1024. 

  1024. 			}
    1025. 

  1025. 

  1026. 			policyAllowOnlyFromClientB, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowOnlyFromClientB, metav1.CreateOptions{})
    1027. 

  1027. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowOnlyFromClientB.")
    1028. 

  1028. 			defer cleanupNetworkPolicy(f, policyAllowOnlyFromClientB)
    1029. 

  1029. 

  1030. 			ginkgo.By("Creating client-a which should not be able to contact the server.", func() {
    1031. 

  1031. 				testCannotConnect(f, f.Namespace, "client-a", service, 80)
    1032. 

  1032. 			})
    1033. 

  1033. 			ginkgo.By("Creating client-b which should be able to contact the server.", func() {
    1034. 

  1034. 				testCanConnect(f, f.Namespace, "client-b", service, 80)
    1035. 

  1035. 			})
    1036. 

  1036. 

  1037. 			ginkgo.By("Creating a network policy for the server which allows traffic from all clients.")
    1038. 

  1038. 			policyIngressAllowAll := &networkingv1.NetworkPolicy{
    1039. 

  1039. 				ObjectMeta: metav1.ObjectMeta{
    1040. 

  1040. 					//Namespace: f.Namespace.Name,
    1041. 

  1041. 					Name: "allow-all",
    1042. 

  1042. 				},
    1043. 

  1043. 				Spec: networkingv1.NetworkPolicySpec{
    1044. 

  1044. 					// Apply this policy to all pods
    1045. 

  1045. 					PodSelector: metav1.LabelSelector{
    1046. 

  1046. 						MatchLabels: map[string]string{},
    1047. 

  1047. 					},
    1048. 

  1048. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    1049. 

  1049. 					Ingress:     []networkingv1.NetworkPolicyIngressRule{{}},
    1050. 

  1050. 				},
    1051. 

  1051. 			}
    1052. 

  1052. 

  1053. 			policyIngressAllowAll, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyIngressAllowAll, metav1.CreateOptions{})
    1054. 

  1054. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyIngressAllowAll.")
    1055. 

  1055. 			defer cleanupNetworkPolicy(f, policyIngressAllowAll)
    1056. 

  1056. 

  1057. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1058. 

  1058. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1059. 

  1059. 			})
    1060. 

  1060. 			ginkgo.By("Creating client-b which should be able to contact the server.", func() {
    1061. 

  1061. 				testCanConnect(f, f.Namespace, "client-b", service, 80)
    1062. 

  1062. 			})
    1063. 

  1063. 		})
    1064. 

  1064. 

  1065. 		ginkgo.It("should enforce multiple egress policies with egress allow-all policy taking precedence [Feature:NetworkPolicy]", func() {
    1066. 

  1066. 			podServerB, serviceB := createServerPodAndService(f, f.Namespace, "server-b", []int{80})
    1067. 

  1067. 			defer cleanupServerPodAndService(f, podServerB, serviceB)
    1068. 

  1068. 

  1069. 			ginkgo.By("Waiting for pod ready", func() {
    1070. 

  1070. 				err := f.WaitForPodReady(podServerB.Name)
    1071. 

  1071. 				framework.ExpectNoError(err, "Error occurred while waiting for pod type: Ready.")
    1072. 

  1072. 			})
    1073. 

  1073. 

  1074. 			protocolUDP := v1.ProtocolUDP
    1075. 

  1075. 

  1076. 			ginkgo.By("Creating client-a which should be able to contact the server before applying policy.", func() {
    1077. 

  1077. 				testCanConnect(f, f.Namespace, "client-a", serviceB, 80)
    1078. 

  1078. 			})
    1079. 

  1079. 

  1080. 			ginkgo.By("Creating a network policy for the server which allows traffic only to server-a.")
    1081. 

  1081. 			policyAllowOnlyToServerA := &networkingv1.NetworkPolicy{
    1082. 

  1082. 				ObjectMeta: metav1.ObjectMeta{
    1083. 

  1083. 					Namespace: f.Namespace.Name,
    1084. 

  1084. 					Name:      "allow-to-server-a-pod-selector",
    1085. 

  1085. 				},
    1086. 

  1086. 				Spec: networkingv1.NetworkPolicySpec{
    1087. 

  1087. 					// Apply this policy to the "client-a"
    1088. 

  1088. 					PodSelector: metav1.LabelSelector{
    1089. 

  1089. 						MatchLabels: map[string]string{
    1090. 

  1090. 							"pod-name": "client-a",
    1091. 

  1091. 						},
    1092. 

  1092. 					},
    1093. 

  1093. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    1094. 

  1094. 					// Allow traffic only to "server-a"
    1095. 

  1095. 					Egress: []networkingv1.NetworkPolicyEgressRule{
    1096. 

  1096. 						{
    1097. 

  1097. 							Ports: []networkingv1.NetworkPolicyPort{
    1098. 

  1098. 								// Allow DNS look-ups
    1099. 

  1099. 								{
    1100. 

  1100. 									Protocol: &protocolUDP,
    1101. 

  1101. 									Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    1102. 

  1102. 								},
    1103. 

  1103. 							},
    1104. 

  1104. 						},
    1105. 

  1105. 						{
    1106. 

  1106. 							To: []networkingv1.NetworkPolicyPeer{
    1107. 

  1107. 								{
    1108. 

  1108. 									PodSelector: &metav1.LabelSelector{
    1109. 

  1109. 										MatchLabels: map[string]string{
    1110. 

  1110. 											"pod-name": podServerLabelSelector,
    1111. 

  1111. 										},
    1112. 

  1112. 									},
    1113. 

  1113. 								},
    1114. 

  1114. 							},
    1115. 

  1115. 						},
    1116. 

  1116. 					},
    1117. 

  1117. 				},
    1118. 

  1118. 			}
    1119. 

  1119. 			policyAllowOnlyToServerA, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowOnlyToServerA, metav1.CreateOptions{})
    1120. 

  1120. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowOnlyToServerA.")
    1121. 

  1121. 			defer cleanupNetworkPolicy(f, policyAllowOnlyToServerA)
    1122. 

  1122. 

  1123. 			ginkgo.By("Creating client-a which should not be able to contact the server-b.", func() {
    1124. 

  1124. 				testCannotConnect(f, f.Namespace, "client-a", serviceB, 80)
    1125. 

  1125. 			})
    1126. 

  1126. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1127. 

  1127. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1128. 

  1128. 			})
    1129. 

  1129. 

  1130. 			ginkgo.By("Creating a network policy which allows traffic to all pods.")
    1131. 

  1131. 			policyEgressAllowAll := &networkingv1.NetworkPolicy{
    1132. 

  1132. 				ObjectMeta: metav1.ObjectMeta{
    1133. 

  1133. 					Name: "allow-all",
    1134. 

  1134. 				},
    1135. 

  1135. 				Spec: networkingv1.NetworkPolicySpec{
    1136. 

  1136. 					// Apply this policy to all pods
    1137. 

  1137. 					PodSelector: metav1.LabelSelector{
    1138. 

  1138. 						MatchLabels: map[string]string{},
    1139. 

  1139. 					},
    1140. 

  1140. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    1141. 

  1141. 					Egress:      []networkingv1.NetworkPolicyEgressRule{{}},
    1142. 

  1142. 				},
    1143. 

  1143. 			}
    1144. 

  1144. 

  1145. 			policyEgressAllowAll, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyEgressAllowAll, metav1.CreateOptions{})
    1146. 

  1146. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyEgressAllowAll.")
    1147. 

  1147. 			defer cleanupNetworkPolicy(f, policyEgressAllowAll)
    1148. 

  1148. 

  1149. 			ginkgo.By("Creating client-a which should be able to contact the server-b.", func() {
    1150. 

  1150. 				testCanConnect(f, f.Namespace, "client-a", serviceB, 80)
    1151. 

  1151. 			})
    1152. 

  1152. 			ginkgo.By("Creating client-a which should be able to contact the server-a.", func() {
    1153. 

  1153. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1154. 

  1154. 			})
    1155. 

  1155. 		})
    1156. 

  1156. 

  1157. 		ginkgo.It("should stop enforcing policies after they are deleted [Feature:NetworkPolicy]", func() {
    1158. 

  1158. 			ginkgo.By("Creating a network policy for the server which denies all traffic.")
    1159. 

  1159. 			policyDenyAll := &networkingv1.NetworkPolicy{
    1160. 

  1160. 				ObjectMeta: metav1.ObjectMeta{
    1161. 

  1161. 					Namespace: f.Namespace.Name,
    1162. 

  1162. 					Name:      "deny-all",
    1163. 

  1163. 				},
    1164. 

  1164. 				Spec: networkingv1.NetworkPolicySpec{
    1165. 

  1165. 					// Deny all traffic
    1166. 

  1166. 					PodSelector: metav1.LabelSelector{},
    1167. 

  1167. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    1168. 

  1168. 					Ingress:     []networkingv1.NetworkPolicyIngressRule{},
    1169. 

  1169. 				},
    1170. 

  1170. 			}
    1171. 

  1171. 

  1172. 			policyDenyAll, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyDenyAll, metav1.CreateOptions{})
    1173. 

  1173. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyDenyAll.")
    1174. 

  1174. 

  1175. 			ginkgo.By("Creating client-a which should not be able to contact the server.", func() {
    1176. 

  1176. 				testCannotConnect(f, f.Namespace, "client-a", service, 80)
    1177. 

  1177. 			})
    1178. 

  1178. 

  1179. 			ginkgo.By("Creating a network policy for the server which allows traffic only from client-a.")
    1180. 

  1180. 			policyAllowFromClientA := &networkingv1.NetworkPolicy{
    1181. 

  1181. 				ObjectMeta: metav1.ObjectMeta{
    1182. 

  1182. 					Namespace: f.Namespace.Name,
    1183. 

  1183. 					Name:      "allow-from-client-a-pod-selector",
    1184. 

  1184. 				},
    1185. 

  1185. 				Spec: networkingv1.NetworkPolicySpec{
    1186. 

  1186. 					// Apply this policy to the Server
    1187. 

  1187. 					PodSelector: metav1.LabelSelector{
    1188. 

  1188. 						MatchLabels: map[string]string{
    1189. 

  1189. 							"pod-name": podServerLabelSelector,
    1190. 

  1190. 						},
    1191. 

  1191. 					},
    1192. 

  1192. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    1193. 

  1193. 					// Allow traffic from "client-a"
    1194. 

  1194. 					Ingress: []networkingv1.NetworkPolicyIngressRule{{
    1195. 

  1195. 						From: []networkingv1.NetworkPolicyPeer{{
    1196. 

  1196. 							PodSelector: &metav1.LabelSelector{
    1197. 

  1197. 								MatchLabels: map[string]string{
    1198. 

  1198. 									"pod-name": "client-a",
    1199. 

  1199. 								},
    1200. 

  1200. 							},
    1201. 

  1201. 						}},
    1202. 

  1202. 					}},
    1203. 

  1203. 				},
    1204. 

  1204. 			}
    1205. 

  1205. 

  1206. 			policyAllowFromClientA, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowFromClientA, metav1.CreateOptions{})
    1207. 

  1207. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowFromClientA.")
    1208. 

  1208. 

  1209. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1210. 

  1210. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1211. 

  1211. 			})
    1212. 

  1212. 

  1213. 			ginkgo.By("Deleting the network policy allowing traffic from client-a")
    1214. 

  1214. 			cleanupNetworkPolicy(f, policyAllowFromClientA)
    1215. 

  1215. 

  1216. 			ginkgo.By("Creating client-a which should not be able to contact the server.", func() {
    1217. 

  1217. 				testCannotConnect(f, f.Namespace, "client-a", service, 80)
    1218. 

  1218. 			})
    1219. 

  1219. 

  1220. 			ginkgo.By("Deleting the network policy denying all traffic.")
    1221. 

  1221. 			cleanupNetworkPolicy(f, policyDenyAll)
    1222. 

  1222. 

  1223. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1224. 

  1224. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1225. 

  1225. 			})
    1226. 

  1226. 

  1227. 		})
    1228. 

  1228. 

  1229. 		ginkgo.It("should allow egress access to server in CIDR block [Feature:NetworkPolicy]", func() {
    1230. 

  1230. 			var serviceB *v1.Service
    1231. 

  1231. 			var podServerB *v1.Pod
    1232. 

  1232. 

  1233. 			protocolUDP := v1.ProtocolUDP
    1234. 

  1234. 

  1235. 			// Getting podServer's status to get podServer's IP, to create the CIDR
    1236. 

  1236. 			podServerStatus, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), podServer.Name, metav1.GetOptions{})
    1237. 

  1237. 			if err != nil {
    1238. 

  1238. 				framework.ExpectNoError(err, "Error occurred while getting pod status.")
    1239. 

  1239. 			}
    1240. 

  1240. 

  1241. 			podServerCIDR := fmt.Sprintf("%s/32", podServerStatus.Status.PodIP)
    1242. 

  1242. 

  1243. 			// Creating pod-b and service-b
    1244. 

  1244. 			podServerB, serviceB = createServerPodAndService(f, f.Namespace, "pod-b", []int{80})
    1245. 

  1245. 			ginkgo.By("Waiting for pod-b to be ready", func() {
    1246. 

  1246. 				err = f.WaitForPodReady(podServerB.Name)
    1247. 

  1247. 				framework.ExpectNoError(err, "Error occurred while waiting for pod type: Ready.")
    1248. 

  1248. 			})
    1249. 

  1249. 			defer cleanupServerPodAndService(f, podServerB, serviceB)
    1250. 

  1250. 

  1251. 			// Wait for podServerB with serviceB to be ready
    1252. 

  1252. 			err = e2epod.WaitForPodRunningInNamespace(f.ClientSet, podServerB)
    1253. 

  1253. 			framework.ExpectNoError(err, "Error occurred while waiting for pod status in namespace: Running.")
    1254. 

  1254. 

  1255. 			ginkgo.By("Creating client-a which should be able to contact the server-b.", func() {
    1256. 

  1256. 				testCanConnect(f, f.Namespace, "client-a", serviceB, 80)
    1257. 

  1257. 			})
    1258. 

  1258. 

  1259. 			policyAllowCIDR := &networkingv1.NetworkPolicy{
    1260. 

  1260. 				ObjectMeta: metav1.ObjectMeta{
    1261. 

  1261. 					Namespace: f.Namespace.Name,
    1262. 

  1262. 					Name:      "allow-client-a-via-cidr-egress-rule",
    1263. 

  1263. 				},
    1264. 

  1264. 				Spec: networkingv1.NetworkPolicySpec{
    1265. 

  1265. 					// Apply this policy to the Server
    1266. 

  1266. 					PodSelector: metav1.LabelSelector{
    1267. 

  1267. 						MatchLabels: map[string]string{
    1268. 

  1268. 							"pod-name": "client-a",
    1269. 

  1269. 						},
    1270. 

  1270. 					},
    1271. 

  1271. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    1272. 

  1272. 					// Allow traffic to only one CIDR block.
    1273. 

  1273. 					Egress: []networkingv1.NetworkPolicyEgressRule{
    1274. 

  1274. 						{
    1275. 

  1275. 							Ports: []networkingv1.NetworkPolicyPort{
    1276. 

  1276. 								// Allow DNS look-ups
    1277. 

  1277. 								{
    1278. 

  1278. 									Protocol: &protocolUDP,
    1279. 

  1279. 									Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    1280. 

  1280. 								},
    1281. 

  1281. 							},
    1282. 

  1282. 						},
    1283. 

  1283. 						{
    1284. 

  1284. 							To: []networkingv1.NetworkPolicyPeer{
    1285. 

  1285. 								{
    1286. 

  1286. 									IPBlock: &networkingv1.IPBlock{
    1287. 

  1287. 										CIDR: podServerCIDR,
    1288. 

  1288. 									},
    1289. 

  1289. 								},
    1290. 

  1290. 							},
    1291. 

  1291. 						},
    1292. 

  1292. 					},
    1293. 

  1293. 				},
    1294. 

  1294. 			}
    1295. 

  1295. 

  1296. 			policyAllowCIDR, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowCIDR, metav1.CreateOptions{})
    1297. 

  1297. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowCIDR.")
    1298. 

  1298. 			defer cleanupNetworkPolicy(f, policyAllowCIDR)
    1299. 

  1299. 

  1300. 			ginkgo.By("Creating client-a which should not be able to contact the server-b.", func() {
    1301. 

  1301. 				testCannotConnect(f, f.Namespace, "client-a", serviceB, 80)
    1302. 

  1302. 			})
    1303. 

  1303. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1304. 

  1304. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1305. 

  1305. 			})
    1306. 

  1306. 		})
    1307. 

  1307. 

  1308. 		ginkgo.It("should enforce except clause while egress access to server in CIDR block [Feature:NetworkPolicy]", func() {
    1309. 

  1309. 			protocolUDP := v1.ProtocolUDP
    1310. 

  1310. 

  1311. 			// Getting podServer's status to get podServer's IP, to create the CIDR with except clause
    1312. 

  1312. 			podServerStatus, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(context.TODO(), podServer.Name, metav1.GetOptions{})
    1313. 

  1313. 			if err != nil {
    1314. 

  1314. 				framework.ExpectNoError(err, "Error occurred while getting pod status.")
    1315. 

  1315. 			}
    1316. 

  1316. 

  1317. 			podServerAllowCIDR := fmt.Sprintf("%s/24", podServerStatus.Status.PodIP)
    1318. 

  1318. 			// Exclude podServer's IP with an Except clause
    1319. 

  1319. 			podServerExceptList := []string{fmt.Sprintf("%s/32", podServerStatus.Status.PodIP)}
    1320. 

  1320. 

  1321. 			// client-a can connect to server prior to applying the NetworkPolicy
    1322. 

  1322. 			ginkgo.By("Creating client-a which should be able to contact the server.", func() {
    1323. 

  1323. 				testCanConnect(f, f.Namespace, "client-a", service, 80)
    1324. 

  1324. 			})
    1325. 

  1325. 

  1326. 			policyAllowCIDRWithExcept := &networkingv1.NetworkPolicy{
    1327. 

  1327. 				ObjectMeta: metav1.ObjectMeta{
    1328. 

  1328. 					Namespace: f.Namespace.Name,
    1329. 

  1329. 					Name:      "deny-client-a-via-except-cidr-egress-rule",
    1330. 

  1330. 				},
    1331. 

  1331. 				Spec: networkingv1.NetworkPolicySpec{
    1332. 

  1332. 					// Apply this policy to the client.
    1333. 

  1333. 					PodSelector: metav1.LabelSelector{
    1334. 

  1334. 						MatchLabels: map[string]string{
    1335. 

  1335. 							"pod-name": "client-a",
    1336. 

  1336. 						},
    1337. 

  1337. 					},
    1338. 

  1338. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    1339. 

  1339. 					// Allow traffic to only one CIDR block except subnet which includes Server.
    1340. 

  1340. 					Egress: []networkingv1.NetworkPolicyEgressRule{
    1341. 

  1341. 						{
    1342. 

  1342. 							Ports: []networkingv1.NetworkPolicyPort{
    1343. 

  1343. 								// Allow DNS look-ups
    1344. 

  1344. 								{
    1345. 

  1345. 									Protocol: &protocolUDP,
    1346. 

  1346. 									Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    1347. 

  1347. 								},
    1348. 

  1348. 							},
    1349. 

  1349. 						},
    1350. 

  1350. 						{
    1351. 

  1351. 							To: []networkingv1.NetworkPolicyPeer{
    1352. 

  1352. 								{
    1353. 

  1353. 									IPBlock: &networkingv1.IPBlock{
    1354. 

  1354. 										CIDR:   podServerAllowCIDR,
    1355. 

  1355. 										Except: podServerExceptList,
    1356. 

  1356. 									},
    1357. 

  1357. 								},
    1358. 

  1358. 							},
    1359. 

  1359. 						},
    1360. 

  1360. 					},
    1361. 

  1361. 				},
    1362. 

  1362. 			}
    1363. 

  1363. 

  1364. 			policyAllowCIDRWithExcept, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowCIDRWithExcept, metav1.CreateOptions{})
    1365. 

  1365. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowCIDRWithExcept.")
    1366. 

  1366. 			defer cleanupNetworkPolicy(f, policyAllowCIDRWithExcept)
    1367. 

  1367. 

  1368. 			ginkgo.By("Creating client-a which should no longer be able to contact the server.", func() {
    1369. 

  1369. 				testCannotConnect(f, f.Namespace, "client-a", service, 80)
    1370. 

  1370. 			})
    1371. 

  1371. 		})
    1372. 

  1372. 

  1373. 		ginkgo.It("should enforce policies to check ingress and egress policies can be controlled independently based on PodSelector [Feature:NetworkPolicy]", func() {
    1374. 

  1374. 			var serviceA, serviceB *v1.Service
    1375. 

  1375. 			var podA, podB *v1.Pod
    1376. 

  1376. 			var err error
    1377. 

  1377. 

  1378. 			protocolUDP := v1.ProtocolUDP
    1379. 

  1379. 

  1380. 			// Before applying policy, communication should be successful between pod-a and pod-b
    1381. 

  1381. 			podA, serviceA = createServerPodAndService(f, f.Namespace, "pod-a", []int{80})
    1382. 

  1382. 			ginkgo.By("Waiting for pod-a to be ready", func() {
    1383. 

  1383. 				err = f.WaitForPodReady(podA.Name)
    1384. 

  1384. 				framework.ExpectNoError(err, "Error occurred while waiting for pod type: Ready.")
    1385. 

  1385. 			})
    1386. 

  1386. 			ginkgo.By("Creating client pod-b which should be able to contact the server pod-a.", func() {
    1387. 

  1387. 				testCanConnect(f, f.Namespace, "pod-b", serviceA, 80)
    1388. 

  1388. 			})
    1389. 

  1389. 			cleanupServerPodAndService(f, podA, serviceA)
    1390. 

  1390. 

  1391. 			podB, serviceB = createServerPodAndService(f, f.Namespace, "pod-b", []int{80})
    1392. 

  1392. 			ginkgo.By("Waiting for pod-b to be ready", func() {
    1393. 

  1393. 				err = f.WaitForPodReady(podB.Name)
    1394. 

  1394. 				framework.ExpectNoError(err, "Error occurred while waiting for pod type: Ready.")
    1395. 

  1395. 			})
    1396. 

  1396. 			ginkgo.By("Creating client pod-a which should be able to contact the server pod-b.", func() {
    1397. 

  1397. 				testCanConnect(f, f.Namespace, "pod-a", serviceB, 80)
    1398. 

  1398. 			})
    1399. 

  1399. 

  1400. 			ginkgo.By("Creating a network policy for pod-a which allows Egress traffic to pod-b.")
    1401. 

  1401. 			policyAllowToPodB := &networkingv1.NetworkPolicy{
    1402. 

  1402. 				ObjectMeta: metav1.ObjectMeta{
    1403. 

  1403. 					Namespace: f.Namespace.Name,
    1404. 

  1404. 					Name:      "allow-pod-a-to-pod-b-using-pod-selector",
    1405. 

  1405. 				},
    1406. 

  1406. 				Spec: networkingv1.NetworkPolicySpec{
    1407. 

  1407. 					// Apply this policy on pod-a
    1408. 

  1408. 					PodSelector: metav1.LabelSelector{
    1409. 

  1409. 						MatchLabels: map[string]string{
    1410. 

  1410. 							"pod-name": "pod-a",
    1411. 

  1411. 						},
    1412. 

  1412. 					},
    1413. 

  1413. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
    1414. 

  1414. 					// Allow traffic to server on pod-b
    1415. 

  1415. 					Egress: []networkingv1.NetworkPolicyEgressRule{
    1416. 

  1416. 						{
    1417. 

  1417. 							Ports: []networkingv1.NetworkPolicyPort{
    1418. 

  1418. 								// Allow DNS look-ups
    1419. 

  1419. 								{
    1420. 

  1420. 									Protocol: &protocolUDP,
    1421. 

  1421. 									Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: 53},
    1422. 

  1422. 								},
    1423. 

  1423. 							},
    1424. 

  1424. 						},
    1425. 

  1425. 						{
    1426. 

  1426. 							To: []networkingv1.NetworkPolicyPeer{
    1427. 

  1427. 								{
    1428. 

  1428. 									PodSelector: &metav1.LabelSelector{
    1429. 

  1429. 										MatchLabels: map[string]string{
    1430. 

  1430. 											"pod-name": "pod-b",
    1431. 

  1431. 										},
    1432. 

  1432. 									},
    1433. 

  1433. 								},
    1434. 

  1434. 							},
    1435. 

  1435. 						},
    1436. 

  1436. 					},
    1437. 

  1437. 				},
    1438. 

  1438. 			}
    1439. 

  1439. 

  1440. 			policyAllowToPodB, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyAllowToPodB, metav1.CreateOptions{})
    1441. 

  1441. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyAllowToPodB.")
    1442. 

  1442. 			defer cleanupNetworkPolicy(f, policyAllowToPodB)
    1443. 

  1443. 

  1444. 			ginkgo.By("Creating a network policy for pod-a that denies traffic from pod-b.")
    1445. 

  1445. 			policyDenyFromPodB := &networkingv1.NetworkPolicy{
    1446. 

  1446. 				ObjectMeta: metav1.ObjectMeta{
    1447. 

  1447. 					Namespace: f.Namespace.Name,
    1448. 

  1448. 					Name:      "deny-pod-b-to-pod-a-pod-selector",
    1449. 

  1449. 				},
    1450. 

  1450. 				Spec: networkingv1.NetworkPolicySpec{
    1451. 

  1451. 					// Apply this policy on the server on pod-a
    1452. 

  1452. 					PodSelector: metav1.LabelSelector{
    1453. 

  1453. 						MatchLabels: map[string]string{
    1454. 

  1454. 							"pod-name": "pod-a",
    1455. 

  1455. 						},
    1456. 

  1456. 					},
    1457. 

  1457. 					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
    1458. 

  1458. 					// Deny traffic from all pods, including pod-b
    1459. 

  1459. 					Ingress: []networkingv1.NetworkPolicyIngressRule{},
    1460. 

  1460. 				},
    1461. 

  1461. 			}
    1462. 

  1462. 

  1463. 			policyDenyFromPodB, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policyDenyFromPodB, metav1.CreateOptions{})
    1464. 

  1464. 			framework.ExpectNoError(err, "Error occurred while creating policy: policyDenyFromPodB.")
    1465. 

  1465. 			defer cleanupNetworkPolicy(f, policyDenyFromPodB)
    1466. 

  1466. 

  1467. 			ginkgo.By("Creating client pod-a which should be able to contact the server pod-b.", func() {
    1468. 

  1468. 				testCanConnect(f, f.Namespace, "pod-a", serviceB, 80)
    1469. 

  1469. 			})
    1470. 

  1470. 			cleanupServerPodAndService(f, podB, serviceB)
    1471. 

  1471. 

  1472. 			// Creating server pod with label "pod-name": "pod-a" to deny traffic from client pod with label "pod-name": "pod-b"
    1473. 

  1473. 			podA, serviceA = createServerPodAndService(f, f.Namespace, "pod-a", []int{80})
    1474. 

  1474. 			ginkgo.By("Waiting for pod-a to be ready", func() {
    1475. 

  1475. 				err = f.WaitForPodReady(podA.Name)
    1476. 

  1476. 				framework.ExpectNoError(err, "Error occurred while waiting for pod type: Ready.")
    1477. 

  1477. 			})
    1478. 

  1478. 

  1479. 			ginkgo.By("Creating client pod-b which should be able to contact the server pod-a.", func() {
    1480. 

  1480. 				testCannotConnect(f, f.Namespace, "pod-b", serviceA, 80)
    1481. 

  1481. 			})
    1482. 

  1482. 			cleanupServerPodAndService(f, podA, serviceA)
    1483. 

  1483. 		})
    1484. 

  1484. 

  1485. 	})
    1486. 

  1486. 

  1487. })
    1488. 

  1488. 

  1489. func testCanConnect(f *framework.Framework, ns *v1.Namespace, podName string, service *v1.Service, targetPort int) {
    1490. 

  1490. 	ginkgo.By(fmt.Sprintf("Creating client pod %s that should successfully connect to %s.", podName, service.Name))
    1491. 

  1491. 	podClient := createNetworkClientPod(f, ns, podName, service, targetPort)
    1492. 

  1492. 	defer func() {
    1493. 

  1493. 		ginkgo.By(fmt.Sprintf("Cleaning up the pod %s", podClient.Name))
    1494. 

  1494. 		if err := f.ClientSet.CoreV1().Pods(ns.Name).Delete(context.TODO(), podClient.Name, nil); err != nil {
    1495. 

  1495. 			framework.Failf("unable to cleanup pod %v: %v", podClient.Name, err)
    1496. 

  1496. 		}
    1497. 

  1497. 	}()
    1498. 

  1498. 	checkConnectivity(f, ns, podClient, service)
    1499. 

  1499. }
    1500. 

  1500. 

  1501. func testCannotConnect(f *framework.Framework, ns *v1.Namespace, podName string, service *v1.Service, targetPort int) {
    1502. 

  1502. 	ginkgo.By(fmt.Sprintf("Creating client pod %s that should not be able to connect to %s.", podName, service.Name))
    1503. 

  1503. 	podClient := createNetworkClientPod(f, ns, podName, service, targetPort)
    1504. 

  1504. 	defer func() {
    1505. 

  1505. 		ginkgo.By(fmt.Sprintf("Cleaning up the pod %s", podClient.Name))
    1506. 

  1506. 		if err := f.ClientSet.CoreV1().Pods(ns.Name).Delete(context.TODO(), podClient.Name, nil); err != nil {
    1507. 

  1507. 			framework.Failf("unable to cleanup pod %v: %v", podClient.Name, err)
    1508. 

  1508. 		}
    1509. 

  1509. 	}()
    1510. 

  1510. 	checkNoConnectivity(f, ns, podClient, service)
    1511. 

  1511. }
    1512. 

  1512. 

  1513. func checkConnectivity(f *framework.Framework, ns *v1.Namespace, podClient *v1.Pod, service *v1.Service) {
    1514. 

  1514. 	framework.Logf("Waiting for %s to complete.", podClient.Name)
    1515. 

  1515. 	err := e2epod.WaitForPodNoLongerRunningInNamespace(f.ClientSet, podClient.Name, ns.Name)
    1516. 

  1516. 	framework.ExpectNoError(err, "Pod did not finish as expected.")
    1517. 

  1517. 

  1518. 	framework.Logf("Waiting for %s to complete.", podClient.Name)
    1519. 

  1519. 	err = e2epod.WaitForPodSuccessInNamespace(f.ClientSet, podClient.Name, ns.Name)
    1520. 

  1520. 	if err != nil {
    1521. 

  1521. 		pods, policies, logs := collectPodsAndNetworkPolicies(f, podClient)
    1522. 

  1522. 		framework.Failf("Pod %s should be able to connect to service %s, but was not able to connect.\nPod logs:\n%s\n\n Current NetworkPolicies:\n\t%v\n\n Pods:\n\t%v\n\n", podClient.Name, service.Name, logs, policies.Items, pods)
    1523. 

  1523. 

  1524. 		// Dump debug information for the test namespace.
    1525. 

  1525. 		framework.DumpDebugInfo(f.ClientSet, f.Namespace.Name)
    1526. 

  1526. 	}
    1527. 

  1527. }
    1528. 

  1528. 

  1529. func checkNoConnectivity(f *framework.Framework, ns *v1.Namespace, podClient *v1.Pod, service *v1.Service) {
    1530. 

  1530. 	framework.Logf("Waiting for %s to complete.", podClient.Name)
    1531. 

  1531. 	err := e2epod.WaitForPodSuccessInNamespace(f.ClientSet, podClient.Name, ns.Name)
    1532. 

  1532. 

  1533. 	// We expect an error here since it's a cannot connect test.
    1534. 

  1534. 	// Dump debug information if the error was nil.
    1535. 

  1535. 	if err == nil {
    1536. 

  1536. 		pods, policies, logs := collectPodsAndNetworkPolicies(f, podClient)
    1537. 

  1537. 		framework.Failf("Pod %s should not be able to connect to service %s, but was able to connect.\nPod logs:\n%s\n\n Current NetworkPolicies:\n\t%v\n\n Pods:\n\t %v\n\n", podClient.Name, service.Name, logs, policies.Items, pods)
    1538. 

  1538. 

  1539. 		// Dump debug information for the test namespace.
    1540. 

  1540. 		framework.DumpDebugInfo(f.ClientSet, f.Namespace.Name)
    1541. 

  1541. 	}
    1542. 

  1542. }
    1543. 

  1543. 

  1544. func checkNoConnectivityByExitCode(f *framework.Framework, ns *v1.Namespace, podClient *v1.Pod, service *v1.Service) {
    1545. 

  1545. 	err := e2epod.WaitForPodCondition(f.ClientSet, ns.Name, podClient.Name, "terminated", framework.PodStartTimeout, func(pod *v1.Pod) (bool, error) {
    1546. 

  1546. 		statuses := pod.Status.ContainerStatuses
    1547. 

  1547. 		if len(statuses) == 0 || statuses[0].State.Terminated == nil {
    1548. 

  1548. 			return false, nil
    1549. 

  1549. 		}
    1550. 

  1550. 		if statuses[0].State.Terminated.ExitCode != 0 {
    1551. 

  1551. 			return true, fmt.Errorf("pod %q container exited with code: %d", podClient.Name, statuses[0].State.Terminated.ExitCode)
    1552. 

  1552. 		}
    1553. 

  1553. 		return true, nil
    1554. 

  1554. 	})
    1555. 

  1555. 	// We expect an error here since it's a cannot connect test.
    1556. 

  1556. 	// Dump debug information if the error was nil.
    1557. 

  1557. 	if err == nil {
    1558. 

  1558. 		pods, policies, logs := collectPodsAndNetworkPolicies(f, podClient)
    1559. 

  1559. 		framework.Failf("Pod %s should not be able to connect to service %s, but was able to connect.\nPod logs:\n%s\n\n Current NetworkPolicies:\n\t%v\n\n Pods:\n\t%v\n\n", podClient.Name, service.Name, logs, policies.Items, pods)
    1560. 

  1560. 

  1561. 		// Dump debug information for the test namespace.
    1562. 

  1562. 		framework.DumpDebugInfo(f.ClientSet, f.Namespace.Name)
    1563. 

  1563. 	}
    1564. 

  1564. }
    1565. 

  1565. 

  1566. func collectPodsAndNetworkPolicies(f *framework.Framework, podClient *v1.Pod) ([]string, *networkingv1.NetworkPolicyList, string) {
    1567. 

  1567. 	// Collect pod logs when we see a failure.
    1568. 

  1568. 	logs, logErr := e2epod.GetPodLogs(f.ClientSet, f.Namespace.Name, podClient.Name, "client")
    1569. 

  1569. 	if logErr != nil {
    1570. 

  1570. 		framework.Failf("Error getting container logs: %s", logErr)
    1571. 

  1571. 	}
    1572. 

  1572. 	// Collect current NetworkPolicies applied in the test namespace.
    1573. 

  1573. 	policies, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).List(context.TODO(), metav1.ListOptions{})
    1574. 

  1574. 	if err != nil {
    1575. 

  1575. 		framework.Logf("error getting current NetworkPolicies for %s namespace: %s", f.Namespace.Name, err)
    1576. 

  1576. 	}
    1577. 

  1577. 	// Collect the list of pods running in the test namespace.
    1578. 

  1578. 	podsInNS, err := e2epod.GetPodsInNamespace(f.ClientSet, f.Namespace.Name, map[string]string{})
    1579. 

  1579. 	if err != nil {
    1580. 

  1580. 		framework.Logf("error getting pods for %s namespace: %s", f.Namespace.Name, err)
    1581. 

  1581. 	}
    1582. 

  1582. 	pods := []string{}
    1583. 

  1583. 	for _, p := range podsInNS {
    1584. 

  1584. 		pods = append(pods, fmt.Sprintf("Pod: %s, Status: %s\n", p.Name, p.Status.String()))
    1585. 

  1585. 	}
    1586. 

  1586. 	return pods, policies, logs
    1587. 

  1587. }
    1588. 

  1588. 

  1589. // Create a server pod with a listening container for each port in ports[].
    1590. 

  1590. // Will also assign a pod label with key: "pod-name" and label set to the given podName for later use by the network
    1591. 

  1591. // policy.
    1592. 

  1592. func createServerPodAndService(f *framework.Framework, namespace *v1.Namespace, podName string, ports []int) (*v1.Pod, *v1.Service) {
    1593. 

  1593. 	// Because we have a variable amount of ports, we'll first loop through and generate our Containers for our pod,
    1594. 

  1594. 	// and ServicePorts.for our Service.
    1595. 

  1595. 	containers := []v1.Container{}
    1596. 

  1596. 	servicePorts := []v1.ServicePort{}
    1597. 

  1597. 	for _, port := range ports {
    1598. 

  1598. 		// Build the containers for the server pod.
    1599. 

  1599. 		containers = append(containers, v1.Container{
    1600. 

  1600. 			Name:  fmt.Sprintf("%s-container-%d", podName, port),
    1601. 

  1601. 			Image: imageutils.GetE2EImage(imageutils.Agnhost),
    1602. 

  1602. 			Args:  []string{"porter"},
    1603. 

  1603. 			Env: []v1.EnvVar{
    1604. 

  1604. 				{
    1605. 

  1605. 					Name:  fmt.Sprintf("SERVE_PORT_%d", port),
    1606. 

  1606. 					Value: "foo",
    1607. 

  1607. 				},
    1608. 

  1608. 			},
    1609. 

  1609. 			Ports: []v1.ContainerPort{
    1610. 

  1610. 				{
    1611. 

  1611. 					ContainerPort: int32(port),
    1612. 

  1612. 					Name:          fmt.Sprintf("serve-%d", port),
    1613. 

  1613. 				},
    1614. 

  1614. 			},
    1615. 

  1615. 			ReadinessProbe: &v1.Probe{
    1616. 

  1616. 				Handler: v1.Handler{
    1617. 

  1617. 					HTTPGet: &v1.HTTPGetAction{
    1618. 

  1618. 						Path: "/",
    1619. 

  1619. 						Port: intstr.IntOrString{
    1620. 

  1620. 							IntVal: int32(port),
    1621. 

  1621. 						},
    1622. 

  1622. 						Scheme: v1.URISchemeHTTP,
    1623. 

  1623. 					},
    1624. 

  1624. 				},
    1625. 

  1625. 			},
    1626. 

  1626. 		})
    1627. 

  1627. 

  1628. 		// Build the Service Ports for the service.
    1629. 

  1629. 		servicePorts = append(servicePorts, v1.ServicePort{
    1630. 

  1630. 			Name:       fmt.Sprintf("%s-%d", podName, port),
    1631. 

  1631. 			Port:       int32(port),
    1632. 

  1632. 			TargetPort: intstr.FromInt(port),
    1633. 

  1633. 		})
    1634. 

  1634. 	}
    1635. 

  1635. 

  1636. 	ginkgo.By(fmt.Sprintf("Creating a server pod %s in namespace %s", podName, namespace.Name))
    1637. 

  1637. 	pod, err := f.ClientSet.CoreV1().Pods(namespace.Name).Create(context.TODO(), &v1.Pod{
    1638. 

  1638. 		ObjectMeta: metav1.ObjectMeta{
    1639. 

  1639. 			GenerateName: podName + "-",
    1640. 

  1640. 			Labels: map[string]string{
    1641. 

  1641. 				"pod-name": podName,
    1642. 

  1642. 			},
    1643. 

  1643. 		},
    1644. 

  1644. 		Spec: v1.PodSpec{
    1645. 

  1645. 			Containers:    containers,
    1646. 

  1646. 			RestartPolicy: v1.RestartPolicyNever,
    1647. 

  1647. 		},
    1648. 

  1648. 	}, metav1.CreateOptions{})
    1649. 

  1649. 	framework.ExpectNoError(err)
    1650. 

  1650. 	framework.Logf("Created pod %v", pod.ObjectMeta.Name)
    1651. 

  1651. 

  1652. 	svcName := fmt.Sprintf("svc-%s", podName)
    1653. 

  1653. 	ginkgo.By(fmt.Sprintf("Creating a service %s for pod %s in namespace %s", svcName, podName, namespace.Name))
    1654. 

  1654. 	svc, err := f.ClientSet.CoreV1().Services(namespace.Name).Create(context.TODO(), &v1.Service{
    1655. 

  1655. 		ObjectMeta: metav1.ObjectMeta{
    1656. 

  1656. 			Name: svcName,
    1657. 

  1657. 		},
    1658. 

  1658. 		Spec: v1.ServiceSpec{
    1659. 

  1659. 			Ports: servicePorts,
    1660. 

  1660. 			Selector: map[string]string{
    1661. 

  1661. 				"pod-name": podName,
    1662. 

  1662. 			},
    1663. 

  1663. 		},
    1664. 

  1664. 	}, metav1.CreateOptions{})
    1665. 

  1665. 	framework.ExpectNoError(err)
    1666. 

  1666. 	framework.Logf("Created service %s", svc.Name)
    1667. 

  1667. 

  1668. 	return pod, svc
    1669. 

  1669. }
    1670. 

  1670. 

  1671. func cleanupServerPodAndService(f *framework.Framework, pod *v1.Pod, service *v1.Service) {
    1672. 

  1672. 	ginkgo.By("Cleaning up the server.")
    1673. 

  1673. 	if err := f.ClientSet.CoreV1().Pods(pod.Namespace).Delete(context.TODO(), pod.Name, nil); err != nil {
    1674. 

  1674. 		framework.Failf("unable to cleanup pod %v: %v", pod.Name, err)
    1675. 

  1675. 	}
    1676. 

  1676. 	ginkgo.By("Cleaning up the server's service.")
    1677. 

  1677. 	if err := f.ClientSet.CoreV1().Services(service.Namespace).Delete(context.TODO(), service.Name, nil); err != nil {
    1678. 

  1678. 		framework.Failf("unable to cleanup svc %v: %v", service.Name, err)
    1679. 

  1679. 	}
    1680. 

  1680. }
    1681. 

  1681. 

  1682. // Create a client pod which will attempt a netcat to the provided service, on the specified port.
    1683. 

  1683. // This client will attempt a one-shot connection, then die, without restarting the pod.
    1684. 

  1684. // Test can then be asserted based on whether the pod quit with an error or not.
    1685. 

  1685. func createNetworkClientPod(f *framework.Framework, namespace *v1.Namespace, podName string, targetService *v1.Service, targetPort int) *v1.Pod {
    1686. 

  1686. 	return createNetworkClientPodWithRestartPolicy(f, namespace, podName, targetService, targetPort, v1.RestartPolicyNever)
    1687. 

  1687. }
    1688. 

  1688. 

  1689. // Create a client pod which will attempt a netcat to the provided service, on the specified port.
    1690. 

  1690. // It is similar to createNetworkClientPod but supports specifying RestartPolicy.
    1691. 

  1691. func createNetworkClientPodWithRestartPolicy(f *framework.Framework, namespace *v1.Namespace, podName string, targetService *v1.Service, targetPort int, restartPolicy v1.RestartPolicy) *v1.Pod {
    1692. 

  1692. 	pod, err := f.ClientSet.CoreV1().Pods(namespace.Name).Create(context.TODO(), &v1.Pod{
    1693. 

  1693. 		ObjectMeta: metav1.ObjectMeta{
    1694. 

  1694. 			GenerateName: podName + "-",
    1695. 

  1695. 			Labels: map[string]string{
    1696. 

  1696. 				"pod-name": podName,
    1697. 

  1697. 			},
    1698. 

  1698. 		},
    1699. 

  1699. 		Spec: v1.PodSpec{
    1700. 

  1700. 			RestartPolicy: restartPolicy,
    1701. 

  1701. 			Containers: []v1.Container{
    1702. 

  1702. 				{
    1703. 

  1703. 					Name:  "client",
    1704. 

  1704. 					Image: imageutils.GetE2EImage(imageutils.BusyBox),
    1705. 

  1705. 					Args: []string{
    1706. 

  1706. 						"/bin/sh",
    1707. 

  1707. 						"-c",
    1708. 

  1708. 						fmt.Sprintf("for i in $(seq 1 5); do nc -vz -w 8 %s.%s %d && exit 0 || sleep 1; done; exit 1",
    1709. 

  1709. 							targetService.Name, targetService.Namespace, targetPort),
    1710. 

  1710. 					},
    1711. 

  1711. 				},
    1712. 

  1712. 			},
    1713. 

  1713. 		},
    1714. 

  1714. 	}, metav1.CreateOptions{})
    1715. 

  1715. 	framework.ExpectNoError(err)
    1716. 

  1716. 

  1717. 	return pod
    1718. 

  1718. }
    1719. 

  1719. 

  1720. // Patch pod with a map value
    1721. 

  1721. func updatePodLabel(f *framework.Framework, namespace *v1.Namespace, podName string, patchOperation string, patchPath string, patchValue map[string]string) *v1.Pod {
    1722. 

  1722. 	type patchMapValue struct {
    1723. 

  1723. 		Op    string            `json:"op"`
    1724. 

  1724. 		Path  string            `json:"path"`
    1725. 

  1725. 		Value map[string]string `json:"value,omitempty"`
    1726. 

  1726. 	}
    1727. 

  1727. 	payload := []patchMapValue{{
    1728. 

  1728. 		Op:    patchOperation,
    1729. 

  1729. 		Path:  patchPath,
    1730. 

  1730. 		Value: patchValue,
    1731. 

  1731. 	}}
    1732. 

  1732. 	payloadBytes, err := json.Marshal(payload)
    1733. 

  1733. 	framework.ExpectNoError(err)
    1734. 

  1734. 

  1735. 	pod, err := f.ClientSet.CoreV1().Pods(namespace.Name).Patch(context.TODO(), podName, types.JSONPatchType, payloadBytes, metav1.PatchOptions{})
    1736. 

  1736. 	framework.ExpectNoError(err)
    1737. 

  1737. 

  1738. 	return pod
    1739. 

  1739. }
    1740. 

  1740. 

  1741. func cleanupNetworkPolicy(f *framework.Framework, policy *networkingv1.NetworkPolicy) {
    1742. 

  1742. 	ginkgo.By("Cleaning up the policy.")
    1743. 

  1743. 	if err := f.ClientSet.NetworkingV1().NetworkPolicies(policy.Namespace).Delete(context.TODO(), policy.Name, nil); err != nil {
    1744. 

  1744. 		framework.Failf("unable to cleanup policy %v: %v", policy.Name, err)
    1745. 

  1745. 	}
    1746. 

  1746. }
    1747. 

  1747.