
Commit 2429bee

committed
DNM: network-policies-test
Signed-off-by: Adi Aloni <[email protected]>
1 parent 8dfb5cd commit 2429bee


2 files changed

+125
-19
lines changed


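--- a/cluster-sync/sync.sh
+++ b/cluster-sync/sync.sh
@@ -21,8 +21,8 @@ source ./cluster-up/hack/common.sh
 source ./cluster-up/cluster/${KUBEVIRT_PROVIDER}/provider.sh
 
 for i in $(seq 1 ${KUBEVIRT_NUM_NODES}); do
-./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
-./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
+./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
+./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
 done
 
 registry=${IMAGE_REGISTRY:-localhost:$(_port registry)}
@@ -52,24 +52,24 @@ EOF
 
 retry_counter=0
 while [[ $retry_counter -lt 10 ]] && [ "$observed_version" != "$UPGRADE_FROM" ]; do
-observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
 echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
 retry_counter=$((retry_counter + 1))
-sleep 5
+sleep 5
 done
 if [ $retry_counter -eq 10 ]; then
-echo "Unable to deploy to version $UPGRADE_FROM"
-hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
-echo $hpp_obj
-exit 1
+echo "Unable to deploy to version $UPGRADE_FROM"
+hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
+echo $hpp_obj
+exit 1
 fi
 
 fi
 
 if [ ${HPP_NAMESPACE} == "hostpath-provisioner" ]; then
-_kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
+_kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
 fi
 _kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
 _kubectl wait --for=condition=available -n cert-manager --timeout=120s --all deployments
@@ -107,21 +107,22 @@ volumeBindingMode: Immediate
 EOF
 echo "Waiting for hostpath provisioner to be available"
 _kubectl wait hostpathprovisioners.hostpathprovisioner.kubevirt.io/hostpath-provisioner --for=condition=Available --timeout=480s
+#_kubectl apply -f "deploy/tests/network-policies.yaml" -n ${HPP_NAMESPACE}
 
 retry_counter=0
 while [[ $retry_counter -lt 10 ]] && [ "$observed_version" == "$UPGRADE_FROM" ]; do
-observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
 echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
 retry_counter=$((retry_counter + 1))
-sleep 5
+sleep 5
 done
 if [ $retry_counter -eq 20 ]; then
-echo "Unable to deploy to latest version"
-hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
-echo $hpp_obj
-exit 1
+echo "Unable to deploy to latest version"
+hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
+echo $hpp_obj
+exit 1
 fi
 
 function configure_prometheus {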
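Review bot: The failure check after the second retry loop (new line 121, `if [ $retry_counter -eq 20 ]; then`) can never be true, because the loop above it stops once `retry_counter` reaches 10, so an upgrade that never leaves `$UPGRADE_FROM` falls through without `exit 1`. Testing the loop's own exit condition is more robust than comparing the counter: `if [ "$observed_version" == "$UPGRADE_FROM" ]; then`. The new side also still applies `namespace.yaml` from the mutable `main` branch while cert-manager is fetched by release tag; pinning that URL to a tag or commit would keep the manifest applied to the cluster fixed and reviewable. The blocks enclosing these lines start outside the visible hunks.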

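--- a/deploy/tests/network-policies.yaml
+++ b/deploy/tests/network-policies.yaml
@@ -0,0 +1,105 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: deny-all-hpp
+spec:
+podSelector: {}
+policyTypes:
+- Ingress
+- Egress
+ingress: []
+egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operator-egress-to-dns
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Egress
+egress:
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+podSelector:
+matchLabels:
+k8s-app: "kube-dns"
+ports:
+- protocol: TCP
+- protocol: UDP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operator-egress-to-api-server
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Egress
+egress:
+- ports:
+- protocol: TCP
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+podSelector:
+matchLabels:
+component: "kube-apiserver"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-ingress-to-operator-webhook-server
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Ingress
+ingress:
+- ports:
+- protocol: TCP
+port: 9443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operands-egress-to-api-server
+spec:
+podSelector:
+matchLabels:
+k8s-app: hostpath-provisioner
+policyTypes:
+- Egress
+egress:
+- ports:
+- protocol: TCP
+to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+podSelector:
+matchLabels:
+component: "kube-apiserver"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-ingress-to-metrics
+spec:
+podSelector:
+matchLabels:
+prometheus.hostpathprovisioner.kubevirt.io: "true"
+policyTypes:
+- Ingress
+ingress:
+- ports:
+- port: 8080
+protocol: TCP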
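Review bot: The three egress rules that carry only `- protocol: TCP` / `- protocol: UDP` (new lines 31-33, 46-47 and 82-83) name no port, so they allow every port on the selected kube-dns and kube-apiserver pods rather than only the service port. Add the port to each entry, for example `port: 53` under both DNS protocols, and the API server's serving port for this cluster under the other two. The `component: "kube-apiserver"` pod selector is also worth verifying on the target CNI: if the API server runs on the host network, a pod-selector peer may not match it, and an `ipBlock` peer would be needed instead. The `hpp-allow-ingress-to-metrics` rule has no `from`, so port 8080 is reachable from any source; a namespace selector for the monitoring namespace would narrow it.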
