
Commit e0ddc3b

committed
DNM: network-policies-test
Signed-off-by: Adi Aloni <[email protected]>
1 parent 8dfb5cd commit e0ddc3b


2 files changed

+135
-19
lines changed


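--- a/cluster-sync/sync.sh
+++ b/cluster-sync/sync.sh
@@ -21,8 +21,8 @@ source ./cluster-up/hack/common.sh
 source ./cluster-up/cluster/${KUBEVIRT_PROVIDER}/provider.sh
 
 for i in $(seq 1 ${KUBEVIRT_NUM_NODES}); do
-./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
-./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
+./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo mkdir -p /var/hpvolumes"
+./cluster-up/ssh.sh "node$(printf "%02d" ${i})" "sudo chcon -t container_file_t -R /var/hpvolumes"
 done
 
 registry=${IMAGE_REGISTRY:-localhost:$(_port registry)}
@@ -52,24 +52,24 @@ EOF
 
 retry_counter=0
 while [[ $retry_counter -lt 10 ]] && [ "$observed_version" != "$UPGRADE_FROM" ]; do
-observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
 echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
 retry_counter=$((retry_counter + 1))
-sleep 5
+sleep 5
 done
 if [ $retry_counter -eq 10 ]; then
-echo "Unable to deploy to version $UPGRADE_FROM"
-hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
-echo $hpp_obj
-exit 1
+echo "Unable to deploy to version $UPGRADE_FROM"
+hpp_obj=$(_kubectl get Hostpathprovisioner -o yaml)
+echo $hpp_obj
+exit 1
 fi
 
 fi
 
 if [ ${HPP_NAMESPACE} == "hostpath-provisioner" ]; then
-_kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
+_kubectl apply -f https://raw.githubusercontent.com/kubevirt/hostpath-provisioner-operator/main/deploy/namespace.yaml
 fi
 _kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
 _kubectl wait --for=condition=available -n cert-manager --timeout=120s --all deployments
@@ -107,21 +107,22 @@ volumeBindingMode: Immediate
 EOF
 echo "Waiting for hostpath provisioner to be available"
 _kubectl wait hostpathprovisioners.hostpathprovisioner.kubevirt.io/hostpath-provisioner --for=condition=Available --timeout=480s
+_kubectl apply -f "deploy/tests/network-policies.yaml" -n ${HPP_NAMESPACE}
 
 retry_counter=0
 while [[ $retry_counter -lt 10 ]] && [ "$observed_version" == "$UPGRADE_FROM" ]; do
-observed_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}'`
-target_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}'`
-operator_version=`_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}'`
+observed_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.observedVersion}{"\n"}')
+target_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.targetVersion}{"\n"}')
+operator_version=$(_kubectl get Hostpathprovisioner -o=jsonpath='{.items[*].status.operatorVersion}{"\n"}')
 echo "observedVersion: $observed_version, operatorVersion: $operator_version, targetVersion: $target_version"
 retry_counter=$((retry_counter + 1))
-sleep 5
+sleep 5
 done
 if [ $retry_counter -eq 20 ]; then
-echo "Unable to deploy to latest version"
-hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
-echo $hpp_obj
-exit 1
+echo "Unable to deploy to latest version"
+hpp_obj=$(_kubectl get hostpathprovisioner -o yaml)
+echo $hpp_obj
+exit 1
 fi
 
 function configure_prometheus {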
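Review bot: The failure branch after the second retry loop (last hunk) can never run: the loop stops at `retry_counter -lt 10`, but the check is `if [ $retry_counter -eq 20 ]`, so an upgrade that never leaves `$UPGRADE_FROM` falls through without `exit 1` and the network-policy test would pass on a broken deployment. Since this commit re-indents that branch anyway, make the bound match the loop, `if [ $retry_counter -eq 10 ]; then`, as the first loop already does. On the added line, quote the namespace, `-n "${HPP_NAMESPACE}"`, and note that the policies are applied only after the provisioner is already Available, so the test presumably does not cover a deployment that starts under the deny-all policy. `echo "$hpp_obj"` would also keep the YAML dump readable in both failure branches.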

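--- a/deploy/tests/network-policies.yaml
+++ b/deploy/tests/network-policies.yaml
@@ -0,0 +1,115 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: deny-all-hpp
+spec:
+podSelector: {}
+policyTypes:
+- Ingress
+- Egress
+ingress: []
+egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operator-egress-to-dns
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Egress
+egress:
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+podSelector:
+matchLabels:
+k8s-app: "kube-dns"
+ports:
+- protocol: TCP
+- protocol: UDP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operands-egress-to-dns
+spec:
+podSelector:
+matchLabels:
+k8s-app: hostpath-provisioner
+policyTypes:
+- Egress
+egress:
+- to:
+- namespaceSelector:
+matchLabels:
+kubernetes.io/metadata.name: kube-system
+podSelector:
+matchLabels:
+k8s-app: "kube-dns"
+ports:
+- protocol: TCP
+- protocol: UDP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operator-egress-to-api-server
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Egress
+egress:
+- ports:
+- protocol: TCP
+port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-operands-egress-to-api-server
+spec:
+podSelector:
+matchLabels:
+k8s-app: hostpath-provisioner
+policyTypes:
+- Egress
+egress:
+- ports:
+- protocol: TCP
+port: 6443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-ingress-to-operator-webhook-server
+spec:
+podSelector:
+matchLabels:
+name: hostpath-provisioner-operator
+policyTypes:
+- Ingress
+ingress:
+- ports:
+- protocol: TCP
+port: 9443
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: hpp-allow-ingress-to-metrics
+spec:
+podSelector:
+matchLabels:
+prometheus.hostpathprovisioner.kubevirt.io: "true"
+policyTypes:
+- Ingress
+ingress:
+- ports:
+- port: 8080
+protocol: TCP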
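Review bot: The two DNS egress policies (`hpp-allow-operator-egress-to-dns` and `hpp-allow-operands-egress-to-dns`) list `- protocol: TCP` and `- protocol: UDP` with no `port`, which opens every TCP and UDP port on the kube-dns pods rather than just DNS; add the port the resolver listens on to each entry (`port: 53` on a stock CoreDNS setup). The two API-server egress rules have no `to` peer, so they allow TCP 6443 to any destination, and the webhook (9443) and metrics (8080) ingress rules have no `from`, so any source that can reach the pods may connect. If these manifests are meant to document the minimum traffic the operator needs, either narrow those peers or add a comment above each rule, for example `# no 'to' peer: the API server address differs per cluster`, so the openness reads as deliberate. None of the policies sets `metadata.namespace`, so they take effect only in whatever namespace the caller passes with `-n`; a short header comment saying so would help anyone applying the file by hand.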
