diff --git a/pkg/internal/netpolerrors/netpol_errors.go b/pkg/internal/netpolerrors/netpol_errors.go index c5a53610..f4a409b9 100644 --- a/pkg/internal/netpolerrors/netpol_errors.go +++ b/pkg/internal/netpolerrors/netpol_errors.go @@ -146,10 +146,11 @@ func ConcatErrors(err1, err2 string) string { return err1 + colonSep + err2 } +const PriorityErrExplain = "Two policies are considered to be conflicting if they are assigned the same priority." + // SamePriorityErr returns the error message if a priority appears more than once in different admin-network-policies func SamePriorityErr(name1, name2 string) string { - return "Admin Network Policies: " + name1 + " and " + name2 + " have same priority;" + - "Two policies are considered to be conflicting if they are assigned the same priority." + return "Admin Network Policies: " + name1 + " and " + name2 + " have same priority;" + PriorityErrExplain } // PriorityValueErr returns error message of invalid priority value in an admin-network-policy diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go index 0a98e0fb..f006b81b 100644 --- a/pkg/netpol/connlist/connlist_test.go +++ b/pkg/netpol/connlist/connlist_test.go 
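Review bot: The new exported constant `PriorityErrExplain` has no doc comment, and `SamePriorityErr` still joins it to `" have same priority;"` without a space, so the message reads `...have same priority;Two policies...`. I would add `// PriorityErrExplain explains why two admin network policies with equal priority are rejected.` above the constant and change the literal to `" have same priority; "`. The two policy names are also concatenated unquoted; if they are taken as-is from input manifests (not visible in this hunk), formatting them with `%q`, as `anpRuleErr` does for `anp.Name`, keeps control characters out of the error text.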
@@ -167,6 +167,162 @@ func TestConnlistAnalyzeFatalErrors(t *testing.T) { dirName: "semanticDiff-same-topologies-illegal-podlist", errorStrContains: netpolerrors.NotSupportedPodResourcesErrorStr("demo/cog-agents"), }, + { + name: "Input_dir_has_two_netpols_with_same_name_in_a_namespace_should_return_fatal_error_of_existing_object", + dirName: "np_bad_path_test_1", + errorStrContains: netpolerrors.NPWithSameNameError("default/backend-netpol"), + }, + // anp & banp bad path tests + { + name: "Input_dir_has_two_admin_netpols_with_same_priority_should_return_fatal_error", + dirName: "anp_bad_path_test_1", + errorStrContains: netpolerrors.PriorityErrExplain, + }, + { + name: "Input_dir_has_an_admin_netpol_with_invalid_priority_should_return_fatal_error", + dirName: "anp_bad_path_test_2", + errorStrContains: netpolerrors.PriorityValueErr("invalid-priority", 1001), + }, + { + name: "Input_dir_has_two_admin_netpols_with_same_name_should_return_fatal_error", + dirName: "anp_bad_path_test_3", + errorStrContains: netpolerrors.ANPsWithSameNameErr("same-name"), + }, + { + name: "Input_dir_has_an_admin_netpol_with_empty_subject_should_return_fatal_error", + dirName: "anp_bad_path_test_4", + errorStrContains: netpolerrors.OneFieldSetSubjectErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_invalid_subject_should_return_fatal_error", + dirName: "anp_bad_path_test_5", + errorStrContains: netpolerrors.OneFieldSetSubjectErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_empty_egress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_6", + errorStrContains: netpolerrors.ANPEgressRulePeersErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_egress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_7", + errorStrContains: netpolerrors.OneFieldSetRulePeerErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_egress_rule_port_should_return_fatal_error", + dirName: "anp_bad_path_test_8", + errorStrContains: 
netpolerrors.ANPPortsError, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_egress_rule_action_should_return_fatal_error", + dirName: "anp_bad_path_test_9", + errorStrContains: netpolerrors.UnknownRuleActionErr, + }, + { + name: "Input_dir_has_an_admin_netpol_missing_egress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_10", + errorStrContains: netpolerrors.ANPEgressRulePeersErr, + }, + { + name: "Input_dir_has_an_admin_netpol_missing_egress_rule_action_should_return_fatal_error", + dirName: "anp_bad_path_test_12", + errorStrContains: netpolerrors.UnknownRuleActionErr, + }, + { + name: "Input_dir_has_an_admin_netpol_missing_ingress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_14", + errorStrContains: netpolerrors.ANPIngressRulePeersErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_empty_ingress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_15", + errorStrContains: netpolerrors.ANPIngressRulePeersErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_ingress_rule_peer_should_return_fatal_error", + dirName: "anp_bad_path_test_16", + errorStrContains: netpolerrors.OneFieldSetRulePeerErr, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_ingress_rule_port_should_return_fatal_error", + dirName: "anp_bad_path_test_17", + errorStrContains: netpolerrors.ANPPortsError, + }, + { + name: "Input_dir_has_an_admin_netpol_with_an_invalid_ingress_rule_action_should_return_fatal_error", + dirName: "anp_bad_path_test_18", + errorStrContains: netpolerrors.UnknownRuleActionErr, + }, + { + name: "Input_dir_has_more_than_one_baseline_admin_netpol_should_return_fatal_error", + dirName: "banp_bad_path_test_1", + errorStrContains: netpolerrors.BANPAlreadyExists, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_name_not_default_should_return_fatal_error", + dirName: "banp_bad_path_test_2", + errorStrContains: netpolerrors.BANPNameAssertion, + }, + { + name: 
"Input_dir_has_baseline_admin_netpol_with_empty_subject_should_return_fatal_error", + dirName: "banp_bad_path_test_3", + errorStrContains: netpolerrors.OneFieldSetSubjectErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_invalid_subject_should_return_fatal_error", + dirName: "banp_bad_path_test_4", + errorStrContains: netpolerrors.OneFieldSetSubjectErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_empty_egress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_5", + errorStrContains: netpolerrors.ANPEgressRulePeersErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_missing_egress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_6", + errorStrContains: netpolerrors.ANPEgressRulePeersErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_egress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_7", + errorStrContains: netpolerrors.OneFieldSetRulePeerErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_egress_rule_action_should_return_fatal_error", + dirName: "banp_bad_path_test_8", + errorStrContains: netpolerrors.UnknownRuleActionErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_egress_rule_port_should_return_fatal_error", + dirName: "banp_bad_path_test_9", + errorStrContains: netpolerrors.ANPPortsError, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_missing_ingress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_10", + errorStrContains: netpolerrors.ANPIngressRulePeersErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_empty_ingress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_11", + errorStrContains: netpolerrors.ANPIngressRulePeersErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_ingress_rule_peer_should_return_fatal_error", + dirName: "banp_bad_path_test_12", + errorStrContains: 
netpolerrors.OneFieldSetRulePeerErr, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_ingress_rule_port_should_return_fatal_error", + dirName: "banp_bad_path_test_13", + errorStrContains: netpolerrors.ANPPortsError, + }, + { + name: "Input_dir_has_baseline_admin_netpol_with_an_invalid_ingress_rule_action_should_return_fatal_error", + dirName: "banp_bad_path_test_14", + errorStrContains: netpolerrors.UnknownRuleActionErr, + }, } for _, tt := range cases { tt := tt diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go index e9a7d9c6..96f6a826 100644 --- a/pkg/netpol/eval/internal/k8s/adminnetpol.go +++ b/pkg/netpol/eval/internal/k8s/adminnetpol.go @@ -223,11 +223,11 @@ func onlyOnePortFieldsSet(anpPort apisv1a.AdminNetworkPolicyPort) bool { } // subjectSelectsPeer returns true iff the given subject of the (baseline)adminNetworkPolicy selects the given peer -func subjectSelectsPeer(anpSubject apisv1a.AdminNetworkPolicySubject, p Peer) (bool, error) { +func subjectSelectsPeer(anpSubject apisv1a.AdminNetworkPolicySubject, p Peer, errTitle string) (bool, error) { if (anpSubject.Namespaces == nil) == (anpSubject.Pods == nil) { // (Baseline)AdminNetworkPolicySubject should contain exactly one field // (https://github.com/kubernetes-sigs/network-policy-api/blob/v0.1.5/apis/v1alpha1/shared_types.go#L27)) - return false, errors.New(netpolerrors.OneFieldSetSubjectErr) + return false, errors.New(errTitle + netpolerrors.OneFieldSetSubjectErr) } if anpSubject.Namespaces != nil { return doesNamespacesFieldMatchPeer(anpSubject.Namespaces, p) 
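Review bot: None of the new cases checks the policy-title prefix this commit adds to the subject error. The four `OneFieldSetSubjectErr` cases (`anp_bad_path_test_4`, `anp_bad_path_test_5`, `banp_bad_path_test_3`, `banp_bad_path_test_4`) match only the bare constant, so, assuming `errorStrContains` is a substring check, they would pass without the prefix too. At least one ANP case should expect the full text, for example `errorStrContains: "admin network policy \"<policy-name-from-fixture>\": " + netpolerrors.OneFieldSetSubjectErr`. A short comment on the `anp_bad_path_test_1` case saying why it asserts only `PriorityErrExplain` and not the two policy names, and one on why fixture numbers 11 and 13 are skipped, would save the next reader a search.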
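Review bot: Only the exactly-one-field error receives the new `errTitle` prefix; the error returned by `doesNamespacesFieldMatchPeer(anpSubject.Namespaces, p)` a few lines down is passed back without the policy name. Wrapping once in the callers, e.g. `return false, fmt.Errorf("%s %q: %w", anpErrTitle, anp.Name, err)` in `AdminNetworkPolicy.Selects`, would cover every error path and also avoid the `fmt.Sprintf` that the Selects hunk now runs on calls that succeed. If the parameter stays, the doc comment should say that `errTitle` is prepended verbatim and must carry its own trailing `": "`. The body of `subjectSelectsPeer` continues past the end of the hunk.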
@@ -378,7 +378,8 @@ func (anp *AdminNetworkPolicy) Selects(p Peer, isIngress bool) (bool, error) { return false, nil } // check if the subject selects the given peer - return subjectSelectsPeer(anp.Spec.Subject, p) + errTitle := fmt.Sprintf("%s %q: ", anpErrTitle, anp.Name) + return subjectSelectsPeer(anp.Spec.Subject, p, errTitle) } // adminPolicyAffectsDirection returns whether the anp affects the given direction or not. @@ -392,9 +393,11 @@ func (anp *AdminNetworkPolicy) adminPolicyAffectsDirection(isIngress bool) bool return len(anp.Spec.Egress) > 0 } +const anpErrTitle = "admin network policy" + // anpErr returns string format of an error in a rule in admin netpol func (anp *AdminNetworkPolicy) anpRuleErr(ruleName, description string) error { - return fmt.Errorf("admin network policy %q: %s %q: %s", anp.Name, ruleErrTitle, ruleName, description) + return fmt.Errorf("%s %q: %s %q: %s", anpErrTitle, anp.Name, ruleErrTitle, ruleName, description) } // GetIngressPolicyConns returns the connections from the ingress rules selecting the src in spec of the adminNetworkPolicy diff --git a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go index f8bb577e..a4e99ed8 100644 --- a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go +++ b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go @@ -30,7 +30,7 @@ func (banp *BaselineAdminNetworkPolicy) Selects(p Peer, isIngress bool) (bool, e return false, nil } // check if the subject selects the given peer - return subjectSelectsPeer(banp.Spec.Subject, p) + return subjectSelectsPeer(banp.Spec.Subject, p, banpErrTitle) } // baselineAdminPolicyAffectsDirection returns whether the banp affects the given direction or not. 
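Review bot: `anpErrTitle` is declared without a trailing separator while `banpErrTitle` in baseline_admin_netpol.go ends in `": "`, so two constants that look parallel have to be used differently (`"%s %q: %s %q: %s"` here, `"%s%s %q: %s"` there). Defining both without the separator and adding `": "` at the format site, or at least a one-line comment on each constant stating whether it includes the separator, would prevent a doubled or missing colon when one is reused. The context comment above `anpRuleErr` still begins `// anpErr returns`; `// anpRuleErr returns the error for a rule in an admin network policy` would match the function name.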
@@ -44,9 +44,11 @@ func (banp *BaselineAdminNetworkPolicy) baselineAdminPolicyAffectsDirection(isIn return len(banp.Spec.Egress) > 0 } +const banpErrTitle = "default baseline admin network policy: " + // banpRuleErr returns string format of an err in a rule in baseline-admin netpol func banpRuleErr(ruleName, description string) error { - return fmt.Errorf("default baseline admin network policy: %s %q: %s", ruleErrTitle, ruleName, description) + return fmt.Errorf("%s%s %q: %s", banpErrTitle, ruleErrTitle, ruleName, description) } // GetEgressPolicyConns returns the connections from the egress rules selecting the dst in spec of the baselineAdminNetworkPolicy diff --git a/pkg/netpol/eval/resources.go b/pkg/netpol/eval/resources.go index e30f6f07..d2b46e95 100644 --- a/pkg/netpol/eval/resources.go +++ b/pkg/netpol/eval/resources.go @@ -185,6 +185,9 @@ func (pe *PolicyEngine) addObjectsByKind(objects []parser.K8sObject) error { // since the priority of policies is critical for computing the conns between peers func (pe *PolicyEngine) sortAdminNetpolsByPriority() error { var err error + if len(pe.sortedAdminNetpols) == 1 && !pe.sortedAdminNetpols[0].HasValidPriority() { + return errors.New(netpolerrors.PriorityValueErr(pe.sortedAdminNetpols[0].Name, pe.sortedAdminNetpols[0].Spec.Priority)) + } sort.Slice(pe.sortedAdminNetpols, func(i, j int) bool { // outcome is non-deterministic if there are two AdminNetworkPolicies at the same priority if pe.sortedAdminNetpols[i].Spec.Priority == pe.sortedAdminNetpols[j].Spec.Priority { diff --git a/tests/anp_bad_path_test_1/anps.yaml b/tests/anp_bad_path_test_1/anps.yaml new file mode 100644 index 00000000..3c17816c --- /dev/null +++ b/tests/anp_bad_path_test_1/anps.yaml 
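Review bot: The added guard in `sortAdminNetpolsByPriority` validates the priority only when there is exactly one admin network policy, which suggests the range check for longer lists lives in the `sort.Slice` comparator (its body is cut off by the hunk, so this is inferred). Validation that depends on which pairs the sort compares is easy to break in a later refactor, and an out-of-range priority that slips through changes the precedence used in the connectivity analysis. A plain loop over `pe.sortedAdminNetpols` before the sort checks every policy for any list length and makes the single-element special case unnecessary.

```go
func (pe *PolicyEngine) sortAdminNetpolsByPriority() error {
	var err error
	// validate every priority up front, independent of list length and of the comparator
	for i := range pe.sortedAdminNetpols {
		anp := pe.sortedAdminNetpols[i]
		if !anp.HasValidPriority() {
			return errors.New(netpolerrors.PriorityValueErr(anp.Name, anp.Spec.Priority))
		}
	}
	// … unchanged: sort.Slice with the same-priority check …
```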
@@ -0,0 +1,74 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: priority-50-example
+spec:
+ priority: 50
+ subject:
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "deny-all-ingress-from-slytherin"
+ action: "Deny"
+ from:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+ egress:
+ - name: "deny-all-egress-to-slytherin"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+---
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: same-priority
+spec:
+ priority: 50 # priority error : two ANPs with same priority
+ subject:
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "pass-all-ingress-from-slytherin"
+ action: "Pass"
+ from:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+ egress:
+ - name: "pass-all-egress-to-slytherin"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+---
diff --git a/tests/anp_bad_path_test_1/manifests.yaml b/tests/anp_bad_path_test_1/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_1/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_10/anp.yaml b/tests/anp_bad_path_test_10/anp.yaml new file mode 100644 index 00000000..b13a0f1c --- /dev/null +++ b/tests/anp_bad_path_test_10/anp.yaml 
@@ -0,0 +1,67 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything" # to is missing
+ action: "Allow"
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_10/manifests.yaml b/tests/anp_bad_path_test_10/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_10/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_12/anp.yaml b/tests/anp_bad_path_test_12/anp.yaml new file mode 100644 index 00000000..af2b5154 --- /dev/null +++ b/tests/anp_bad_path_test_12/anp.yaml 
@@ -0,0 +1,71 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything" # error : no action
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_12/manifests.yaml b/tests/anp_bad_path_test_12/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_12/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_14/anp.yaml b/tests/anp_bad_path_test_14/anp.yaml new file mode 100644 index 00000000..8a66ecaf --- /dev/null +++ b/tests/anp_bad_path_test_14/anp.yaml 
@@ -0,0 +1,61 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-udp
+spec:
+ priority: 4
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ingress:
+ - name: "allow-from-ravenclaw-everything" # from is missing from the rule
+ action: "Allow"
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-5353"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "pass-from-slytherin-at-port-5353"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-from-gryffindor-at-port-53"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-from-gryffindor-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_14/manifests.yaml b/tests/anp_bad_path_test_14/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_14/manifests.yaml
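Review bot: The first ingress rule here has no `from` key, while anp_bad_path_test_15/anp.yaml writes `from:` with no value; a bare key is YAML null, so both probably decode to the same empty peer list and reach the same validation branch. If the two directories are meant to cover different inputs, test_15 needs a form that still differs after decoding, or its comment should say the overlap is intended, e.g. `# from is present but null; must be rejected like a missing from`. The expected error strings for these two cases are not visible in this part of the diff, so this is inferred from the fixtures alone.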
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_15/anp.yaml b/tests/anp_bad_path_test_15/anp.yaml new file mode 100644 index 00000000..05579e80 --- /dev/null +++ b/tests/anp_bad_path_test_15/anp.yaml 
@@ -0,0 +1,62 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-udp
+spec:
+ priority: 4
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ingress:
+ - name: "allow-from-ravenclaw-everything" # from is empty
+ action: "Allow"
+ from:
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-5353"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "pass-from-slytherin-at-port-5353"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-from-gryffindor-at-port-53"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-from-gryffindor-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_15/manifests.yaml b/tests/anp_bad_path_test_15/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_15/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_16/anp.yaml b/tests/anp_bad_path_test_16/anp.yaml new file mode 100644 index 00000000..0b57a7cf --- /dev/null +++ b/tests/anp_bad_path_test_16/anp.yaml 
@@ -0,0 +1,69 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-udp
+spec:
+ priority: 4
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ingress:
+ - name: "allow-from-ravenclaw-everything"
+ action: "Allow"
+ from: # from contains two fields
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-5353"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "pass-from-slytherin-at-port-5353"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-from-gryffindor-at-port-53"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-from-gryffindor-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_16/manifests.yaml b/tests/anp_bad_path_test_16/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_16/manifests.yaml
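Review bot: The marker comment `# from contains two fields` sits on the `from:` key, but the invalid input is the single list entry below it, which sets both `namespaces` and `pods`; `from` itself holds one entry. A wording such as `# invalid: this peer sets both namespaces and pods`, placed on the `- namespaces:` line, would point at the exact input the analyzer is expected to reject. The same applies to `# ports contain more than one field` in anp_bad_path_test_17/anp.yaml, where one `ports` entry sets both `portNumber` and `portRange`.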
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_17/anp.yaml b/tests/anp_bad_path_test_17/anp.yaml new file mode 100644 index 00000000..50362d40 --- /dev/null +++ b/tests/anp_bad_path_test_17/anp.yaml 
@@ -0,0 +1,68 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-udp
+spec:
+ priority: 4
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ingress:
+ - name: "allow-from-ravenclaw-everything"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-5353"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports: # ports contain more than one field
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ portRange:
+ start: 1
+ end: 5353
+ - name: "pass-from-slytherin-at-port-5353"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-from-gryffindor-at-port-53"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-from-gryffindor-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_17/manifests.yaml b/tests/anp_bad_path_test_17/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_17/manifests.yaml
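Review bot: In tests/anp_bad_path_test_17/anp.yaml the comment on `ports:` under rule "deny-from-slytherin-at-port-5353" does not say that the entry is deliberately malformed or what is wrong with it, and it departs from the `# error ...` wording the sibling fixtures use. The condition under test appears to be a single port item that sets both `portNumber` and `portRange`, so I would write `ports: # error: one port entry sets both portNumber and portRange`. It is worth spelling out because the ambiguous entry sits on a Deny rule: an analyzer that silently honoured only one of the two fields would report a different set of blocked UDP ports. A one-line header comment naming the expected analyzer error would also tie this file to its case in connlist_test.go, which is not visible in this part of the diff.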
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_18/anp.yaml b/tests/anp_bad_path_test_18/anp.yaml new file mode 100644 index 00000000..13be1c2a --- /dev/null +++ b/tests/anp_bad_path_test_18/anp.yaml 
@@ -0,0 +1,65 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-udp
+spec:
+ priority: 4
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ingress:
+ - name: "allow-from-ravenclaw-everything"
+ action: "Ok" # error : unrecognized action
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-5353"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "pass-from-slytherin-at-port-5353"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-from-gryffindor-at-port-53"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-from-gryffindor-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_18/manifests.yaml b/tests/anp_bad_path_test_18/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_18/manifests.yaml
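Review bot: tests/anp_bad_path_test_18/anp.yaml puts the unrecognized action only on the first ingress rule, so it proves the analyzer rejects a bad action at rule index 0 on the ingress side and nothing more. A rule with an unknown action must fail the whole analysis rather than be skipped or treated as Allow, so a companion case with the bad value on a later rule or on an egress rule would be worth adding, unless a fixture outside this view already covers it. The inline comment could also name the accepted values, e.g. `action: "Ok" # error: unrecognized action (valid: Allow, Deny, Pass)`.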
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"]
+ - name: luna-lovegood-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ - name: luna-lovegood-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ - name: luna-lovegood-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: luna-lovegood-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_2/anps.yaml b/tests/anp_bad_path_test_2/anps.yaml
new file mode 100644
index 00000000..97d9746f
--- /dev/null
+++ b/tests/anp_bad_path_test_2/anps.yaml
@@ -0,0 +1,38 @@
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: invalid-priority
+spec:
+ priority: 1001 # invalid priority
+ subject:
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "pass-all-ingress-from-slytherin"
+ action: "Pass"
+ from:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+ egress:
+ - name: "pass-all-egress-to-slytherin"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+---
diff --git a/tests/anp_bad_path_test_2/manifests.yaml b/tests/anp_bad_path_test_2/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_2/manifests.yaml
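Review bot: In tests/anp_bad_path_test_2/anps.yaml the comment on `priority: 1001` says only "invalid priority" and leaves the reader to know the rule; the AdminNetworkPolicy v1alpha1 API restricts priority to 0-1000, so the comment should read `priority: 1001 # error: priority must be in the range 0-1000`. The fixture exercises only the value just above the upper bound. A negative priority is the other way out of range, and since priority decides which admin policy wins, both bounds deserve a fatal-error case unless one already exists outside this view.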
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_3/anps.yaml b/tests/anp_bad_path_test_3/anps.yaml new file mode 100644 index 00000000..2f3f0be9 --- /dev/null +++ b/tests/anp_bad_path_test_3/anps.yaml 
@@ -0,0 +1,74 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: same-name
+spec:
+ priority: 50
+ subject:
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "deny-all-ingress-from-slytherin"
+ action: "Deny"
+ from:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+ egress:
+ - name: "deny-all-egress-to-slytherin"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+---
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: same-name # error two ANPs with same name
+spec:
+ priority: 40
+ subject:
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "pass-all-ingress-from-slytherin"
+ action: "Pass"
+ from:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+ egress:
+ - name: "pass-all-egress-to-slytherin"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: slytherin
+ podSelector:
+ matchLabels:
+ conformance-house: slytherin
+---
diff --git a/tests/anp_bad_path_test_3/manifests.yaml b/tests/anp_bad_path_test_3/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_3/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_4/anp.yaml b/tests/anp_bad_path_test_4/anp.yaml new file mode 100644 index 00000000..6c605e21 --- /dev/null +++ b/tests/anp_bad_path_test_4/anp.yaml 
@@ -0,0 +1,62 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: ingress-tcp
+spec:
+ priority: 3
+ subject: # subject error : empty subject
+ ingress:
+ - name: "allow-from-ravenclaw-everything"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-ravenclaw-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-from-ravenclaw-everything"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-from-slytherin-at-port-80"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-from-slytherin-at-port-80"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-from-hufflepuff-at-port-80"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_4/manifests.yaml b/tests/anp_bad_path_test_4/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_4/manifests.yaml
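Review bot: The intended defect in tests/anp_bad_path_test_4/anp.yaml is documented only by the trailing comment on `subject:`, while the seven ingress rules that follow look valid and play no part in the failure, so nothing in the file says which error the analyzer must return. A header comment would pin that down, e.g. `# bad-path fixture: empty subject, connlist must fail with netpolerrors.OneFieldSetSubjectErr`, and trimming the rules to one would keep a later edit from introducing a second, unintended defect. The same applies to the anp.yaml fixtures in anp_bad_path_test_5, anp_bad_path_test_6 and anp_bad_path_test_7, each with its own expected error from connlist_test.go. All four files also end without a trailing newline.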
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_5/anp.yaml b/tests/anp_bad_path_test_5/anp.yaml new file mode 100644 index 00000000..8305df69 --- /dev/null +++ b/tests/anp_bad_path_test_5/anp.yaml 
@@ -0,0 +1,79 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-udp
+spec:
+ priority: 7
+ subject: # subject error : contains two fields
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-5353"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "pass-to-slytherin-at-port-5353"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 5353
+ - name: "allow-to-gryffindor-at-port-53"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber:
+ protocol: UDP
+ port: 53
+ - name: "deny-to-gryffindor-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
\ No newline at end of file
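Review bot: The two-field `subject` in this fixture is checked in connlist_test.go against the same `netpolerrors.OneFieldSetSubjectErr` substring as the empty-subject fixture in anp_bad_path_test_4, so a pass does not show that the "more than one field" branch was the one that fired. If decoding ever dropped both selectors, the policy would still be rejected through the empty-subject path and the test would stay green. Distinct messages for the two cases would make the assertion meaningful; the validation code is not part of this hunk, so this is inferred from the test table only. At minimum the comment could spell out the expectation: `# subject error: both namespaces and pods are set; exactly one is required`.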
diff --git a/tests/anp_bad_path_test_5/manifests.yaml b/tests/anp_bad_path_test_5/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_5/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_6/anp.yaml b/tests/anp_bad_path_test_6/anp.yaml new file mode 100644 index 00000000..a76e5066 --- /dev/null +++ b/tests/anp_bad_path_test_6/anp.yaml 
@@ -0,0 +1,68 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to: # error "to" is empty
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_6/manifests.yaml b/tests/anp_bad_path_test_6/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_6/manifests.yaml
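Review bot: The empty-peer case in tests/anp_bad_path_test_6/anp.yaml is exercised only in its null form, `to:` followed by a comment; an explicit empty list, `to: []`, is a different input that a policy author can equally write, and it has no fixture. For an analyzer that reports allowed connections, an Allow rule with no peers should be rejected in both spellings rather than interpreted, and whether the check compares against nil or against length is not visible from this diff. A sibling fixture with `to: []` expecting the same `netpolerrors.ANPEgressRulePeersErr` would cover it.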
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_7/anp.yaml b/tests/anp_bad_path_test_7/anp.yaml new file mode 100644 index 00000000..f01ada52 --- /dev/null +++ b/tests/anp_bad_path_test_7/anp.yaml 
@@ -0,0 +1,75 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to: # error : a rule peer contains more than one field
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_7/manifests.yaml b/tests/anp_bad_path_test_7/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_7/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_8/anp.yaml b/tests/anp_bad_path_test_8/anp.yaml new file mode 100644 index 00000000..58034121 --- /dev/null +++ b/tests/anp_bad_path_test_8/anp.yaml 
@@ -0,0 +1,73 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports: # error a port item contains more than one field
+ - portNumber:
+ protocol: TCP
+ port: 80
+ namedPort: "tcp"
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_8/manifests.yaml b/tests/anp_bad_path_test_8/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_8/manifests.yaml
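Review bot: In `deny-to-slytherin-at-port-80` the error only arises if `namedPort: "tcp"` is a sibling of `portNumber` in the same list item. If it were indented under `portNumber` it would be an unknown field there, and a non-strict decoder would likely drop it and accept the policy. The indentation cannot be checked in this view, so the comment should pin the intent: `ports: # error: one port item sets both portNumber and namedPort`. The test for this directory should assert the port-specific message rather than any parse failure, so that a change in decoding strictness does not let the fixture pass for the wrong reason.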
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/anp_bad_path_test_9/anp.yaml b/tests/anp_bad_path_test_9/anp.yaml new file mode 100644 index 00000000..447c28e6 --- /dev/null +++ b/tests/anp_bad_path_test_9/anp.yaml 
@@ -0,0 +1,72 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: egress-tcp
+spec:
+ priority: 6
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Accept" # undefined action
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "pass-to-ravenclaw-everything"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "pass-to-slytherin-at-port-80"
+ action: "Pass"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/anp_bad_path_test_9/manifests.yaml b/tests/anp_bad_path_test_9/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/anp_bad_path_test_9/manifests.yaml
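Review bot: The rule carrying the invalid action is still named `deny-to-ravenclaw-everything`, so its name contradicts `action: "Accept"`. Rename it, e.g. `- name: "undefined-action-to-ravenclaw"`, or widen the comment to `# error: undefined action; only Allow, Deny and Pass are valid`. An analyzer that reads manifests from disk has no API-server enum validation in front of it, so an unknown action has to end in a fatal error and must not fall through to a default verdict. The test for this directory should assert the action-specific message.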
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_1/banps.yaml b/tests/banp_bad_path_test_1/banps.yaml new file mode 100644 index 00000000..70336f50 --- /dev/null +++ b/tests/banp_bad_path_test_1/banps.yaml 
@@ -0,0 +1,97 @@ +apiVersion: policy.networking.k8s.io/v1alpha1 +kind: BaselineAdminNetworkPolicy +metadata: + name: default +spec: + subject: + namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-ravenclaw + egress: + - name: "allow-to-gryffindor-everything" + action: "Allow" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-gryffindor + - name: "deny-to-gryffindor-everything" + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-gryffindor + - name: "deny-to-slytherin-at-port-9003" + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-slytherin + ports: + - portNumber: + protocol: SCTP + port: 9003 + - name: "allow-to-hufflepuff-at-port-9003" + action: "Allow" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-hufflepuff + ports: + - portNumber: + protocol: SCTP + port: 9003 + - name: "deny-to-hufflepuff-everything-else" + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-hufflepuff +--- +apiVersion: policy.networking.k8s.io/v1alpha1 +kind: BaselineAdminNetworkPolicy # error more than one BANP is defined +metadata: + name: default +spec: + subject: + namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-ravenclaw + egress: + - name: "deny-to-gryffindor-everything" # swapped with allow-to-gryffindor-everything + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-gryffindor + - name: "allow-to-gryffindor-everything" + action: "Allow" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-gryffindor + - name: "deny-to-slytherin-at-port-9003" + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: 
network-policy-conformance-slytherin + ports: + - portNumber: + protocol: SCTP + port: 9003 + - name: "allow-to-hufflepuff-at-port-9003" + action: "Allow" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-hufflepuff + ports: + - portNumber: + protocol: SCTP + port: 9003 + - name: "deny-to-hufflepuff-everything-else" + action: "Deny" + to: + - namespaces: + matchLabels: + kubernetes.io/metadata.name: network-policy-conformance-hufflepuff \ No newline at end of file diff --git a/tests/banp_bad_path_test_1/manifests.yaml b/tests/banp_bad_path_test_1/manifests.yaml new file mode 100644 index 00000000..7ae0d05f --- /dev/null +++ b/tests/banp_bad_path_test_1/manifests.yaml 
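Review bot: The comment on the second document says more than one BANP is defined but not why the input has to be rejected. The two documents list the gryffindor rules in opposite order (see the `swapped with allow-to-gryffindor-everything` comment), and rules are matched in order, so keeping only the first or only the last document would give opposite verdicts for ravenclaw-to-gryffindor egress. Saying so in the fixture, e.g. `# error: second BANP named default; rule order differs, so silently keeping either one changes the result`, documents what the test protects against.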
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_10/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_10/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..4385e1c1 --- /dev/null +++ b/tests/banp_bad_path_test_10/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,44 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ ingress:
+ - name: "allow-from-gryffindor-everything" # from is missing
+ action: "Allow"
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_10/manifests.yaml b/tests/banp_bad_path_test_10/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_10/manifests.yaml
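Review bot: The missing `from` on the first ingress rule of this fixture and the bare `from:` in `tests/banp_bad_path_test_11/banp_core_ingress_sctp_rules.yaml` probably decode to the same nil peer list, so the two fixtures may exercise one validation path rather than two. If an explicitly empty list is meant to be covered as well, test_11 could use `from: []`; otherwise a comment such as `# null from, expected to fail like a missing from` would make the overlap deliberate. The case is worth pinning precisely, because an `Allow` rule with no peers should be rejected rather than read as matching every source.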
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_11/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_11/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..8e4abd84 --- /dev/null +++ b/tests/banp_bad_path_test_11/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,45 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ ingress:
+ - name: "allow-from-gryffindor-everything"
+ action: "Allow"
+ from: # empty from
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_11/manifests.yaml b/tests/banp_bad_path_test_11/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_11/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_12/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_12/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..aaa014b1 --- /dev/null +++ b/tests/banp_bad_path_test_12/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,52 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ ingress:
+ - name: "allow-from-gryffindor-everything"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_12/manifests.yaml b/tests/banp_bad_path_test_12/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_12/manifests.yaml
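Review bot: The first ingress rule's peer appears to set both `namespaces` and `pods`, but unlike the test_10, test_11 and test_14 fixtures nothing marks it as the intentionally invalid part. Add a comment on that peer, e.g. `# invalid: peer sets both namespaces and pods`. The same applies to `tests/banp_bad_path_test_13/banp_core_ingress_sctp_rules.yaml`, where the port entry of `deny-from-slytherin-at-port-9003` seems to carry both `portNumber` and `portRange`; `# invalid: port sets both portNumber and portRange` would do there. Indentation is not recoverable in this view, so the nesting is inferred from the absence of a new list dash before `pods` and `portRange`.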
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_13/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_13/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..b4489d00 --- /dev/null +++ b/tests/banp_bad_path_test_13/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,51 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ ingress:
+ - name: "allow-from-gryffindor-everything"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ portRange:
+ start: 9003
+ end: 9005
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_13/manifests.yaml b/tests/banp_bad_path_test_13/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_13/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_14/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_14/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..6cbace6b --- /dev/null +++ b/tests/banp_bad_path_test_14/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,48 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ ingress:
+ - name: "allow-from-gryffindor-everything"
+ action: "Pass" # pass instead of allow
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_14/manifests.yaml b/tests/banp_bad_path_test_14/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_14/manifests.yaml
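Review bot: The inline marker on the first ingress rule, `# pass instead of allow`, does not say why the value is invalid, and the rule is still named "allow-from-gryffindor-everything". BaselineAdminNetworkPolicy rules accept only Allow and Deny (Pass exists only on AdminNetworkPolicy), so a comment such as `action: "Pass" # invalid: BANP rules accept only Allow or Deny` would tell the next reader which validation this fixture is meant to trip. The same applies to `# to is empty` in tests/banp_bad_path_test_5/banp_core_egress_sctp_rules.yaml, which sits on the rule's name line rather than on the `to:` key it describes.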
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_2/banps.yaml b/tests/banp_bad_path_test_2/banps.yaml new file mode 100644 index 00000000..6acbc5af --- /dev/null +++ b/tests/banp_bad_path_test_2/banps.yaml 
@@ -0,0 +1,49 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: banp-name # error BANP name is not legal should be default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+---
diff --git a/tests/banp_bad_path_test_2/manifests.yaml b/tests/banp_bad_path_test_2/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_2/manifests.yaml
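Review bot: The file ends with a bare `---` after the last egress rule, which opens a second, empty YAML document; the other BANP fixtures in this change end right after the last rule. Whether the loader skips empty documents is not visible here. If the separator is not part of the scenario, I would drop the final `---` line so that the only defect in the fixture is the `metadata.name: banp-name` one named in the comment. A bad-path fixture that can fail for two reasons no longer pins the validation it was written for.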
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_3/banp_core_egress_tcp_rules.yaml b/tests/banp_bad_path_test_3/banp_core_egress_tcp_rules.yaml new file mode 100644 index 00000000..3efac2c7 --- /dev/null +++ b/tests/banp_bad_path_test_3/banp_core_egress_tcp_rules.yaml 
@@ -0,0 +1,45 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject: # subject error : empty
+ egress:
+ - name: "allow-to-ravenclaw-everything"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-ravenclaw-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ - name: "deny-to-slytherin-at-port-80"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 80
+ - name: "allow-to-hufflepuff-at-port-8080"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_3/manifests.yaml b/tests/banp_bad_path_test_3/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_3/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_4/banp_core_ingress_sctp_rules.yaml b/tests/banp_bad_path_test_4/banp_core_ingress_sctp_rules.yaml new file mode 100644 index 00000000..0c4f6b54 --- /dev/null +++ b/tests/banp_bad_path_test_4/banp_core_ingress_sctp_rules.yaml 
@@ -0,0 +1,55 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject: # subject error : contains two fields
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ pods:
+ namespaceSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ podSelector:
+ matchLabels:
+ conformance-house: gryffindor
+ ingress:
+ - name: "allow-from-gryffindor-everything"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-gryffindor-everything"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-from-slytherin-at-port-9003"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-from-hufflepuff-at-port-9003"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-from-hufflepuff-everything-else"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_4/manifests.yaml b/tests/banp_bad_path_test_4/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_4/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_5/banp_core_egress_sctp_rules.yaml b/tests/banp_bad_path_test_5/banp_core_egress_sctp_rules.yaml new file mode 100644 index 00000000..7cb6eb5a --- /dev/null +++ b/tests/banp_bad_path_test_5/banp_core_egress_sctp_rules.yaml 
@@ -0,0 +1,45 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything" # to is empty
+ action: "Allow"
+ to:
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_5/manifests.yaml b/tests/banp_bad_path_test_5/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_5/manifests.yaml
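Review bot: In tests/banp_bad_path_test_5/banp_core_egress_sctp_rules.yaml the first egress rule writes `to:` with no value, which YAML reads as null rather than as an empty list, so after decoding it is probably indistinguishable from the omitted `to` in banp_bad_path_test_6. If an explicitly empty peer list is meant to be a separate case, write `to: []` and change the comment to `# to is an explicitly empty list`. The case itself is worth keeping, since an Allow rule with no peers should be rejected by the analyzer rather than read as matching every destination; the expected error string is not visible in this hunk.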
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_6/banp_core_egress_sctp_rules.yaml b/tests/banp_bad_path_test_6/banp_core_egress_sctp_rules.yaml new file mode 100644 index 00000000..b861c58c --- /dev/null +++ b/tests/banp_bad_path_test_6/banp_core_egress_sctp_rules.yaml 
@@ -0,0 +1,44 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything" # to is missing
+ action: "Allow"
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_6/manifests.yaml b/tests/banp_bad_path_test_6/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_6/manifests.yaml
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_7/banp_core_egress_sctp_rules.yaml b/tests/banp_bad_path_test_7/banp_core_egress_sctp_rules.yaml new file mode 100644 index 00000000..ce2477d5 --- /dev/null +++ b/tests/banp_bad_path_test_7/banp_core_egress_sctp_rules.yaml 
@@ -0,0 +1,52 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything"
+ action: "Allow"
+ to: # to has 2 fields
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ pods:
+ namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_7/manifests.yaml b/tests/banp_bad_path_test_7/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_7/manifests.yaml
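Review bot: The peer marked `# to has 2 fields` in tests/banp_bad_path_test_7/banp_core_egress_sctp_rules.yaml appears to carry a second deviation besides setting both `namespaces` and `pods`: its `pods` entry has a `namespaceSelector` but no `podSelector`. A bad-path fixture is easier to trust when it has exactly one defect, so that the asserted error cannot come from a different check; consider giving `pods` an explicit `podSelector`. The comment would also be more precise as `# peer sets both namespaces and pods; exactly one is allowed`, since `to` is the list and the peer is what has two fields. Indentation is flattened on this page, so the nesting described here is inferred.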
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_8/banp_core_egress_sctp_rules.yaml b/tests/banp_bad_path_test_8/banp_core_egress_sctp_rules.yaml new file mode 100644 index 00000000..28ce9377 --- /dev/null +++ b/tests/banp_bad_path_test_8/banp_core_egress_sctp_rules.yaml 
@@ -0,0 +1,48 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything"
+ action: "Pass" # unrecognized action
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_8/manifests.yaml b/tests/banp_bad_path_test_8/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_8/manifests.yaml
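Review bot: The comment `# unrecognized action` on the first egress rule of tests/banp_bad_path_test_8/banp_core_egress_sctp_rules.yaml undersells what this fixture checks. `Pass` is a valid AdminNetworkPolicy action and is invalid here only because the object is a BaselineAdminNetworkPolicy, which accepts `Allow` and `Deny`. I would reword it to `# Pass is valid for ANP only; BANP accepts Allow or Deny` so a later reader does not take the value for a typo and "correct" the fixture. If the validator treats a wholly unknown string differently from `Pass`, a second fixture would be needed for that branch; that cannot be told from this hunk.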
@@ -0,0 +1,205 @@ +#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8 +# This file contains the base resources that most conformance tests will rely +# on. This includes 4 namespaces along with Server and Client Deployments in +# each of them that can be used as backends and probes for testing traffic. +# Create 4 namespaces +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-gryffindor + labels: + conformance-house: gryffindor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-slytherin + labels: + conformance-house: slytherin +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-hufflepuff + labels: + conformance-house: hufflepuff +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network-policy-conformance-ravenclaw + labels: + conformance-house: ravenclaw +# Create 4 deployments; 2 pods each under these namespaces +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: harry-potter + namespace: network-policy-conformance-gryffindor +spec: + selector: + matchLabels: + conformance-house: gryffindor + replicas: 2 + template: + metadata: + labels: + conformance-house: gryffindor + spec: + containers: + - name: harry-potter-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: harry-potter-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: harry-potter-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: harry-potter-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: harry-potter-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: 
["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: harry-potter-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: harry-potter-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: draco-malfoy + namespace: network-policy-conformance-slytherin +spec: + selector: + matchLabels: + conformance-house: slytherin + replicas: 2 + template: + metadata: + labels: + conformance-house: slytherin + spec: + containers: + - name: draco-malfoy-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: draco-malfoy-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: draco-malfoy-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: draco-malfoy-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: draco-malfoy-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: draco-malfoy-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: draco-malfoy-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: cedric-diggory + namespace: network-policy-conformance-hufflepuff 
+spec: + selector: + matchLabels: + conformance-house: hufflepuff + replicas: 2 + template: + metadata: + labels: + conformance-house: hufflepuff + spec: + containers: + - name: cedric-diggory-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: cedric-diggory-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: cedric-diggory-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"] + - name: cedric-diggory-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: cedric-diggory-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: cedric-diggory-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: cedric-diggory-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: luna-lovegood + namespace: network-policy-conformance-ravenclaw +spec: + selector: + matchLabels: + conformance-house: ravenclaw + replicas: 2 + template: + metadata: + labels: + conformance-house: ravenclaw + spec: + containers: + - name: luna-lovegood-client + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + - name: luna-lovegood-80 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"] + - name: luna-lovegood-8080 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname 
--tcp --http=false --port 8080"] + - name: luna-lovegood-5353 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"] + - name: luna-lovegood-53 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"] + - name: luna-lovegood-9003 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9003 + value: "foo" + - name: luna-lovegood-9005 + image: registry.k8s.io/e2e-test-images/agnhost:2.43 + command: ["/bin/bash", "-c", "/agnhost porter"] + env: + - name: SERVE_SCTP_PORT_9005 + value: "foo" \ No newline at end of file diff --git a/tests/banp_bad_path_test_9/banp_core_egress_sctp_rules.yaml b/tests/banp_bad_path_test_9/banp_core_egress_sctp_rules.yaml new file mode 100644 index 00000000..2e8be447 --- /dev/null +++ b/tests/banp_bad_path_test_9/banp_core_egress_sctp_rules.yaml 
@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+ egress:
+ - name: "allow-to-gryffindor-everything"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ ports:
+ - portNumber: # port contains two fields
+ protocol: UDP
+ port: 53
+ namedPort: dns
+ - name: "deny-to-gryffindor-everything"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+ - name: "deny-to-slytherin-at-port-9003"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-slytherin
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "allow-to-hufflepuff-at-port-9003"
+ action: "Allow"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+ ports:
+ - portNumber:
+ protocol: SCTP
+ port: 9003
+ - name: "deny-to-hufflepuff-everything-else"
+ action: "Deny"
+ to:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
\ No newline at end of file
diff --git a/tests/banp_bad_path_test_9/manifests.yaml b/tests/banp_bad_path_test_9/manifests.yaml
new file mode 100644
index 00000000..7ae0d05f
--- /dev/null
+++ b/tests/banp_bad_path_test_9/manifests.yaml
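Review bot: The only marker of the intentional defect in `banp_core_egress_sctp_rules.yaml` is the inline `# port contains two fields` on the first rule's `portNumber:` entry, while the file name and the rule name `allow-to-gryffindor-everything` still describe what looks like the valid conformance policy it was derived from. A header comment such as `# Intentionally invalid: the first egress rule's port entry sets both portNumber and namedPort, and the analyzer is expected to reject it` would state the expected failure up front. The other four rules do not appear to be needed to trigger that error, so trimming the fixture to the one offending rule would keep the bad-path test from depending on unrelated rules if validation later changes.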
@@ -0,0 +1,205 @@
+#copied from: https://github.com/kundan2707/network-policy-api/blob/f6c1cf24c0488f12c21920d2d9286fe0a380dd76/conformance/base/manifests.yaml#L8
+# This file contains the base resources that most conformance tests will rely
+# on. This includes 4 namespaces along with Server and Client Deployments in
+# each of them that can be used as backends and probes for testing traffic.
+# Create 4 namespaces
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-policy-conformance-gryffindor
+ labels:
+ conformance-house: gryffindor
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-policy-conformance-slytherin
+ labels:
+ conformance-house: slytherin
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-policy-conformance-hufflepuff
+ labels:
+ conformance-house: hufflepuff
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-policy-conformance-ravenclaw
+ labels:
+ conformance-house: ravenclaw
+# Create 4 deployments; 2 pods each under these namespaces
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: harry-potter
+ namespace: network-policy-conformance-gryffindor
+spec:
+ selector:
+ matchLabels:
+ conformance-house: gryffindor
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ conformance-house: gryffindor
+ spec:
+ containers:
+ - name: harry-potter-client
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ - name: harry-potter-80
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ - name: harry-potter-8080
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+ - name: harry-potter-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ - name: harry-potter-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ - name: harry-potter-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: harry-potter-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: draco-malfoy
+ namespace: network-policy-conformance-slytherin
+spec:
+ selector:
+ matchLabels:
+ conformance-house: slytherin
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ conformance-house: slytherin
+ spec:
+ containers:
+ - name: draco-malfoy-client
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ - name: draco-malfoy-80
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ - name: draco-malfoy-8080
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+ - name: draco-malfoy-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ - name: draco-malfoy-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ - name: draco-malfoy-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: draco-malfoy-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: cedric-diggory
+ namespace: network-policy-conformance-hufflepuff
+spec:
+ selector:
+ matchLabels:
+ conformance-house: hufflepuff
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ conformance-house: hufflepuff
+ spec:
+ containers:
+ - name: cedric-diggory-client
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ - name: cedric-diggory-80
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ - name: cedric-diggory-8080
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+ - name: cedric-diggory-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ - name: cedric-diggory-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ - name: cedric-diggory-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: cedric-diggory-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: luna-lovegood
+ namespace: network-policy-conformance-ravenclaw
+spec:
+ selector:
+ matchLabels:
+ conformance-house: ravenclaw
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ conformance-house: ravenclaw
+ spec:
+ containers:
+ - name: luna-lovegood-client
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ - name: luna-lovegood-80
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 80"]
+ - name: luna-lovegood-8080
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --tcp --http=false --port 8080"]
+ - name: luna-lovegood-5353
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 5353"]
+ - name: luna-lovegood-53
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost serve-hostname --udp --http=false --port 53"]
+ - name: luna-lovegood-9003
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9003
+ value: "foo"
+ - name: luna-lovegood-9005
+ image: registry.k8s.io/e2e-test-images/agnhost:2.43
+ command: ["/bin/bash", "-c", "/agnhost porter"]
+ env:
+ - name: SERVE_SCTP_PORT_9005
+ value: "foo"
\ No newline at end of file
diff --git a/tests/np_bad_path_test_1/backend.yaml b/tests/np_bad_path_test_1/backend.yaml
new file mode 100644
index 00000000..3537d90d
--- /dev/null
+++ b/tests/np_bad_path_test_1/backend.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend
+spec:
+ selector:
+ matchLabels:
+ app: backendservice
+ template:
+ metadata:
+ labels:
+ app: backendservice
+ spec:
+ containers:
+ - name: server
+ image: backendservice
+ ports:
+ - containerPort: 9090
+ readinessProbe:
+ initialDelaySeconds: 10
+ httpGet:
+ path: "/_healthz"
+ port: 9090
+ livenessProbe:
+ initialDelaySeconds: 10
+ httpGet:
+ path: "/_healthz"
+ port: 9090
+ env:
+ - name: PORT
+ value: "9090"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backendservice
+spec:
+ type: ClusterIP
+ selector:
+ app: backendservice
+ ports:
+ - name: http
+ port: 9090
+ targetPort: 9090
+
diff --git a/tests/np_bad_path_test_1/netpols.yaml b/tests/np_bad_path_test_1/netpols.yaml
new file mode 100644
index 00000000..474f68b2
--- /dev/null
+++ b/tests/np_bad_path_test_1/netpols.yaml
@@ -0,0 +1,51 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ name: backend-netpol
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ - ports:
+ - port: 9090
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: backendservice
+ policyTypes:
+ - Ingress
+ - Egress
+status: {}
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ creationTimestamp: null
+ name: backend-netpol
+spec:
+ egress:
+ - ports:
+ - port: 9090
+ protocol: TCP
+ to:
+ - podSelector:
+ matchLabels:
+ app: backendservice
+ - ports:
+ - port: 53
+ protocol: UDP
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: frontend
+ policyTypes:
+ - Ingress
+ - Egress
+status: {}
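Review bot: Neither `backend-netpol` document in `netpols.yaml` sets `metadata.namespace`, yet the new case in `connlist_test.go` expects `NPWithSameNameError("default/backend-netpol")`, so the fixture relies on the analyzer defaulting a missing namespace to `default`. Adding `namespace: default` under both `metadata:` blocks would pin the namespace the error message names and keep this test about the duplicate name only. The second policy selects `app: frontend` while carrying the backend name, which reads like a copy mistake rather than a deliberate collision. A comment above it such as `# same name as the policy above on purpose: duplicate-name bad-path fixture` would make the intent clear to whoever edits this directory next.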