From 5dc54def33d179b6c0b72a5c538409256b8ba303 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Dulko?= Date: Tue, 21 Jul 2020 13:55:06 +0200 Subject: [PATCH] Adapt NP tests to new CRD format This commit adapts network policy tests to new KuryrNetworkPolicy CRD format. This includes splitting TestNetworkPolicy class into two versions and a bit of refactoring to allow that. Change-Id: Id303620090df194297e16384d3522c3e3bb2ca58 --- kuryr_tempest_plugin/config.py | 3 + kuryr_tempest_plugin/tests/scenario/base.py | 8 - .../tests/scenario/base_network_policy.py | 376 ++++++++++++++++ .../tests/scenario/test_network_policy.py | 411 ++---------------- 4 files changed, 420 insertions(+), 378 deletions(-) create mode 100644 kuryr_tempest_plugin/tests/scenario/base_network_policy.py diff --git a/kuryr_tempest_plugin/config.py b/kuryr_tempest_plugin/config.py index 48b5b25e..5f64c0e9 100644 --- a/kuryr_tempest_plugin/config.py +++ b/kuryr_tempest_plugin/config.py @@ -75,6 +75,9 @@ kuryr_k8s_opts = [ "CRDs should be validated"), cfg.BoolOpt("kuryrnetworks", default=False, help="Whether or not " "kuryrnetworks CRDs are used"), + cfg.BoolOpt("new_kuryrnetworkpolicy_crd", default=False, + help="Whether or not KuryrNetworkPolicy CRDs are used instead " + "of KuryrNetPolicy"), cfg.BoolOpt("configmap_modifiable", default=False, help="Whether config " "map can be changed"), cfg.StrOpt("controller_label", default="name=kuryr-controller", diff --git a/kuryr_tempest_plugin/tests/scenario/base.py b/kuryr_tempest_plugin/tests/scenario/base.py index ccc4d8f6..fc6ce8a7 100644 --- a/kuryr_tempest_plugin/tests/scenario/base.py +++ b/kuryr_tempest_plugin/tests/scenario/base.py @@ -44,7 +44,6 @@ KURYR_CRD_VERSION = 'v1' KURYR_NET_CRD_PLURAL = 'kuryrnets' KURYR_NETWORK_CRD_PLURAL = 'kuryrnetworks' KURYR_PORT_CRD_PLURAL = 'kuryrports' -KURYR_NET_POLICY_CRD_PLURAL = 'kuryrnetpolicies' K8S_ANNOTATION_PREFIX = 'openstack.org/kuryr' K8S_ANNOTATION_LBAAS_STATE = K8S_ANNOTATION_PREFIX + '-lbaas-state' K8S_ANNOTATION_LBAAS_RT_STATE = K8S_ANNOTATION_PREFIX + '-lbaas-route-state' @@ -679,13 +678,6 @@ class BaseKuryrScenarioTest(manager.NetworkScenarioTest): namespace=namespace, plural=KURYR_NETWORK_CRD_PLURAL, name=namespace) - @classmethod - def get_kuryr_netpolicy_crds(cls, name, namespace='default', **kwargs): - return cls.k8s_client.CustomObjectsApi().get_namespaced_custom_object( - group=KURYR_CRD_GROUP, version=KURYR_CRD_VERSION, - namespace=namespace, plural=KURYR_NET_POLICY_CRD_PLURAL, - name=name, **kwargs) - def get_pod_list(self, namespace='default', label_selector=''): return self.k8s_client.CoreV1Api().list_namespaced_pod( namespace=namespace, label_selector=label_selector).items diff --git a/kuryr_tempest_plugin/tests/scenario/base_network_policy.py b/kuryr_tempest_plugin/tests/scenario/base_network_policy.py new file mode 100644 index 00000000..d8bfa3fa --- /dev/null +++ b/kuryr_tempest_plugin/tests/scenario/base_network_policy.py @@ -0,0 +1,376 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import kubernetes +import time + +import netaddr +from oslo_log import log as logging +from tempest import config +from tempest.lib import decorators +from tempest.lib import exceptions as lib_exc + +from kuryr_tempest_plugin.tests.scenario import base +from kuryr_tempest_plugin.tests.scenario import consts + +LOG = logging.getLogger(__name__) +CONF = config.CONF + +TIMEOUT_PERIOD = 120 + + +class TestNetworkPolicyScenario(base.BaseKuryrScenarioTest): + + @classmethod + def skip_checks(cls): + super(TestNetworkPolicyScenario, cls).skip_checks() + if not CONF.kuryr_kubernetes.network_policy_enabled: + raise cls.skipException('Network Policy driver and handler must ' + 'be enabled to run this tests') + + @decorators.idempotent_id('a9db5bc5-e921-4719-8201-5431537c86f8') + @decorators.unstable_test(bug="1860554") + def test_ipblock_network_policy_sg_rules(self): + ingress_ipblock = "5.5.5.0/24" + egress_ipblock = "4.4.4.0/24" + namespace_name, namespace = self.create_namespace() + self.addCleanup(self.delete_namespace, namespace_name) + np = self.create_network_policy(namespace=namespace_name, + ingress_ipblock_cidr=ingress_ipblock, + egress_ipblock_cidr=egress_ipblock, + ingress_port=2500) + LOG.debug("Creating network policy %s", np) + self.addCleanup(self.delete_network_policy, np.metadata.name, + namespace_name) + network_policy_name = np.metadata.name + sg_id = None + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + sg_id, _ = self.get_np_crd_info(network_policy_name, + namespace=namespace_name) + if sg_id: + break + except kubernetes.client.rest.ApiException: + continue + self.assertIsNotNone(sg_id) + sec_group_rules = self.list_security_group_rules(sg_id) + ingress_block_found, egress_block_found = False, False + for rule in sec_group_rules: + if (rule['direction'] == 'ingress' and + rule['remote_ip_prefix'] == ingress_ipblock): + ingress_block_found = True + if (rule['direction'] == 'egress' and + rule['remote_ip_prefix'] == egress_ipblock): + egress_block_found = True + self.assertTrue(ingress_block_found) + self.assertTrue(egress_block_found) + + @decorators.idempotent_id('a9db5bc5-e921-4819-8301-5431437c76f8') + def test_ipblock_network_policy_allow_except(self): + namespace_name, namespace = self.create_namespace() + self.addCleanup(self.delete_namespace, namespace_name) + if CONF.kuryr_kubernetes.kuryrnetworks: + cidr = self.get_kuryr_network_crds( + namespace_name)['status']['subnetCIDR'] + else: + crd_name = 'ns-' + namespace_name + cidr = self.get_kuryr_net_crds( + crd_name)['spec']['subnetCIDR'] + + ipn = netaddr.IPNetwork(cidr) + max_prefixlen = "/32" + curl_tmpl = "curl {}{}" + if ipn.version == 6: + max_prefixlen = "/128" + curl_tmpl = "curl [{}]{}" + + allow_all_cidr = cidr + pod_ip_list = [] + pod_name_list = [] + cmd_list = [] + + for i in range(4): + pod_name, pod = self.create_pod(namespace=namespace_name) + self.addCleanup(self.delete_pod, pod_name, pod, + namespace=namespace_name) + pod_name_list.append(pod_name) + pod_ip = self.get_pod_ip(pod_name, namespace=namespace_name) + pod_ip_list.append(pod_ip) + cmd = ["/bin/sh", "-c", curl_tmpl.format(pod_ip_list[i], ':8080')] + cmd_list.append(cmd) + + # Check connectivity from pod4 to other pods before creating NP + for i in range(3): + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[3], cmd_list[i], namespace=namespace_name)) + # Check connectivity from pod1 to pod4 before creating NP + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[0], cmd_list[3], namespace=namespace_name)) + + # Create NP allowing all besides first pod on ingress + # and second pod on egress + np = self.create_network_policy( + namespace=namespace_name, ingress_ipblock_cidr=allow_all_cidr, + ingress_ipblock_except=[pod_ip_list[0] + max_prefixlen], + egress_ipblock_cidr=allow_all_cidr, + egress_ipblock_except=[pod_ip_list[1] + max_prefixlen]) + + LOG.debug("Creating network policy %s", np) + network_policy_name = np.metadata.name + + sg_id = None + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + sg_id, _ = self.get_np_crd_info(network_policy_name, + namespace=namespace_name) + if sg_id: + break + except kubernetes.client.rest.ApiException: + continue + if not sg_id: + msg = ('Timed out waiting for knp %s creation' % + network_policy_name) + raise lib_exc.TimeoutException(msg) + + # Wait for network policy to be created + time.sleep(consts.TIME_TO_APPLY_SGS) + + # Check that http connection from pod1 to pod4 is blocked + # after creating NP + self.assertNotIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[0], cmd_list[3], namespace=namespace_name)) + + # Check that http connection from pod4 to pod2 is blocked + # after creating NP + self.assertNotIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[3], cmd_list[1], namespace=namespace_name)) + + # Check that http connection from pod4 to pod1 is not blocked + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[3], cmd_list[0], namespace=namespace_name)) + + # Check that there is still http connection to pod3 + # from pod4 as it's not blocked by IPblock rules + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[3], cmd_list[2], namespace=namespace_name)) + + # Delete network policy and check that there is still http connection + # between pods + self.delete_network_policy(np.metadata.name, namespace_name) + + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + self.get_np_crd_info(network_policy_name, + namespace=namespace_name) + except kubernetes.client.rest.ApiException as e: + if e.status == 404: + break + else: + continue + else: + msg = ('Timed out waiting for knp %s deletion' % + network_policy_name) + raise lib_exc.TimeoutException(msg) + + for i in range(3): + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[3], cmd_list[i], namespace=namespace_name)) + for i in range(1, 4): + self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( + pod_name_list[0], cmd_list[i], namespace=namespace_name)) + + @decorators.idempotent_id('24577a9b-1d29-409b-8b60-da3b49d776b1') + def test_create_delete_network_policy(self): + np = self.create_network_policy() + LOG.debug("Creating network policy %s" % np) + network_policy_name = np.metadata.name + network_policies = self.list_network_policies() + sg_id = None + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + sg_id, _ = self.get_np_crd_info(network_policy_name) + if sg_id: + break + except kubernetes.client.rest.ApiException: + continue + self.assertIsNotNone(sg_id) + sgs = self.list_security_groups(fields='id') + sg_ids = [sg['id'] for sg in sgs] + self.assertIn(network_policy_name, network_policies) + self.assertIn(sg_id, sg_ids) + self.delete_network_policy(network_policy_name) + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + time.sleep(1) + if network_policy_name in self.list_network_policies(): + continue + try: + self.get_np_crd_info(network_policy_name) + except kubernetes.client.rest.ApiException: + break + sgs_after = self.list_security_groups(fields='id') + sg_ids_after = [sg['id'] for sg in sgs_after] + self.assertNotIn(sg_id, sg_ids_after) + + @decorators.idempotent_id('44daf8fe-6a4b-4ca9-8685-97fb1f573e5e') + def test_update_network_policy(self): + """Update a Network Policy with a new pod selector + + This method creates a Network Policy with a specific pod selector + and updates it with a new pod selector. The CRD should always have + the same pod selector as the Policy. + """ + + match_labels = {'app': 'demo'} + np = self.create_network_policy(match_labels=match_labels) + self.addCleanup(self.delete_network_policy, np.metadata.name) + network_policy_name = np.metadata.name + crd_pod_selector = None + + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + _, crd_pod_selector = self.get_np_crd_info(network_policy_name) + if crd_pod_selector: + break + except kubernetes.client.rest.ApiException: + continue + + self.assertIsNotNone(crd_pod_selector) + self.assertEqual(crd_pod_selector.get('matchLabels'), match_labels) + + label_key = 'context' + match_labels = {label_key: 'demo'} + np = self.read_network_policy(np) + np.spec.pod_selector.match_labels = match_labels + np = self.update_network_policy(np) + + labels = {} + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + _, crd_pod_selector = self.get_np_crd_info(network_policy_name) + labels = crd_pod_selector.get('matchLabels') + if labels.get(label_key): + break + except kubernetes.client.rest.ApiException: + continue + + if not labels.get(label_key): + raise lib_exc.TimeoutException() + + self.assertEqual(labels, match_labels) + + @decorators.idempotent_id('24577a9b-1d29-409b-8b60-da3c49d777c2') + def test_delete_namespace_with_network_policy(self): + ns_name, ns = self.create_namespace() + match_labels = {'role': 'db'} + np = self.create_network_policy(match_labels=match_labels, + namespace=ns_name) + LOG.debug("Creating network policy %s" % np) + network_policy_name = np.metadata.name + network_policies = self.list_network_policies(namespace=ns_name) + sg_id = None + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + sg_id, _ = self.get_np_crd_info(network_policy_name, + namespace=ns_name) + if sg_id: + break + except kubernetes.client.rest.ApiException: + continue + sgs = self.list_security_groups(fields='id') + sg_ids = [sg['id'] for sg in sgs] + self.assertIn(network_policy_name, network_policies) + self.assertIn(sg_id, sg_ids) + + # delete namespace + self.delete_namespace(ns_name) + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + time.sleep(1) + if network_policy_name in self.list_network_policies( + namespace=ns_name): + continue + try: + self.get_np_crd_info(network_policy_name, namespace=ns_name) + except kubernetes.client.rest.ApiException: + break + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + sgs_after = self.list_security_groups(fields='id') + sg_ids_after = [sg['id'] for sg in sgs_after] + if sg_id not in sg_ids_after: + break + time.sleep(1) + if time.time() - start >= TIMEOUT_PERIOD: + raise lib_exc.TimeoutException('Sec group ID still exists') + + @decorators.idempotent_id('24577a9b-1d46-419b-8b60-da3c49d777c3') + def test_create_delete_network_policy_non_default_ns(self): + ns_name, ns = self.create_namespace() + self.addCleanup(self.delete_namespace, ns_name) + match_labels = {'role': 'db'} + np = self.create_network_policy(match_labels=match_labels, + namespace=ns_name) + LOG.debug("Creating network policy %s" % np) + network_policy_name = np.metadata.name + network_policies = self.list_network_policies(namespace=ns_name) + sg_id = None + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + try: + time.sleep(1) + sg_id, _ = self.get_np_crd_info(network_policy_name, + namespace=ns_name) + if sg_id: + break + except kubernetes.client.rest.ApiException: + continue + sgs = self.list_security_groups(fields='id') + sg_ids = [sg['id'] for sg in sgs] + self.assertIn(network_policy_name, network_policies) + self.assertIn(sg_id, sg_ids) + self.delete_network_policy(network_policy_name, namespace=ns_name) + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + time.sleep(1) + if network_policy_name in self.list_network_policies( + namespace=ns_name): + continue + try: + self.get_np_crd_info(network_policy_name, namespace=ns_name) + except kubernetes.client.rest.ApiException: + break + start = time.time() + while time.time() - start < TIMEOUT_PERIOD: + sgs_after = self.list_security_groups(fields='id') + sg_ids_after = [sg['id'] for sg in sgs_after] + if sg_id not in sg_ids_after: + break + time.sleep(1) + if time.time() - start >= TIMEOUT_PERIOD: + raise lib_exc.TimeoutException('Sec group ID still exists') diff --git a/kuryr_tempest_plugin/tests/scenario/test_network_policy.py b/kuryr_tempest_plugin/tests/scenario/test_network_policy.py index 8b564995..d01860b3 100644 --- a/kuryr_tempest_plugin/tests/scenario/test_network_policy.py +++ b/kuryr_tempest_plugin/tests/scenario/test_network_policy.py @@ -13,390 +13,32 @@ # limitations under the License. import json -import kubernetes -import time -import netaddr +import kubernetes + from oslo_log import log as logging from tempest import config from tempest.lib import decorators -from tempest.lib import exceptions as lib_exc from kuryr_tempest_plugin.tests.scenario import base -from kuryr_tempest_plugin.tests.scenario import consts +from kuryr_tempest_plugin.tests.scenario import base_network_policy as base_np LOG = logging.getLogger(__name__) CONF = config.CONF TIMEOUT_PERIOD = 120 +KURYR_NET_POLICY_CRD_PLURAL = 'kuryrnetpolicies' +KURYR_NETWORK_POLICY_CRD_PLURAL = 'kuryrnetworkpolicies' -class TestNetworkPolicyScenario(base.BaseKuryrScenarioTest): +class OldNetworkPolicyScenario(base_np.TestNetworkPolicyScenario): @classmethod def skip_checks(cls): - super(TestNetworkPolicyScenario, cls).skip_checks() - if not CONF.kuryr_kubernetes.network_policy_enabled: - raise cls.skipException('Network Policy driver and handler must ' - 'be enabled to run this tests') - - @decorators.idempotent_id('a9db5bc5-e921-4719-8201-5431537c86f8') - @decorators.unstable_test(bug="1860554") - def test_ipblock_network_policy_sg_rules(self): - ingress_ipblock = "5.5.5.0/24" - egress_ipblock = "4.4.4.0/24" - namespace_name, namespace = self.create_namespace() - self.addCleanup(self.delete_namespace, namespace_name) - np = self.create_network_policy(namespace=namespace_name, - ingress_ipblock_cidr=ingress_ipblock, - egress_ipblock_cidr=egress_ipblock, - ingress_port=2500) - LOG.debug("Creating network policy %s", np) - self.addCleanup(self.delete_network_policy, np.metadata.name, - namespace_name) - network_policy_name = np.metadata.name - kuryr_netpolicy_crd_name = 'np-' + network_policy_name - kuryrnetpolicies = None - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - kuryrnetpolicies = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name, - namespace=namespace_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - self.assertIsNotNone(kuryrnetpolicies) - sg_id = kuryrnetpolicies['spec']['securityGroupId'] - sec_group_rules = self.list_security_group_rules(sg_id) - ingress_block_found, egress_block_found = False, False - for rule in sec_group_rules: - if (rule['direction'] == 'ingress' and - rule['remote_ip_prefix'] == ingress_ipblock): - ingress_block_found = True - if (rule['direction'] == 'egress' and - rule['remote_ip_prefix'] == egress_ipblock): - egress_block_found = True - self.assertTrue(ingress_block_found) - self.assertTrue(egress_block_found) - - @decorators.idempotent_id('a9db5bc5-e921-4819-8301-5431437c76f8') - def test_ipblock_network_policy_allow_except(self): - namespace_name, namespace = self.create_namespace() - self.addCleanup(self.delete_namespace, namespace_name) - if CONF.kuryr_kubernetes.kuryrnetworks: - cidr = self.get_kuryr_network_crds( - namespace_name)['status']['subnetCIDR'] - else: - crd_name = 'ns-' + namespace_name - cidr = self.get_kuryr_net_crds( - crd_name)['spec']['subnetCIDR'] - - ipn = netaddr.IPNetwork(cidr) - max_prefixlen = "/32" - curl_tmpl = "curl {}{}" - if ipn.version == 6: - max_prefixlen = "/128" - curl_tmpl = "curl [{}]{}" - - allow_all_cidr = cidr - pod_ip_list = [] - pod_name_list = [] - cmd_list = [] - - for i in range(4): - pod_name, pod = self.create_pod(namespace=namespace_name) - self.addCleanup(self.delete_pod, pod_name, pod, - namespace=namespace_name) - pod_name_list.append(pod_name) - pod_ip = self.get_pod_ip(pod_name, namespace=namespace_name) - pod_ip_list.append(pod_ip) - cmd = ["/bin/sh", "-c", curl_tmpl.format(pod_ip_list[i], ':8080')] - cmd_list.append(cmd) - - # Check connectivity from pod4 to other pods before creating NP - for i in range(3): - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[3], cmd_list[i], namespace=namespace_name)) - # Check connectivity from pod1 to pod4 before creating NP - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[0], cmd_list[3], namespace=namespace_name)) - - # Create NP allowing all besides first pod on ingress - # and second pod on egress - np = self.create_network_policy( - namespace=namespace_name, ingress_ipblock_cidr=allow_all_cidr, - ingress_ipblock_except=[pod_ip_list[0] + max_prefixlen], - egress_ipblock_cidr=allow_all_cidr, - egress_ipblock_except=[pod_ip_list[1] + max_prefixlen]) - - LOG.debug("Creating network policy %s", np) - network_policy_name = np.metadata.name - netpolicy_crd_name = 'np-' + network_policy_name - - knp = None - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - knp = self.get_kuryr_netpolicy_crds( - name=netpolicy_crd_name, namespace=namespace_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - if not knp: - msg = ('Timed out waiting for knp %s creation' % - netpolicy_crd_name) - raise lib_exc.TimeoutException(msg) - - # Wait for network policy to be created - time.sleep(consts.TIME_TO_APPLY_SGS) - - # Check that http connection from pod1 to pod4 is blocked - # after creating NP - self.assertNotIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[0], cmd_list[3], namespace=namespace_name)) - - # Check that http connection from pod4 to pod2 is blocked - # after creating NP - self.assertNotIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[3], cmd_list[1], namespace=namespace_name)) - - # Check that http connection from pod4 to pod1 is not blocked - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[3], cmd_list[0], namespace=namespace_name)) - - # Check that there is still http connection to pod3 - # from pod4 as it's not blocked by IPblock rules - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[3], cmd_list[2], namespace=namespace_name)) - - # Delete network policy and check that there is still http connection - # between pods - knp_exist = True - self.delete_network_policy(np.metadata.name, namespace_name) - - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - time.sleep(1) - self.get_kuryr_netpolicy_crds( - name=netpolicy_crd_name, namespace=namespace_name) - except kubernetes.client.rest.ApiException as e: - if e.status == 404: - knp_exist = False - break - else: - continue - if knp_exist: - msg = ('Timed out waiting for knp %s deletion' % - netpolicy_crd_name) - raise lib_exc.TimeoutException(msg) - - for i in range(3): - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[3], cmd_list[i], namespace=namespace_name)) - for i in range(1, 4): - self.assertIn(consts.POD_OUTPUT, self.exec_command_in_pod( - pod_name_list[0], cmd_list[i], namespace=namespace_name)) - - @decorators.idempotent_id('24577a9b-1d29-409b-8b60-da3b49d776b1') - def test_create_delete_network_policy(self): - np = self.create_network_policy() - LOG.debug("Creating network policy %s" % np) - network_policy_name = np.metadata.name - kuryr_netpolicy_crd_name = 'np-' + network_policy_name - network_policies = self.list_network_policies() - kuryrnetpolicies = '' - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - kuryrnetpolicies = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - sg_id = kuryrnetpolicies['spec']['securityGroupId'] - sgs = self.list_security_groups(fields='id') - sg_ids = [sg['id'] for sg in sgs] - self.assertIn(network_policy_name, network_policies) - self.assertEqual(kuryr_netpolicy_crd_name, - str(kuryrnetpolicies['metadata']['name'])) - self.assertIn(sg_id, sg_ids) - self.delete_network_policy(network_policy_name) - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - time.sleep(1) - if network_policy_name in self.list_network_policies(): - continue - try: - self.get_kuryr_netpolicy_crds(name=kuryr_netpolicy_crd_name) - except kubernetes.client.rest.ApiException: - break - sgs_after = self.list_security_groups(fields='id') - sg_ids_after = [sg['id'] for sg in sgs_after] - self.assertNotIn(sg_id, sg_ids_after) - - @decorators.idempotent_id('44daf8fe-6a4b-4ca9-8685-97fb1f573e5e') - def test_update_network_policy(self): - """Update a Network Policy with a new pod selector - - This method creates a Network Policy with a specific pod selector - and updates it with a new pod selector. The CRD should always have - the same pod selector as the Policy. - """ - - match_labels = {'app': 'demo'} - np = self.create_network_policy(match_labels=match_labels) - self.addCleanup(self.delete_network_policy, - np.metadata.name) - kuryr_netpolicy_crd_name = 'np-' + np.metadata.name - kuryrnetpolicies = '' - - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - kuryrnetpolicies = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - - if not kuryrnetpolicies: - raise lib_exc.TimeoutException() - - crd_pod_selector = kuryrnetpolicies['spec']['podSelector'] - self.assertEqual(crd_pod_selector.get('matchLabels'), - match_labels) - - label_key = 'context' - match_labels = {label_key: 'demo'} - np = self.read_network_policy(np) - np.spec.pod_selector.match_labels = match_labels - np = self.update_network_policy(np) - - labels = {} - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - time.sleep(1) - updated_knp = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name) - crd_pod_selector = updated_knp['spec']['podSelector'] - labels = crd_pod_selector.get('matchLabels') - if labels.get(label_key): - break - except kubernetes.client.rest.ApiException: - continue - - if not labels.get(label_key): - raise lib_exc.TimeoutException() - - self.assertEqual(labels, match_labels) - - @decorators.idempotent_id('24577a9b-1d29-409b-8b60-da3c49d777c2') - def test_delete_namespace_with_network_policy(self): - ns_name, ns = self.create_namespace() - match_labels = {'role': 'db'} - np = self.create_network_policy(match_labels=match_labels, - namespace=ns_name) - LOG.debug("Creating network policy %s" % np) - network_policy_name = np.metadata.name - kuryr_netpolicy_crd_name = 'np-' + network_policy_name - network_policies = self.list_network_policies(namespace=ns_name) - kuryrnetpolicies = '' - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - kuryrnetpolicies = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name, namespace=ns_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - sg_id = kuryrnetpolicies['spec']['securityGroupId'] - sgs = self.list_security_groups(fields='id') - sg_ids = [sg['id'] for sg in sgs] - self.assertIn(network_policy_name, network_policies) - self.assertEqual(kuryr_netpolicy_crd_name, - str(kuryrnetpolicies['metadata']['name'])) - self.assertIn(sg_id, sg_ids) - - # delete namespace - self.delete_namespace(ns_name) - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - time.sleep(1) - if network_policy_name in self.list_network_policies( - namespace=ns_name): - continue - try: - self.get_kuryr_netpolicy_crds(name=kuryr_netpolicy_crd_name, - namespace=ns_name) - except kubernetes.client.rest.ApiException: - break - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - sgs_after = self.list_security_groups(fields='id') - sg_ids_after = [sg['id'] for sg in sgs_after] - if sg_id not in sg_ids_after: - break - time.sleep(1) - if time.time() - start >= TIMEOUT_PERIOD: - raise lib_exc.TimeoutException('Sec group ID still exists') - - @decorators.idempotent_id('24577a9b-1d46-419b-8b60-da3c49d777c3') - def test_create_delete_network_policy_non_default_ns(self): - ns_name, ns = self.create_namespace() - self.addCleanup(self.delete_namespace, ns_name) - match_labels = {'role': 'db'} - np = self.create_network_policy(match_labels=match_labels, - namespace=ns_name) - LOG.debug("Creating network policy %s" % np) - network_policy_name = np.metadata.name - kuryr_netpolicy_crd_name = 'np-' + network_policy_name - network_policies = self.list_network_policies(namespace=ns_name) - kuryrnetpolicies = '' - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - try: - kuryrnetpolicies = self.get_kuryr_netpolicy_crds( - name=kuryr_netpolicy_crd_name, namespace=ns_name) - break - except kubernetes.client.rest.ApiException: - time.sleep(1) - continue - sg_id = kuryrnetpolicies['spec']['securityGroupId'] - sgs = self.list_security_groups(fields='id') - sg_ids = [sg['id'] for sg in sgs] - self.assertIn(network_policy_name, network_policies) - self.assertEqual(kuryr_netpolicy_crd_name, - str(kuryrnetpolicies['metadata']['name'])) - self.assertIn(sg_id, sg_ids) - self.delete_network_policy(network_policy_name, namespace=ns_name) - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - time.sleep(1) - if network_policy_name in self.list_network_policies( - namespace=ns_name): - continue - try: - self.get_kuryr_netpolicy_crds(name=kuryr_netpolicy_crd_name, - namespace=ns_name) - except kubernetes.client.rest.ApiException: - break - start = time.time() - while time.time() - start < TIMEOUT_PERIOD: - sgs_after = self.list_security_groups(fields='id') - sg_ids_after = [sg['id'] for sg in sgs_after] - if sg_id not in sg_ids_after: - break - time.sleep(1) - if time.time() - start >= TIMEOUT_PERIOD: - raise lib_exc.TimeoutException('Sec group ID still exists') + super(OldNetworkPolicyScenario, cls).skip_checks() + if CONF.kuryr_kubernetes.new_kuryrnetworkpolicy_crd: + raise cls.skipException( + 'Old KuryrNetPolicy NP CRDs must be used to run these tests') @decorators.idempotent_id('09a24a0f-322a-40ea-bb89-5b2246c8725d') def test_create_knp_crd_without_ingress_rules(self): @@ -486,8 +128,7 @@ class TestNetworkPolicyScenario(base.BaseKuryrScenarioTest): err_msg_cause = error_causes[0].get('message', "") err_field_cause = error_causes[0].get('field', "[]") if err_field_cause != "[]": - self.assertTrue(field in - err_field_cause) + self.assertTrue(field in err_field_cause) else: self.assertTrue(error_msg in err_msg_cause) else: @@ -496,3 +137,33 @@ class TestNetworkPolicyScenario(base.BaseKuryrScenarioTest): group, version, namespace, plural, crd_manifest['metadata']['name'], body) raise Exception('{} for Kuryr Net Policy CRD'.format(error_msg)) + + def get_np_crd_info(self, name, namespace='default', **kwargs): + name = 'np-' + name + crd = self.k8s_client.CustomObjectsApi().get_namespaced_custom_object( + group=base.KURYR_CRD_GROUP, version=base.KURYR_CRD_VERSION, + namespace=namespace, plural=KURYR_NET_POLICY_CRD_PLURAL, + name=name, **kwargs) + + return (crd['spec'].get('securityGroupId'), + crd['spec'].get('podSelector')) + + +class NetworkPolicyScenario(base_np.TestNetworkPolicyScenario): + + @classmethod + def skip_checks(cls): + super(NetworkPolicyScenario, cls).skip_checks() + if not CONF.kuryr_kubernetes.new_kuryrnetworkpolicy_crd: + raise cls.skipException( + 'New KuryrNetworkPolicy NP CRDs must be used to run these ' + 'tests') + + def get_np_crd_info(self, name, namespace='default', **kwargs): + crd = self.k8s_client.CustomObjectsApi().get_namespaced_custom_object( + group=base.KURYR_CRD_GROUP, version=base.KURYR_CRD_VERSION, + namespace=namespace, plural=KURYR_NETWORK_POLICY_CRD_PLURAL, + name=name, **kwargs) + + return (crd['status'].get('securityGroupId'), + crd['status'].get('podSelector'))