From 25e4e5662ea769c91e708d53980c9ed2dcc15357 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 31 Jan 2019 14:25:43 -0600
Subject: [PATCH] Update network-policy ldap deployment and test

This updates the script for deploying ldap in the network policy job to accept ingress traffic from prometheus pods. This also updates the network policy test to account for return values with more than one result when checking for a pod to use, as well as selecting pods by application and component labels instead of simply grepping for a name (as this could cause issues with grepping for 'fluentd', when that could return both fluentd and fluentd-exporter pods, for example)

Change-Id: I12a4029f574ea7d5b250709adef21b07d8cf0220
---
 tools/deployment/network-policy/040-ldap.sh | 3 +++
 .../network-policy/901-test-networkpolicy.sh | 23 +++++++++----------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/tools/deployment/network-policy/040-ldap.sh b/tools/deployment/network-policy/040-ldap.sh
index 259222d5f..684d9527a 100755
--- a/tools/deployment/network-policy/040-ldap.sh
+++ b/tools/deployment/network-policy/040-ldap.sh
@@ -40,6 +40,9 @@ network_policy:
 - podSelector:
 matchLabels:
 application: kibana
+ - podSelector:
+ matchLabels:
+ application: prometheus
 ports:
 - protocol: TCP
 port: 389
diff --git a/tools/deployment/network-policy/901-test-networkpolicy.sh b/tools/deployment/network-policy/901-test-networkpolicy.sh
index 98567c5cf..5490c70a5 100755
--- a/tools/deployment/network-policy/901-test-networkpolicy.sh
+++ b/tools/deployment/network-policy/901-test-networkpolicy.sh
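Review bot: In 040-ldap.sh the new `application: prometheus` podSelector carries no comment recording why prometheus pods need to reach LDAP, and the `ports:` entry that follows (`port: 389`) appears to apply to the whole selector list, so the rule opens 389 to every pod in the policy's namespace that carries that label rather than to one specific client. A podSelector without a namespaceSelector is limited to the policy's own namespace, which bounds the exposure, but a label is not an identity, so a one-line comment next to the selector such as `# prometheus: direct LDAP access needed for <reason>` would let a later reviewer judge whether the allowance is still required. The enclosing `network_policy:` block starts above the hunk.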
@@ -16,14 +16,15 @@ set -xe
-# test_netpol(namespace, component, target_host, expected_result{fail,success})
+# test_netpol(namespace, application label, component label, target_host, expected_result{fail,success})
 function test_netpol {
 NS=$1
- COMPONENT=$2
- HOST=$3
- STATUS=$4
- echo Testing connection from $COMPONENT to host $HOST with namespace $NS
- POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
+ APPLICATION=$2
+ COMPONENT=$3
+ HOST=$4
+ STATUS=$5
+ echo Testing connection from component:$COMPONENT, application:$APPLICATION to host $HOST with namespace $NS
+ POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)
 PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
 if [ "x${STATUS}" == "xfail" ]; then
 if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
@@ -36,13 +37,11 @@ function test_netpol {
 fi
 }
 # Doing negative tests
-test_netpol osh-infra mariadb-server elasticsearch.osh-infra.svc.cluster.local fail
-test_netpol osh-infra mariadb-server nagios.osh-infra.svc.cluster.local fail
-test_netpol osh-infra mariadb-server prometheus.osh-infra.svc.cluster.local fail
+test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
+test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
+test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
 # Doing positive tests
-test_netpol osh-infra grafana mariadb.osh-infra.svc.cluster.local:3306 success
+test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
 echo Test successfully
-
-
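Review bot: The new `POD=` line yields an empty string when no Running pod matches the `application`/`component` labels (a label typo, or the pod not yet scheduled), and nothing checks it before the next line runs `kubectl get pods --namespace $NS $POD`, which with an empty pod name lists the whole namespace and most likely leaves the container ID empty, so the `docker inspect` call fails under `set -e` with an error that names the wrong cause; add a guard before the PID lookup, `[ -n "$POD" ] || { echo "no Running pod with application=$APPLICATION,component=$COMPONENT in $NS" >&2; exit 1; }`. `grep Running` also matches that substring anywhere on the line, pod name included; `--field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}'` selects on the phase directly and replaces the grep/cut/head chain. The expansions `$NS`, `$APPLICATION`, `$COMPONENT`, `$HOST`, `$POD` and `$PID` are unquoted throughout; the values are fixed literals in this script, but quoting them (`"$NS"`, …) is the form ShellCheck expects. The body of test_netpol continues past the end of the hunk.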
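Review bot: The positive tests in this hunk do not cover the allowance this commit adds in 040-ldap.sh: LDAP port 389 is opened to `application: prometheus` pods, but no `test_netpol` call from a prometheus pod to the ldap service exists, so a regression in that rule would still pass this job. Add a matching success case next to the grafana one, e.g. `test_netpol osh-infra prometheus <component-label> <ldap-service-host>:389 success`, with the component label and service host taken from the prometheus and ldap charts (placeholders here). The two trailing `-` lines only drop blank lines at end of file.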