-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: update helm chart for testing netpol enforcement
- Loading branch information
1 parent
5b647d5
commit 6f93278
Showing
9 changed files
with
72 additions
and
92 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: v2 | ||
| name: test-netpol-enforcement | ||
| version: 0.1.0 | ||
| appVersion: 1.16.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # This network policy targets the protected-webserver pod with regards to | ||
| # ingress, thereby disallowing all inbound network connections unless allowed by | ||
| # a rule. We provide one such rule, allowing access to the protected-webserer | ||
| # from pods with a certain label. | ||
| # | ||
| # Two different pods will attempt to connect to the protected-webserver, one | ||
| # with the label and one without, and we expect different results based on this | ||
| # network policy. | ||
| # | ||
| kind: NetworkPolicy | ||
| apiVersion: networking.k8s.io/v1 | ||
| metadata: | ||
| name: allow-ingress-from-labelled-pods | ||
| spec: | ||
| podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/name: protected-webserver | ||
| ingress: | ||
| - from: | ||
| - podSelector: | ||
| matchLabels: | ||
| access-to-protected-webserver: "true" |
File renamed without changes.
42 changes: 42 additions & 0 deletions
42
test-netpol-enforcement/templates/tests/test-netpol-enforcement.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: "test-allowed-access" | ||
| labels: | ||
| access-to-protected-webserver: "true" | ||
| annotations: | ||
| helm.sh/hook: test-success | ||
| spec: | ||
| restartPolicy: Never | ||
| containers: | ||
| - name: busybox | ||
| image: busybox | ||
| command: | ||
| - sh | ||
| - -c | ||
| - | | ||
| if ! wget -T5 test-calico:80; then | ||
| echo "FAIL: was not allowed, but should be allowed" | ||
| exit 1 | ||
| fi | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: "test-not-allowed-access" | ||
| annotations: | ||
| helm.sh/hook: test-success | ||
| spec: | ||
| restartPolicy: Never | ||
| containers: | ||
| - name: busybox | ||
| image: busybox | ||
| command: | ||
| - sh | ||
| - -c | ||
| - | | ||
| if wget -T5 test-calico:80; then | ||
| echo "FAIL: was allowed, and shouldn't be allowed" | ||
| exit 1 | ||
| fi |