feat: added netpol tests for dns-manipulation intent

Signed-off-by: Ved Ratan <[email protected]>
5GSEC · Jul 21, 2024 · 9d46e56 · 9d46e56
1 parent 83fd09f
commit 9d46e56
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 11 deletions.
diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml
@@ -0,0 +1,9 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+- role: worker
+- role: worker
+networking:
+  disableDefaultCNI: true
+  podSubnet: 192.168.0.0/16
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -190,6 +190,21 @@ jobs:
           uses: helm/kind-action@v1
           with:
             cluster_name: testing
+            config: ../kind-config.yaml
+
+        - name: Install Calico Operator
+          run: | 
+            kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/tigera-operator.yaml
+
+
+        - name: Install Calico CNI
+          run: | 
+            kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/custom-resources.yaml        
+
+
+        - name: Wait for the Calico to be ready
+          run: |
+            kubectl wait --for=condition=ready --timeout=6m -n calico-system pod -l k8s-app=calico-node 
 
         - name: Build nimbus image and load in the kind cluster
           run: |

diff --git a/tests/e2e/dns-manipulation/create/chainsaw-test.yaml b/tests/e2e/dns-manipulation/create/chainsaw-test.yaml
@@ -9,6 +9,24 @@ spec:
   description: >
    This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy and verifies its effect on a sample test workload.
   steps:
+
+    - name: "create nginx pod"
+      try:
+        - script:
+            content: kubectl run nginx --image=nginx --labels="app=nginx"
+
+    - name: "verify creation of nginx pod"
+      try:
+      - script:
+          content: kubectl get pods -l app=nginx -o name
+          check:
+            (contains($stdout, 'pod/nginx')): true
+
+    - name: "install nslookup utility"
+      try:
+      - script:
+          content: kubectl exec nginx -- bash  -c "apt-get update && apt-get install dnsutils -y"
+
     - name: "Create a SecurityIntent"
       try:
         - apply:
@@ -61,17 +79,6 @@ spec:
           check: 
             (contains($stdout, 'KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation')): true
 
-    - name: "create nginx pod"
-      try:
-        - script:
-            content: kubectl run nginx --image=nginx --labels="app=nginx"
-
-    - name: "verify creation of nginx pod"
-      try:
-      - script:
-          content: kubectl get pods -l app=nginx -o name
-          check:
-            (contains($stdout, 'pod/nginx')): true
 
     - name: "Verify the failure of alter of resolv.conf in nginx pod"
       try:
@@ -80,6 +87,13 @@ spec:
           check:
             ($error != null): true
             (contains($stderr, 'Permission denied')): true
+
+    - name: "Verify that failure of nslookup to example.com through public DNS due to netpol"
+      try:
+      - script:
+          content: kubectl exec nginx -- bash  -c "nslookup example.com  8.8.8.8"
+          check:
+          ($error != null): true