From 9d46e56d5ffc532f4c1e6ad724395401c585d7bb Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Sun, 21 Jul 2024 22:40:32 +0530 Subject: [PATCH] feat: added netpol tests for dns-manipulation intent Signed-off-by: Ved Ratan --- .github/kind-config.yaml | 9 +++++ .github/workflows/pr-checks.yaml | 15 ++++++++ .../create/chainsaw-test.yaml | 36 +++++++++++++------ 3 files changed, 49 insertions(+), 11 deletions(-) create mode 100644 .github/kind-config.yaml diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml new file mode 100644 index 00000000..77b7ac3e --- /dev/null +++ b/.github/kind-config.yaml @@ -0,0 +1,9 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane +- role: worker +- role: worker +networking: + disableDefaultCNI: true + podSubnet: 192.168.0.0/16 \ No newline at end of file diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index 3b55495a..6dd6094e 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -190,6 +190,21 @@ jobs: uses: helm/kind-action@v1 with: cluster_name: testing + config: ../kind-config.yaml + + - name: Install Calico Operator + run: | + kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/tigera-operator.yaml + + + - name: Install Calico CNI + run: | + kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/custom-resources.yaml + + + - name: Wait for the Calico to be ready + run: | + kubectl wait --for=condition=ready --timeout=6m -n calico-system pod -l k8s-app=calico-node - name: Build nimbus image and load in the kind cluster run: | diff --git a/tests/e2e/dns-manipulation/create/chainsaw-test.yaml b/tests/e2e/dns-manipulation/create/chainsaw-test.yaml index 9ac81387..2539ddc7 100644 --- a/tests/e2e/dns-manipulation/create/chainsaw-test.yaml +++ b/tests/e2e/dns-manipulation/create/chainsaw-test.yaml 
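Review bot: `disableDefaultCNI: true` in the new kind-config.yaml is undocumented, so a reader has to cross-reference pr-checks.yaml to learn that the default CNI is being replaced by Calico — presumably because kindnet does not enforce NetworkPolicy on the kind version in use, which the dns-manipulation netpol test depends on. Add a comment above `networking:` such as `# default CNI (kindnet) is replaced by Calico in pr-checks.yaml so NetworkPolicy is actually enforced` and `# podSubnet must match the IP pool in the Calico custom-resources manifest`, since a mismatch between `podSubnet` and the pool declared in custom-resources.yaml (which, as far as I know, defaults to 192.168.0.0/16 — confirm against v3.28.0) silently breaks pod networking. The file also ends without a trailing newline (`\ No newline at end of file`); add one.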
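Review bot: `config: ../kind-config.yaml` in the kind-action step looks like the wrong path: as far as I know helm/kind-action passes the value straight to `kind create cluster --config` from the workspace root, so `../kind-config.yaml` resolves outside the checkout and the new `.github/kind-config.yaml` would never be used, leaving the cluster on kindnet and the netpol assertions meaningless; relative to the repo root the path is `config: .github/kind-config.yaml`. The 'Wait for the Calico to be ready' step also races the operator: calico-node pods are created asynchronously after custom-resources.yaml is applied, and `kubectl wait` exits non-zero when the selector matches nothing yet, so poll for the pods before waiting on their condition (below). Finally, both manifests are fetched from a mutable git tag over the network on every run; pinning the URLs to a commit SHA (or vendoring a checksum-verified copy) would make the CI supply chain reproducible.
```yaml
      - name: Wait for the Calico to be ready
        run: |
          # the operator creates calico-node asynchronously; kubectl wait fails
          # when the selector matches nothing, so wait for the pods to appear first
          for i in $(seq 1 60); do
            kubectl get pods -n calico-system -l k8s-app=calico-node --no-headers 2>/dev/null | grep -q calico-node && break
            sleep 5
          done
          kubectl wait --for=condition=ready --timeout=6m -n calico-system pod -l k8s-app=calico-node
```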
@@ -9,6 +9,24 @@ spec: description: > This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy and verifies its effect on a sample test workload. steps: + + - name: "create nginx pod" + try: + - script: + content: kubectl run nginx --image=nginx --labels="app=nginx" + + - name: "verify creation of nginx pod" + try: + - script: + content: kubectl get pods -l app=nginx -o name + check: + (contains($stdout, 'pod/nginx')): true + + - name: "install nslookup utility" + try: + - script: + content: kubectl exec nginx -- bash -c "apt-get update && apt-get install dnsutils -y" + - name: "Create a SecurityIntent" try: - apply: @@ -61,17 +79,6 @@ spec: check: (contains($stdout, 'KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation')): true - - name: "create nginx pod" - try: - - script: - content: kubectl run nginx --image=nginx --labels="app=nginx" - - - name: "verify creation of nginx pod" - try: - - script: - content: kubectl get pods -l app=nginx -o name - check: - (contains($stdout, 'pod/nginx')): true - name: "Verify the failure of alter of resolv.conf in nginx pod" try: @@ -80,6 +87,13 @@ spec: check: ($error != null): true (contains($stderr, 'Permission denied')): true + + - name: "Verify that failure of nslookup to example.com through public DNS due to netpol" + try: + - script: + content: kubectl exec nginx -- bash -c "nslookup example.com 8.8.8.8" + check: + ($error != null): true
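Review bot: The new `install nslookup utility` step can run against a container that is not up yet: `kubectl run` returns as soon as the Pod object exists, and the preceding check only greps `kubectl get pods -l app=nginx -o name`, which already lists the pod while it is still ContainerCreating, so `kubectl exec nginx -- bash -c "apt-get ..."` can fail with a container-not-running error. Insert a readiness gate between the two steps, e.g. a script step whose content is `kubectl wait --for=condition=Ready pod/nginx --timeout=120s`. Separately, the step pulls an unpinned `nginx` tag and Debian packages from the internet at test time (before the policy exists, which is presumably why the pod steps were moved above the SecurityIntent); pinning the image by digest, or using an image that already ships nslookup, would make the test deterministic and narrow the supply-chain exposure of the CI run.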