@@ -35,6 +35,8 @@ import (
3535 exutil "github.com/openshift/origin/test/extended/util"
3636)
3737
38+ const openDefaultPortsAnnotation = "k8s.ovn.org/open-default-ports"
39+
3840var _ = Describe ("[sig-network][OCPFeatureGate:NetworkSegmentation][Feature:UserDefinedPrimaryNetworks]" , func () {
3941 // TODO: so far, only the isolation tests actually require this PSA ... Feels wrong to run everything priviliged.
4042 // I've tried to have multiple kubeframeworks (from multiple OCs) running (with different project names) but
@@ -682,6 +684,120 @@ var _ = Describe("[sig-network][OCPFeatureGate:NetworkSegmentation][Feature:User
682684 expectedMessage := fmt .Sprintf ("primary network already exist in namespace %q: %q" , f .Namespace .Name , primaryNadName )
683685 Expect (actualConditions [0 ].Message ).To (Equal (expectedMessage ))
684686 })
687+
688+ Context ("UDN Pod" , func () {
689+ const (
690+ testUdnName = "test-net"
691+ testPodName = "test-pod-udn"
692+ )
693+
694+ var udnPod * v1.Pod
695+
696+ BeforeEach (func () {
697+ By ("create tests UserDefinedNetwork" )
698+ cleanup , err := createManifest (f .Namespace .Name , newPrimaryUserDefinedNetworkManifest (oc , testUdnName ))
699+ DeferCleanup (cleanup )
700+ Expect (err ).NotTo (HaveOccurred ())
701+ Expect (waitForUserDefinedNetworkReady (f .Namespace .Name , testUdnName , 5 * time .Second )).To (Succeed ())
702+ By ("create UDN pod" )
703+ cfg := podConfig (testPodName , withCommand (func () []string {
704+ return httpServerContainerCmd (port )
705+ }))
706+ cfg .namespace = f .Namespace .Name
707+ udnPod = runUDNPod (cs , f .Namespace .Name , * cfg , nil )
708+ })
709+
710+ It ("should react to k8s.ovn.org/open-default-ports annotations changes" , func () {
711+ By ("Creating second namespace for default network pod" )
712+ defaultNetNamespace := f .Namespace .Name + "-default"
713+ _ , err := cs .CoreV1 ().Namespaces ().Create (context .Background (), & v1.Namespace {
714+ ObjectMeta : metav1.ObjectMeta {
715+ Name : defaultNetNamespace ,
716+ },
717+ }, metav1.CreateOptions {})
718+ Expect (err ).NotTo (HaveOccurred ())
719+ defer func () {
720+ Expect (cs .CoreV1 ().Namespaces ().Delete (context .Background (), defaultNetNamespace , metav1.DeleteOptions {})).To (Succeed ())
721+ }()
722+
723+ By ("creating default network client pod" )
724+ defaultClientPod := frameworkpod .CreateExecPodOrFail (
725+ context .Background (),
726+ f .ClientSet ,
727+ defaultNetNamespace ,
728+ "default-net-client-pod" ,
729+ func (pod * v1.Pod ) {
730+ pod .Spec .Containers [0 ].Args = []string {"netexec" }
731+ setRuntimeDefaultPSA (pod )
732+ },
733+ )
734+
735+ udnIPv4 , udnIPv6 , err := podIPsForDefaultNetwork (
736+ cs ,
737+ f .Namespace .Name ,
738+ udnPod .GetName (),
739+ )
740+ Expect (err ).NotTo (HaveOccurred ())
741+
742+ By (fmt .Sprintf ("verify default network client pod can't access UDN pod on port %d" , port ))
743+ for _ , destIP := range []string {udnIPv4 , udnIPv6 } {
744+ if destIP == "" {
745+ continue
746+ }
747+ By ("checking the default network pod can't reach UDN pod on IP " + destIP )
748+ Consistently (func () bool {
749+ return connectToServer (podConfiguration {namespace : defaultClientPod .Namespace , name : defaultClientPod .Name }, destIP , port ) != nil
750+ }, 5 * time .Second ).Should (BeTrue ())
751+ }
752+
753+ By ("Open UDN pod port" )
754+ udnPod .Annotations [openDefaultPortsAnnotation ] = fmt .Sprintf (
755+ `- protocol: tcp
756+ port: %d` , port )
757+ udnPod , err = cs .CoreV1 ().Pods (udnPod .Namespace ).Update (context .Background (), udnPod , metav1.UpdateOptions {})
758+ Expect (err ).NotTo (HaveOccurred ())
759+
760+ By (fmt .Sprintf ("verify default network client pod can access UDN pod on open port %d" , port ))
761+ for _ , destIP := range []string {udnIPv4 , udnIPv6 } {
762+ if destIP == "" {
763+ continue
764+ }
765+ By ("checking the default network pod can reach UDN pod on IP " + destIP )
766+ Eventually (func () bool {
767+ return connectToServer (podConfiguration {namespace : defaultClientPod .Namespace , name : defaultClientPod .Name }, destIP , port ) == nil
768+ }, 5 * time .Second ).Should (BeTrue ())
769+ }
770+
771+ By ("Update UDN pod port with the wrong syntax" )
772+ // this should clean up open ports and throw an event
773+ udnPod .Annotations [openDefaultPortsAnnotation ] = fmt .Sprintf (
774+ `- protocol: ppp
775+ port: %d` , port )
776+ udnPod , err = cs .CoreV1 ().Pods (udnPod .Namespace ).Update (context .Background (), udnPod , metav1.UpdateOptions {})
777+ Expect (err ).NotTo (HaveOccurred ())
778+
779+ By (fmt .Sprintf ("verify default network client pod can't access UDN pod on port %d" , port ))
780+ for _ , destIP := range []string {udnIPv4 , udnIPv6 } {
781+ if destIP == "" {
782+ continue
783+ }
784+ By ("checking the default network pod can't reach UDN pod on IP " + destIP )
785+ Eventually (func () bool {
786+ return connectToServer (podConfiguration {namespace : defaultClientPod .Namespace , name : defaultClientPod .Name }, destIP , port ) != nil
787+ }, 5 * time .Second ).Should (BeTrue ())
788+ }
789+ By ("Verify syntax error is reported via event" )
790+ events , err := cs .CoreV1 ().Events (udnPod .Namespace ).List (context .Background (), metav1.ListOptions {})
791+ found := false
792+ for _ , event := range events .Items {
793+ if event .Reason == "ErrorUpdatingResource" && strings .Contains (event .Message , "invalid protocol ppp" ) {
794+ found = true
795+ break
796+ }
797+ }
798+ Expect (found ).To (BeTrue (), "should have found an event for invalid protocol" )
799+ })
800+ })
685801 })
686802})
687803
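Review bot: The error returned by the `Events().List()` call at line 790 is never checked, so a failed list dereferences a nil `events` on the next line and the test would die with a panic instead of reporting the real API error. Events are also delivered asynchronously, so a single List taken right after the port-closed check can run before the `ErrorUpdatingResource` event exists and make the assertion flaky; polling the list inside an `Eventually` addresses both, as sketched below. Separately, the annotation write at line 754 assumes `runUDNPod` hands back a pod with a non-nil `Annotations` map — if that is not guaranteed by the helper, `if udnPod.Annotations == nil { udnPod.Annotations = map[string]string{} }` before the write avoids a nil-map panic. The enclosing `Describe` closure starts before this hunk.
```go
// … unchanged: loops verifying the port is closed again after the malformed annotation …
By("Verify syntax error is reported via event")
Eventually(func(g Gomega) {
	events, err := cs.CoreV1().Events(udnPod.Namespace).List(context.Background(), metav1.ListOptions{})
	g.Expect(err).NotTo(HaveOccurred())
	found := false
	for _, event := range events.Items {
		if event.Reason == "ErrorUpdatingResource" && strings.Contains(event.Message, "invalid protocol ppp") {
			found = true
			break
		}
	}
	g.Expect(found).To(BeTrue(), "should have found an event for invalid protocol")
}, 5*time.Second).Should(Succeed())
```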