
Commit 6ece136

[EV-6029][CI-1843] allow traffic from idc to voltron in the management cluster (#4350) (#4357)
* fix(networkpolicy): Add a missing allow rule from the intrusion-detection controller (IDC) to Voltron (the Tigera manager) when MCM is enabled. * Refactor allow-tigera policy handling to support management clusters and improve test flexibility. --------- Co-authored-by: Rene Dekker <rene@tigera.io>
1 parent b723da0 commit 6ece136

12 files changed

+292
-57
lines changed

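--- a/pkg/render/compliance_test.go
+++ b/pkg/render/compliance_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2026 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -1040,10 +1040,12 @@ var _ = Describe("compliance rendering tests", func() {
 if policyName.Name == "allow-tigera.compliance-access" {
 return testutils.SelectPolicyByClusterTypeAndProvider(
 scenario,
-expectedCompliancePolicyForUnmanaged,
-expectedCompliancePolicyForUnmanagedOpenshift,
-expectedCompliancePolicyForManaged,
-expectedCompliancePolicyForManagedOpenshift,
+map[string]*v3.NetworkPolicy{
+"unmanaged": expectedCompliancePolicyForUnmanaged,
+"unmanaged-openshift": expectedCompliancePolicyForUnmanagedOpenshift,
+"managed": expectedCompliancePolicyForManaged,
+"managed-openshift": expectedCompliancePolicyForManagedOpenshift,
+},
 )
 } else if !scenario.ManagedCluster && policyName.Name == "allow-tigera.compliance-server" {
 return testutils.SelectPolicyByProvider(scenario, expectedComplianceServerPolicy, expectedComplianceServerPolicyForOpenshift)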

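--- a/pkg/render/intrusion_detection.go
+++ b/pkg/render/intrusion_detection.go
@@ -1032,6 +1032,13 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerAllowTigeraPol
 Protocol: &networkpolicy.TCPProtocol,
 Destination: helper.LinseedEntityRule(),
 })
+if c.cfg.ManagementCluster {
+egressRules = append(egressRules, v3.Rule{
+Action: v3.Allow,
+Protocol: &networkpolicy.TCPProtocol,
+Destination: helper.ManagerEntityRule(),
+})
+}
 }
 egressRules = append(egressRules, []v3.Rule{
 {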
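Review bot: The new Allow rule only opens the IDC → manager direction; Calico enforces policy at both endpoints, so the manager's own allow-tigera ingress policy must also admit traffic from the intrusion-detection-controller selector on the port that `helper.ManagerEntityRule()` targets (9443 in the expected fixtures), and that side is not part of this diff — worth confirming it already exists rather than discovering it at runtime. A why-comment on the new branch would spare the next reader a trip to the commit log, e.g. `// With MCM enabled the IDC must reach Voltron (the manager), so allow egress to it on management clusters.` The conditional that encloses this block and intrusionDetectionControllerAllowTigeraPolicy itself both begin and end outside the hunk, so whether this branch is additionally gated on !ManagedCluster cannot be verified here.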

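--- a/pkg/render/intrusion_detection_test.go
+++ b/pkg/render/intrusion_detection_test.go
@@ -69,10 +69,18 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 cli client.Client
 )
 
-expectedIDPolicyForUnmanaged := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_unmanaged.json")
+expectedIDPolicyForStandalone := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_standalone.json")
 expectedIDPolicyForManaged := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_managed.json")
-expectedIDPolicyForUnmanagedOCP := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_unmanaged_ocp.json")
+expectedIDPolicyForStandaloneOCP := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_standalone_ocp.json")
 expectedIDPolicyForManagedOCP := testutils.GetExpectedPolicyFromFile("testutils/expected_policies/intrusion-detection-controller_managed_ocp.json")
+expectedIDPolicyForManagement := testutils.GetExpectedPolicyFromFileWithReplacements("testutils/expected_policies/intrusion-detection-controller_management.json", map[string]string{
+"MANAGER_NAMESPACE": render.ManagerNamespace,
+"MANAGER_NAME": render.ManagerServiceName,
+})
+expectedIDPolicyForManagementOCP := testutils.GetExpectedPolicyFromFileWithReplacements("testutils/expected_policies/intrusion-detection-controller_management_ocp.json", map[string]string{
+"MANAGER_NAMESPACE": render.ManagerNamespace,
+"MANAGER_NAME": render.ManagerServiceName,
+})
 
 BeforeEach(func() {
 scheme := runtime.NewScheme()
@@ -477,10 +485,14 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 getExpectedPolicy := func(policyName types.NamespacedName, scenario testutils.AllowTigeraScenario) *v3.NetworkPolicy {
 if policyName.Name == "allow-tigera.intrusion-detection-controller" {
 return testutils.SelectPolicyByClusterTypeAndProvider(scenario,
-expectedIDPolicyForUnmanaged,
-expectedIDPolicyForUnmanagedOCP,
-expectedIDPolicyForManaged,
-expectedIDPolicyForManagedOCP,
+map[string]*v3.NetworkPolicy{
+"standalone": expectedIDPolicyForStandalone,
+"standalone-openshift": expectedIDPolicyForStandaloneOCP,
+"managed": expectedIDPolicyForManaged,
+"managed-openshift": expectedIDPolicyForManagedOCP,
+"management": expectedIDPolicyForManagement,
+"management-openshift": expectedIDPolicyForManagementOCP,
+},
 )
 }
 
@@ -491,6 +503,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 func(scenario testutils.AllowTigeraScenario) {
 cfg.OpenShift = scenario.OpenShift
 cfg.ManagedCluster = scenario.ManagedCluster
+cfg.ManagementCluster = scenario.ManagementCluster
 component := render.IntrusionDetection(cfg)
 resources, _ := component.Objects()
 
@@ -500,10 +513,12 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 Expect(policy).To(Equal(expectedPolicy))
 }
 },
-Entry("for management/standalone, kube-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: false}),
-Entry("for management/standalone, openshift-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: true}),
-Entry("for managed, kube-dns", testutils.AllowTigeraScenario{ManagedCluster: true, OpenShift: false}),
-Entry("for managed, openshift-dns", testutils.AllowTigeraScenario{ManagedCluster: true, OpenShift: true}),
+Entry("for standalone, kube-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: false, ManagementCluster: false}),
+Entry("for standalone, openshift-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: true, ManagementCluster: false}),
+Entry("for managed, kube-dns", testutils.AllowTigeraScenario{ManagedCluster: true, OpenShift: false, ManagementCluster: false}),
+Entry("for managed, openshift-dns", testutils.AllowTigeraScenario{ManagedCluster: true, OpenShift: true, ManagementCluster: false}),
+Entry("for management, kube-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: false, ManagementCluster: true}),
+Entry("for management, openshift-dns", testutils.AllowTigeraScenario{ManagedCluster: false, OpenShift: true, ManagementCluster: true}),
 )
 })
 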
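Review bot: The map keys in the getExpectedPolicy hunk are free-form strings ("standalone", "management", "managed-openshift") that a helper outside this diff resolves, while the other test files touched by this commit keep keying the same helper with "unmanaged"; a mismatch or a typo (say "managment-openshift") would most likely resolve to a nil expected policy and only fail if a policy happens to be rendered, not as a clear lookup error. Consider exporting the key vocabulary from testutils as constants (e.g. `testutils.ScenarioStandalone`, `testutils.ScenarioManagement`) and using them in every map literal, or have the helper fail the test on a key it does not recognise. The Describe block this hunk belongs to starts and ends outside the diff.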

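--- a/pkg/render/intrusiondetection/dpi/dpi_test.go
+++ b/pkg/render/intrusiondetection/dpi/dpi_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2026 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -585,10 +585,12 @@ var _ = Describe("DPI rendering tests", func() {
 getExpectedPolicy := func(scenario testutils.AllowTigeraScenario) *v3.NetworkPolicy {
 return testutils.SelectPolicyByClusterTypeAndProvider(
 scenario,
-expectedUnmanagedPolicy,
-expectedUnmanagedPolicyForOpenshift,
-expectedManagedPolicy,
-expectedManagedPolicyForOpenshift,
+map[string]*v3.NetworkPolicy{
+"unmanaged": expectedUnmanagedPolicy,
+"unmanaged-openshift": expectedUnmanagedPolicyForOpenshift,
+"managed": expectedManagedPolicy,
+"managed-openshift": expectedManagedPolicyForOpenshift,
+},
 )
 }
 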

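--- a/pkg/render/kubecontrollers/kube-controllers_test.go
+++ b/pkg/render/kubecontrollers/kube-controllers_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2026 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -1033,10 +1033,12 @@ var _ = Describe("kube-controllers rendering tests", func() {
 policy := testutils.GetAllowTigeraPolicyFromResources(policyName, resources)
 expectedPolicy := testutils.SelectPolicyByClusterTypeAndProvider(
 scenario,
-expectedPolicyForUnmanaged,
-expectedPolicyForUnmanagedOCP,
-expectedPolicyForManaged,
-expectedPolicyForManagedOCP,
+map[string]*v3.NetworkPolicy{
+"unmanaged": expectedPolicyForUnmanaged,
+"unmanaged-openshift": expectedPolicyForUnmanagedOCP,
+"managed": expectedPolicyForManaged,
+"managed-openshift": expectedPolicyForManagedOCP,
+},
 )
 Expect(policy).To(Equal(expectedPolicy))
 },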

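--- a/pkg/render/packet_capture_api_test.go
+++ b/pkg/render/packet_capture_api_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2021-2026 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -47,6 +47,8 @@ import (
 "github.com/tigera/operator/pkg/tls"
 "github.com/tigera/operator/pkg/tls/certificatemanagement"
 "github.com/tigera/operator/test"
+
+v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
 )
 
 var _ = Describe("Rendering tests for PacketCapture API component", func() {
@@ -439,10 +441,12 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() {
 policy := testutils.GetAllowTigeraPolicyFromResources(policyName, resources)
 expectedPolicy := testutils.SelectPolicyByClusterTypeAndProvider(
 scenario,
-pcPolicyForUnmanaged,
-pcPolicyForUnmanagedOCP,
-pcPolicyForManaged,
-pcPolicyForManagedOCP,
+map[string]*v3.NetworkPolicy{
+"unmanaged": pcPolicyForUnmanaged,
+"unmanaged-openshift": pcPolicyForUnmanagedOCP,
+"managed": pcPolicyForManaged,
+"managed-openshift": pcPolicyForManagedOCP,
+},
 )
 Expect(policy).To(Equal(expectedPolicy))
 },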
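Review bot: The `v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"` import in the first code hunk is appended as its own blank-line-separated group after the operator imports rather than merged into the existing third-party group, where it would sort before `github.com/tigera/operator/...`; gofmt and goimports leave manually separated groups alone, so this will stick unless fixed by hand. Moving the line up into the existing group (and dropping the extra blank line) keeps the import block consistent with how the other test files in this repository lay theirs out.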

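--- a/pkg/render/policyrecommendation_test.go
+++ b/pkg/render/policyrecommendation_test.go
@@ -430,10 +430,10 @@ var _ = Describe("Policy recommendation rendering tests", func() {
 getExpectedPolicy := func(scenario testutils.AllowTigeraScenario) *v3.NetworkPolicy {
 return testutils.SelectPolicyByClusterTypeAndProvider(
 scenario,
-expectedUnmanagedPolicy,
-expectedUnmanagedPolicyForOpenshift,
-nil,
-nil,
+map[string]*v3.NetworkPolicy{
+"unmanaged": expectedUnmanagedPolicy,
+"unmanaged-openshift": expectedUnmanagedPolicyForOpenshift,
+},
 )
 }
 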
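Review bot: Dropping the two explicit `nil` arguments for the managed variants makes the expected policy for a managed scenario depend on how `SelectPolicyByClusterTypeAndProvider` treats an absent key, and that helper is not in this diff; if it returns nil for a missing key the managed case still asserts "no policy rendered" as before, but the intent is no longer visible in this file. Keeping the entries with explicit nil values, `"managed": nil,` and `"managed-openshift": nil,`, states the expectation in place and lets the helper treat a genuinely unknown key as a test failure. getExpectedPolicy's enclosing Describe block starts and ends outside the hunk.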

Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
{
2+
"apiVersion": "projectcalico.org/v3",
3+
"kind": "NetworkPolicy",
4+
"metadata": {
5+
"name": "allow-tigera.intrusion-detection-controller",
6+
"namespace": "tigera-intrusion-detection"
7+
},
8+
"spec": {
9+
"order": 1,
10+
"tier": "allow-tigera",
11+
"selector": "k8s-app == 'intrusion-detection-controller'",
12+
"types": [
13+
"Ingress",
14+
"Egress"
15+
],
16+
"ingress": [
17+
{
18+
"action": "Deny"
19+
}
20+
],
21+
"egress": [
22+
{
23+
"action": "Deny",
24+
"protocol": "TCP",
25+
"destination": {
26+
"nets": [
27+
"169.254.0.0/16"
28+
]
29+
}
30+
},
31+
{
32+
"action": "Deny",
33+
"protocol": "TCP",
34+
"destination": {
35+
"nets": [
36+
"fe80::/10"
37+
]
38+
}
39+
},
40+
{
41+
"action": "Allow",
42+
"protocol": "UDP",
43+
"destination": {
44+
"namespaceSelector": "projectcalico.org/name == 'kube-system'",
45+
"selector": "k8s-app == 'kube-dns'",
46+
"ports": [
47+
53
48+
]
49+
}
50+
},
51+
{
52+
"action": "Allow",
53+
"protocol": "TCP",
54+
"destination": {
55+
"selector": "k8s-app == 'tigera-linseed'",
56+
"namespaceSelector": "projectcalico.org/name == 'tigera-elasticsearch'",
57+
"ports": [
58+
8444
59+
]
60+
}
61+
},
62+
{
63+
"action": "Allow",
64+
"protocol": "TCP",
65+
"destination": {
66+
"namespaceSelector": "projectcalico.org/name == '<MANAGER_NAMESPACE>'",
67+
"selector": "k8s-app == '<MANAGER_NAME>'",
68+
"ports": [
69+
9443
70+
]
71+
}
72+
},
73+
{
74+
"action": "Allow",
75+
"protocol": "TCP",
76+
"destination": {
77+
"namespaceSelector": "projectcalico.org/name == 'default'",
78+
"selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
79+
"ports": [
80+
443,
81+
6443,
82+
12388
83+
]
84+
}
85+
},
86+
{
87+
"action": "Pass"
88+
}
89+
]
90+
}
91+
}
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,102 @@
1+
{
2+
"apiVersion": "projectcalico.org/v3",
3+
"kind": "NetworkPolicy",
4+
"metadata": {
5+
"name": "allow-tigera.intrusion-detection-controller",
6+
"namespace": "tigera-intrusion-detection"
7+
},
8+
"spec": {
9+
"order": 1,
10+
"tier": "allow-tigera",
11+
"selector": "k8s-app == 'intrusion-detection-controller'",
12+
"types": [
13+
"Ingress",
14+
"Egress"
15+
],
16+
"ingress": [
17+
{
18+
"action": "Deny"
19+
}
20+
],
21+
"egress": [
22+
{
23+
"action": "Deny",
24+
"protocol": "TCP",
25+
"destination": {
26+
"nets": [
27+
"169.254.0.0/16"
28+
]
29+
}
30+
},
31+
{
32+
"action": "Deny",
33+
"protocol": "TCP",
34+
"destination": {
35+
"nets": [
36+
"fe80::/10"
37+
]
38+
}
39+
},
40+
{
41+
"action": "Allow",
42+
"protocol": "UDP",
43+
"destination": {
44+
"namespaceSelector": "projectcalico.org/name == 'openshift-dns'",
45+
"selector": "dns.operator.openshift.io/daemonset-dns == 'default'",
46+
"ports": [
47+
5353
48+
]
49+
}
50+
},
51+
{
52+
"action": "Allow",
53+
"protocol": "TCP",
54+
"destination": {
55+
"namespaceSelector": "projectcalico.org/name == 'openshift-dns'",
56+
"selector": "dns.operator.openshift.io/daemonset-dns == 'default'",
57+
"ports": [
58+
5353
59+
]
60+
}
61+
},
62+
{
63+
"action": "Allow",
64+
"protocol": "TCP",
65+
"destination": {
66+
"selector": "k8s-app == 'tigera-linseed'",
67+
"namespaceSelector": "projectcalico.org/name == 'tigera-elasticsearch'",
68+
"ports": [
69+
8444
70+
]
71+
}
72+
},
73+
{
74+
"action": "Allow",
75+
"protocol": "TCP",
76+
"destination": {
77+
"namespaceSelector": "projectcalico.org/name == '<MANAGER_NAMESPACE>'",
78+
"selector": "k8s-app == '<MANAGER_NAME>'",
79+
"ports": [
80+
9443
81+
]
82+
}
83+
},
84+
{
85+
"action": "Allow",
86+
"protocol": "TCP",
87+
"destination": {
88+
"namespaceSelector": "projectcalico.org/name == 'default'",
89+
"selector": "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
90+
"ports": [
91+
443,
92+
6443,
93+
12388
94+
]
95+
}
96+
},
97+
{
98+
"action": "Pass"
99+
}
100+
]
101+
}
102+
}

pkg/render/testutils/expected_policies/intrusion-detection-controller_unmanaged.json renamed to pkg/render/testutils/expected_policies/intrusion-detection-controller_standalone.json

File renamed without changes.
