
Commit 4164b5c

committed
Add egress check to deny-all policy
1 parent 875f80e commit 4164b5c


1 file changed

+26
-4
lines changed

1 file changed

+26
-4
lines changed

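--- a/test/e2e/network/network_policy.go
+++ b/test/e2e/network/network_policy.go
@@ -99,6 +99,24 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() {
 })
 
 ginkgo.It("should support a 'default-deny-all' policy [Feature:NetworkPolicy]", func() {
+nsA := f.Namespace
+nsBName := f.BaseName + "-b"
+nsB, err := f.CreateNamespace(nsBName, map[string]string{
+"ns-name": nsBName,
+})
+
+ginkgo.By("Creating a simple server in another namespace that serves on port 80 and 81.")
+_, serviceB := createServerPodAndService(f, nsB, "pod-b", []int{80, 81})
+
+ginkgo.By("Waiting for pod ready", func() {
+err := e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, podServer.Name, f.Namespace.Name, framework.PodStartTimeout)
+framework.ExpectNoError(err)
+})
+
+ginkgo.By("Creating client-a, which should be able to contact the server in another namespace.", func() {
+testCanConnect(f, nsA, "client-a", serviceB, 80)
+})
+
 policy := &networkingv1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "default-deny-all",
@@ -111,13 +129,17 @@ var _ = SIGDescribe("NetworkPolicy [LinuxOnly]", func() {
 },
 }
 
-policy, err := f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
+policy, err = f.ClientSet.NetworkingV1().NetworkPolicies(f.Namespace.Name).Create(context.TODO(), policy, metav1.CreateOptions{})
 framework.ExpectNoError(err)
 defer cleanupNetworkPolicy(f, policy)
 
-// Create a pod with name 'client-cannot-connect', which will attempt to communicate with the server,
-// but should not be able to now that isolation is on.
-testCannotConnect(f, f.Namespace, "client-cannot-connect", service, 80)
+ginkgo.By("Creating client-to-a, which should not be able to contact the server in the same namespace, Ingress check.", func() {
+testCannotConnect(f, nsA, "client-to-a", service, 80)
+})
+
+ginkgo.By("Creating client-to-b, which should not be able to contact the server in another namespace, Egress check.", func() {
+testCannotConnect(f, nsA, "client-to-b", serviceB, 80)
+})
 })
 
 ginkgo.It("should enforce policy to allow traffic from pods within server namespace based on PodSelector [Feature:NetworkPolicy]", func() {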
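Review bot: The error returned by `f.CreateNamespace` on the `nsB, err := ...` line in the first hunk is never checked, so a failed namespace creation would surface later as a confusing failure inside `createServerPodAndService` rather than at its source; add `framework.ExpectNoError(err)` directly after the closing `})` of that call, matching how the policy Create is checked in the second hunk. The "Waiting for pod ready" step waits on `podServer` in `f.Namespace`, which is the pre-existing server defined outside these hunks, while the pod returned by `createServerPodAndService` for nsB is discarded with `_`; if that first return value is the pod-b object, the wait should presumably read `podB, serviceB := createServerPodAndService(f, nsB, "pod-b", []int{80, 81})` and `err := e2epod.WaitTimeoutForPodReadyInNamespace(f.ClientSet, podB.Name, nsB.Name, framework.PodStartTimeout)`, otherwise the client-a positive check can run before the cross-namespace server is ready. The "Egress check" step only demonstrates egress isolation if the policy spec (its PolicyTypes sit in the unseen lines between the two hunks) lists both Ingress and Egress; an ingress-only default-deny would still let client-to-b reach serviceB and the test would fail for the wrong reason, so it is worth confirming in the same commit. The enclosing SIGDescribe closure starts and ends outside the hunks.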
