
Commit 5b47c7b

authored
Merge branch 'k8snetworkplumbingwg:master' into master
2 parents 4f5f503 + 8b60d24 commit 5b47c7b


6 files changed

+79
-1
lines changed

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
apiVersion: networking.k8s.io/v1
2+
kind: NetworkPolicy
3+
metadata:
4+
name: operator-webhook-allow-traffic-api-server
5+
namespace: {{.Namespace}}
6+
spec:
7+
podSelector:
8+
matchLabels:
9+
app: operator-webhook
10+
ingress:
11+
- ports:
12+
- protocol: TCP
13+
port: 6443
14+
egress:
15+
- ports:
16+
- protocol: TCP
17+
port: 6443
18+
policyTypes:
19+
- Ingress
20+
- Egress
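Review bot: Both rules under `spec` list only `ports`, with no `from` under `ingress` and no `to` under `egress`, so the policy admits TCP 6443 from every source and to every destination rather than only the API server its name refers to. If the API server address range is known when the template is rendered, an `ipBlock` peer would narrow it; otherwise a comment such as `# no peers listed: any source/destination on TCP 6443 is allowed, API server is not selectable by pod labels` would record the trade-off. Because `policyTypes` includes `Egress`, pods labelled `app: operator-webhook` lose all other egress (DNS included) unless another policy allows it, and 6443 has to match both the webhook's listening port and the API server's endpoint port, neither of which is visible on this page. The second policy, for `app: network-resources-injector`, has the same shape.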
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
apiVersion: networking.k8s.io/v1
2+
kind: NetworkPolicy
3+
metadata:
4+
name: network-resources-injector-allow-traffic-api-server
5+
namespace: {{.Namespace}}
6+
spec:
7+
podSelector:
8+
matchLabels:
9+
app: network-resources-injector
10+
ingress:
11+
- ports:
12+
- protocol: TCP
13+
port: 6443
14+
egress:
15+
- ports:
16+
- protocol: TCP
17+
port: 6443
18+
policyTypes:
19+
- Ingress
20+
- Egress

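--- a/controllers/sriovoperatorconfig_controller_test.go
+++ b/controllers/sriovoperatorconfig_controller_test.go
@@ -26,6 +26,7 @@ import (
 admv1 "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkv1 "k8s.io/api/networking/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -193,6 +194,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy := &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg := &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -209,6 +214,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "network-resources-injector", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy = &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "network-resources-injector-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg = &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "network-resources-injector-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -228,6 +237,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy := &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObjectDeleted(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg := &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObjectDeleted(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
@@ -236,7 +249,7 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObjectDeleted(validateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
-By("set disable to enableOperatorWebhook")
+By("set enable to enableOperatorWebhook")
 Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: testNamespace, Name: "default"}, config)).NotTo(HaveOccurred())
 
 config.Spec.EnableOperatorWebhook = true
@@ -247,6 +260,10 @@ var _ = Describe("SriovOperatorConfig controller", Ordered, func() {
 err = util.WaitForNamespacedObject(daemonSet, k8sClient, testNamespace, "operator-webhook", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())
 
+networkPolicy = &networkv1.NetworkPolicy{}
+err = util.WaitForNamespacedObject(networkPolicy, k8sClient, testNamespace, "operator-webhook-allow-traffic-api-server", util.RetryInterval, util.APITimeout)
+Expect(err).NotTo(HaveOccurred())
+
 mutateCfg = &admv1.MutatingWebhookConfiguration{}
 err = util.WaitForNamespacedObject(mutateCfg, k8sClient, testNamespace, "sriov-operator-webhook-config", util.RetryInterval, util.APITimeout)
 Expect(err).NotTo(HaveOccurred())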
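Review bot: The added waits after each enable/disable step confirm only that a NetworkPolicy with the expected name appears or disappears; the fetched object's spec is never checked. An empty or wrong `podSelector` in the rendered manifest would still pass, and an empty selector applies the policy to every pod in the namespace. Assuming `WaitForNamespacedObject` fills in `networkPolicy` on success, one assertion after the wait would cover it, for example `Expect(networkPolicy.Spec.PodSelector.MatchLabels).To(HaveKeyWithValue("app", "operator-webhook"))`. The enclosing `It` blocks start and end outside these hunks.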

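--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -50,6 +50,15 @@ rules:
 - create
 - update
 - delete
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- create
+- update
+- delete
 - apiGroups:
 - apps
 resourceNames: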
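Review bot: The new rule grants `get`, `update` and `delete` on every NetworkPolicy in the namespace, although the manifests in this commit create only two named policies. The following rule in the file already uses `resourceNames`, so the same scoping could apply here: keep `create` in a rule of its own, since it cannot be limited by name, and restrict the other verbs to the two policy names, as sketched below with indentation to be matched to the file. The Helm chart `role.yaml` section adds the identical rule and would take the same change. The `rules:` list starts and continues outside this hunk.

```yaml
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  resourceNames:
  - operator-webhook-allow-traffic-api-server
  - network-resources-injector-allow-traffic-api-server
  verbs:
  - get
  - update
  - delete
```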

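--- a/deployment/sriov-network-operator-chart/templates/role.yaml
+++ b/deployment/sriov-network-operator-chart/templates/role.yaml
@@ -28,6 +28,15 @@ rules:
 - statefulsets
 verbs:
 - '*'
+- apiGroups:
+- networking.k8s.io
+resources:
+- networkpolicies
+verbs:
+- get
+- create
+- update
+- delete
 - apiGroups:
 - monitoring.coreos.com
 resources: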

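--- a/test/conformance/tests/test_sriov_operator.go
+++ b/test/conformance/tests/test_sriov_operator.go
@@ -33,6 +33,7 @@ import (
 admission "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+networkv1 "k8s.io/api/networking/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 k8serrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1150,6 +1151,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 assertObjectIsNotFound("network-resources-injector-role-binding", &rbacv1.ClusterRoleBinding{})
 assertObjectIsNotFound("network-resources-injector-config", &admission.MutatingWebhookConfiguration{})
 assertObjectIsNotFound("nri-control-switches", &corev1.ConfigMap{})
+assertObjectIsNotFound("network-resources-injector-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 })
 
 It("SR-IOV Operator Config, disable Operator Webhook", func() {
@@ -1170,6 +1172,7 @@ var _ = Describe("[sriov] operator", Ordered, func() {
 assertObjectIsNotFound("operator-webhook", &rbacv1.ClusterRole{})
 assertObjectIsNotFound("operator-webhook-role-binding", &rbacv1.ClusterRoleBinding{})
 assertObjectIsNotFound("sriov-operator-webhook-config", &admission.MutatingWebhookConfiguration{})
+assertObjectIsNotFound("operator-webhook-allow-traffic-api-server", &networkv1.NetworkPolicy{})
 })
 
 It("SR-IOV Operator Config, disable Resource Injector and Operator Webhook", func() {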
