
Commit 448c8d7

Handling mutliple namespaces
A networkpolicy can refer to multiple NADs, which can be in different namespaces. Avoid filtering peerPods using the exact networkname and use the policy's `policy-for` annotation. Create an end2end test case that involves pods from multiple namespaces. Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
1 parent 5d6e5c1 commit 448c8d7


4 files changed

+388
-40
lines changed
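--- /dev/null
+++ b/multi-namespace-multinet.bats
@@ -0,0 +1,114 @@
+#!/usr/bin/env bats
+
+# Note:
+# This test case creates two namespaces, each with a different NetworkAttachmentDefinition
+# and two pods per namespace. It tests that MultiNetworkPolicy works correctly across
+# different namespaces with different network configurations.
+
+setup() {
+    cd $BATS_TEST_DIRNAME
+    load "common"
+    pod_a1_net1=$(get_net1_ip "test-namespace-a" "pod-1")
+    pod_a2_net1=$(get_net1_ip "test-namespace-a" "pod-2")
+
+    pod_b1_net1=$(get_net1_ip "test-namespace-b" "pod-1")
+    pod_b2_net1=$(get_net1_ip "test-namespace-b" "pod-2")
+
+    pod_c1_net1=$(get_net1_ip "test-namespace-c" "pod-1")
+    pod_c2_net1=$(get_net1_ip "test-namespace-c" "pod-2")
+
+}
+
+@test "setup multi-namespace test environments" {
+    # create test manifests
+    kubectl create -f multi-namespace-multinet.yml
+
+    # verify all pods in namespace A are available
+    run kubectl -n test-namespace-a wait --all --for=condition=ready pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+
+    # verify all pods in namespace B are available
+    run kubectl -n test-namespace-b wait --all --for=condition=ready pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+
+    # verify all pods in namespace C are available
+    run kubectl -n test-namespace-c wait --all --for=condition=ready pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+
+    sleep 3
+}
+
+@test "Allowed connectivity" {
+    run kubectl -n test-namespace-b exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-a exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+    [ "$status" -eq "0" ]
+}
+
+@test "Denied connectivity" {
+    # a1 -> {a2,b1,c1,c2}
+    run kubectl -n test-namespace-a exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_a2_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-a exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_b1_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-a exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_c1_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-a exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_c2_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    # {a2,b2,c1,c2} -> a1
+    run kubectl -n test-namespace-a exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-b exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-c exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+    [ "$status" -eq "1" ]
+
+    run kubectl -n test-namespace-c exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_a1_net1} 5555"
+    [ "$status" -eq "1" ]
+}
+
+@test "Allowed by policy absence" {
+    # a2 -> {b1,b2,c1,c2}
+    run kubectl -n test-namespace-a exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_b1_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-a exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-a exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_c1_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-a exec pod-2 -- sh -c "echo x | nc -w 1 ${pod_c2_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    # b1 -> {a2,b2,c1,c2}
+    run kubectl -n test-namespace-b exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_a2_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-b exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_b2_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-b exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_c1_net1} 5555"
+    [ "$status" -eq "0" ]
+
+    run kubectl -n test-namespace-b exec pod-1 -- sh -c "echo x | nc -w 1 ${pod_c2_net1} 5555"
+    [ "$status" -eq "0" ]
+}
+
+@test "cleanup environments" {
+    # remove test manifests
+    kubectl delete -f multi-namespace-multinet.yml
+    run kubectl -n test-namespace-a wait --all --for=delete pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+    run kubectl -n test-namespace-b wait --all --for=delete pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+    run kubectl -n test-namespace-c wait --all --for=delete pod --timeout=${kubewait_timeout}
+    [ "$status" -eq "0" ]
+}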
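Review bot: The "Denied connectivity" assertions (file lines 51–74) accept exit status 1, which is also what `kubectl exec` returns when the exec itself fails (pod missing, container not ready) and what `nc` returns when its target argument is empty, so if `get_net1_ip` in `setup` yields an empty string on failure (common is not shown here) a broken environment reads as "correctly denied". I would guard the probes with a non-empty check at the top of that test, e.g. `for ip in "$pod_a1_net1" "$pod_a2_net1" "$pod_b1_net1" "$pod_c1_net1" "$pod_c2_net1"; do [ -n "$ip" ]; done`, and assert that `$output` does not contain kubectl's `error:` prefix. Separately, the header comment says the test creates two namespaces while the manifest and the readiness waits at lines 27–35 cover three; `# This test case creates three namespaces (a, b, c), each with its own NetworkAttachmentDefinition` would match what the file does. `cd $BATS_TEST_DIRNAME` at line 9 should be quoted, `cd "$BATS_TEST_DIRNAME"`, and the bare `sleep 3` at line 38 deserves a comment naming what it waits for (presumably the policy controller programming iptables after the pods become ready).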
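--- /dev/null
+++ b/multi-namespace-multinet.yml
@@ -0,0 +1,235 @@
+# ┌───────────┐ ┌───────────┐ ┌───────────┐
+# │namespace-a│ │namespace-b│ │namespace-c│
+# │ │ │ │ │ │
+# │ ┌───────┐ │ │ ┌───────┐ │ │ ┌───────┐ │
+# │ │ pod-1 │◀─────│ pod-1 │ │ │ │ pod-1 │ │
+# │ └───────┘────┐│ └───────┘ │ │ └───────┘ │
+# │ ┌───────┐ │ ││ ┌───────┐ │ │ ┌───────┐ │
+# │ │ pod-2 │ │ └─▶ pod-2 │ │ │ │ pod-2 │ │
+# │ └───────┘ │ │ └───────┘ │ │ └───────┘ │
+# └───────────┘ └───────────┘ └───────────┘
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-namespace-a
+  labels:
+    name: test-namespace-a
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-namespace-b
+  labels:
+    name: test-namespace-b
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-namespace-c
+  labels:
+    name: test-namespace-c
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: test-namespace-a
+  name: macvlan1-namespace-a
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "name": "macvlan1-namespace-a",
+    "plugins": [
+      {
+        "type": "macvlan",
+        "mode": "bridge",
+        "ipam":{
+          "type":"host-local",
+          "subnet":"2.2.10.0/24",
+          "rangeStart":"2.2.10.10",
+          "rangeEnd":"2.2.10.19"
+        }
+      }]
+  }'
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: test-namespace-b
+  name: macvlan1-namespace-b
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "name": "macvlan1-namespace-b",
+    "plugins": [
+      {
+        "type": "macvlan",
+        "mode": "bridge",
+        "ipam":{
+          "type":"host-local",
+          "subnet":"2.2.10.0/24",
+          "rangeStart":"2.2.10.20",
+          "rangeEnd":"2.2.10.29"
+        }
+      }]
+  }'
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  namespace: test-namespace-c
+  name: macvlan1-namespace-c
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "name": "macvlan1-namespace-c",
+    "plugins": [
+      {
+        "type": "macvlan",
+        "mode": "bridge",
+        "ipam":{
+          "type":"host-local",
+          "subnet":"2.2.10.0/24",
+          "rangeStart":"2.2.10.30",
+          "rangeEnd":"2.2.10.39"
+        }
+      }]
+  }'
+---
+
+
+# Pods in namespace A
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-1
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-a
+  labels:
+    name: pod-1
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-2
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-a
+  labels:
+    name: pod-2
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+# Pods in namespace B
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-1
+  namespace: test-namespace-b
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-b
+  labels:
+    name: pod-1
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-2
+  namespace: test-namespace-b
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-b
+  labels:
+    name: pod-2
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+# Pods in namespace C
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-1
+  namespace: test-namespace-c
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-c
+  labels:
+    name: pod-1
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-2
+  namespace: test-namespace-c
+  annotations:
+    k8s.v1.cni.cncf.io/networks: macvlan1-namespace-c
+  labels:
+    name: pod-2
+spec:
+  containers:
+  - name: macvlan-worker1
+    image: ghcr.io/k8snetworkplumbingwg/multi-networkpolicy-iptables:e2e-test
+    command: ["nc", "-klp", "5555"]
+    securityContext:
+      privileged: true
+---
+apiVersion: k8s.cni.cncf.io/v1beta1
+kind: MultiNetworkPolicy
+metadata:
+  name: test-multinetwork-policy-namespace-a
+  namespace: test-namespace-a
+  annotations:
+    k8s.v1.cni.cncf.io/policy-for: test-namespace-a/macvlan1-namespace-a,test-namespace-b/macvlan1-namespace-b,test-namespace-c/macvlan1-namespace-c
+spec:
+  podSelector:
+    matchLabels:
+      name: pod-1
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          name: pod-1
+      namespaceSelector:
+        matchLabels:
+          name: test-namespace-b
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          name: pod-2
+      namespaceSelector:
+        matchLabels:
+          name: test-namespace-b
+  policyTypes:
+  - Ingress
+  - Egress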
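Review bot: Every test pod carries `securityContext: privileged: true` (file lines 116–117 and the five copies below) although the only workload is `nc -klp 5555`, which needs no extra capabilities to bind a port; unless the e2e image requires it for something not visible in this manifest, the block should be dropped, and if it is required a comment above it should say what for, since a privileged pod attached to a macvlan bridge is a poor default in a security-policy test suite. The three NADs deliberately share `2.2.10.0/24` with disjoint host-local ranges (.10–.19, .20–.29, .30–.39) so that pods in different namespaces are L2-reachable and the policy is the only thing standing between them; that premise deserves a comment above the first NAD, e.g. `# All three NADs use the same subnet with non-overlapping host-local ranges so cross-namespace pods can reach each other`. The `policy-for` annotation at line 212 listing NADs from all three namespaces is what exercises the commit's peer-pod change; a comment such as `# policy-for spans NADs in three namespaces: peers on any of them are subject to this policy` would tell the next reader why the list is not just the local NAD. The ingress/egress rules match namespaces by the manifest-set `name:` label; that works because the Namespace objects above set it, but it is worth noting that the automatic `kubernetes.io/metadata.name` label would remove that dependency.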
