Update network-policy ldap deployment and test

This updates the script for deploying ldap in the network policy
job to accept ingress traffic from prometheus pods.

This also updates the network policy test to account for return
values with more than one result when checking for a pod to use,
as well as selecting pods by application and component labels
instead of simply grepping for a name (as this could cause issues
with grepping for 'fluentd', when that could return both fluentd
and fluentd-exporter pods, for example)

Change-Id: I12a4029f574ea7d5b250709adef21b07d8cf0220
Steve Wilkerson 2019-01-31 14:25:43 -06:00
parent 6ef3f58fb8
commit 25e4e5662e
2 changed files with 14 additions and 12 deletions


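@@ -40,6 +40,9 @@ network_policy:
 - podSelector:
 matchLabels:
 application: kibana
+- podSelector:
+matchLabels:
+application: prometheus
 ports:
 - protocol: TCP
 port: 389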
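Review bot: The new `application: prometheus` selector is appended to the same ingress rule as kibana, so it grants prometheus pods access to the LDAP service port 389 listed under `ports` rather than to a metrics endpoint; if prometheus only needs to scrape an exporter, a separate rule carrying that port would be the narrower allow. A short comment above the new selector, e.g. `# prometheus must reach LDAP on 389 for <reason>`, would keep this rule from being widened further without a stated justification. A bare `podSelector` without a `namespaceSelector` matches only pods in the policy's own namespace, which appears to be the intent here. The enclosing `ingress` rule starts before this hunk.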


@ -16,14 +16,15 @@
set -xe set -xe
# test_netpol(namespace, component, target_host, expected_result{fail,success}) # test_netpol(namespace, application label, component label, target_host, expected_result{fail,success})
function test_netpol { function test_netpol {
NS=$1 NS=$1
COMPONENT=$2 APPLICATION=$2
HOST=$3 COMPONENT=$3
STATUS=$4 HOST=$4
echo Testing connection from $COMPONENT to host $HOST with namespace $NS STATUS=$5
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}') echo Testing connection from component:$COMPONENT, application:$APPLICATION to host $HOST with namespace $NS
POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21)) PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
@ -36,13 +37,11 @@ function test_netpol {
fi fi
} }
# Doing negative tests # Doing negative tests
test_netpol osh-infra mariadb-server elasticsearch.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb-server nagios.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
test_netpol osh-infra mariadb-server prometheus.osh-infra.svc.cluster.local fail test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
# Doing positive tests # Doing positive tests
test_netpol osh-infra grafana mariadb.osh-infra.svc.cluster.local:3306 success test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
echo Test successfully echo Test successfully
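Review bot: In the new pod lookup on the `POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)` line, nothing checks that the selector matched anything: if no Running pod carries those labels, `$POD` is empty and the following `kubectl get pods --namespace $NS $POD` silently lists every pod in the namespace before `docker inspect` fails with an unrelated "requires at least 1 argument" error. A guard such as `[ -n "$POD" ] || { echo "no Running pod with application=$APPLICATION,component=$COMPONENT in $NS" >&2; exit 1; }` right after the assignment would make that failure explicit. The `grep Running` filter also matches that word in any column of the table output; `--field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}'` selects on the phase field itself and replaces the `grep`/`cut`/`head` chain, assuming the job's kubectl is recent enough for field selectors. test_netpol's body is split across the two hunks, and none of the positive tests exercises the prometheus-to-LDAP allow rule the other file in this commit adds, so that new rule is not covered by this test.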