Update network-policy ldap deployment and test
This updates the script for deploying ldap in the network policy job to accept ingress traffic from prometheus pods. This also updates the network policy test to account for return values with more than one result when checking for a pod to use, as well as selecting pods by application and component labels instead of simply grepping for a name (as this could cause issues when grepping for 'fluentd', which could return both fluentd and fluentd-exporter pods, for example). Change-Id: I12a4029f574ea7d5b250709adef21b07d8cf0220
parent
6ef3f58fb8
commit
25e4e5662e
@ -40,6 +40,9 @@ network_policy:
|
|||||||
- podSelector:
|
- podSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
application: kibana
|
application: kibana
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
application: prometheus
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 389
|
port: 389
|
||||||
|
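Review bot: The added ingress entry selects on `application: prometheus` alone, so every pod in the policy's namespace that carries that label is admitted to port 389, whereas the test script changed in this same commit now identifies pods by both application and component labels. If only one prometheus component is an LDAP client, adding a `component:` match under the new `matchLabels:` would keep the rule as narrow as the test's selection. A one-line comment above the new `- podSelector:` stating which prometheus component needs LDAP and why would also help a reader judge the rule later; the reason is not visible in this hunk. The enclosing network_policy block starts before this hunk.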
@ -16,14 +16,15 @@
|
|||||||
|
|
||||||
set -xe
|
set -xe
|
||||||
|
|
||||||
# test_netpol(namespace, component, target_host, expected_result{fail,success})
|
# test_netpol(namespace, application label, component label, target_host, expected_result{fail,success})
|
||||||
function test_netpol {
|
function test_netpol {
|
||||||
NS=$1
|
NS=$1
|
||||||
COMPONENT=$2
|
APPLICATION=$2
|
||||||
HOST=$3
|
COMPONENT=$3
|
||||||
STATUS=$4
|
HOST=$4
|
||||||
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
|
STATUS=$5
|
||||||
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
|
echo Testing connection from component:$COMPONENT, application:$APPLICATION to host $HOST with namespace $NS
|
||||||
|
POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)
|
||||||
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
|
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
|
||||||
if [ "x${STATUS}" == "xfail" ]; then
|
if [ "x${STATUS}" == "xfail" ]; then
|
||||||
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
|
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
|
||||||
@ -36,13 +37,11 @@ function test_netpol {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
# Doing negative tests
|
# Doing negative tests
|
||||||
test_netpol osh-infra mariadb-server elasticsearch.osh-infra.svc.cluster.local fail
|
test_netpol osh-infra mariadb server elasticsearch.osh-infra.svc.cluster.local fail
|
||||||
test_netpol osh-infra mariadb-server nagios.osh-infra.svc.cluster.local fail
|
test_netpol osh-infra mariadb server nagios.osh-infra.svc.cluster.local fail
|
||||||
test_netpol osh-infra mariadb-server prometheus.osh-infra.svc.cluster.local fail
|
test_netpol osh-infra mariadb server prometheus.osh-infra.svc.cluster.local fail
|
||||||
|
|
||||||
# Doing positive tests
|
# Doing positive tests
|
||||||
test_netpol osh-infra grafana mariadb.osh-infra.svc.cluster.local:3306 success
|
test_netpol osh-infra grafana dashboard mariadb.osh-infra.svc.cluster.local:3306 success
|
||||||
|
|
||||||
echo Test successfully
|
echo Test successfully
|
||||||
|
|
||||||
|
|
||||||
|
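Review bot: The new lookup `POD=$(kubectl -n $NS get pod -l application=$APPLICATION,component=$COMPONENT | grep Running | cut -f 1 -d " " | head -n 1)` leaves POD empty when no Running pod matches the labels, and because the pipeline's status is that of `head` the script's `set -xe` does not stop there; the docker inspect on the next line then runs with an empty pod name and presumably fails with an unrelated error. Add a guard directly after it: `[ -n "$POD" ] || { echo "no Running pod for application=${APPLICATION},component=${COMPONENT} in ${NS}" >&2; exit 1; }`. The updated header comment could also state that the first matching pod is used when several are Running, since `head -n 1` now makes that choice silently. The commit's values change admits prometheus ingress to ldap on 389, but the second hunk adds no positive `test_netpol` call for that path (prometheus application label, its component label, the ldap service host with :389, `success`), so the new rule stays untested. The body of test_netpol continues outside the first hunk.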