openstack/openstack-helm
Code Issues Proposed changes
3811eedefe
openstack-helm/tools/deployment/common/test-networkpolicy.sh
Tin Lam 29f32a07ac Enable network policy enforcement 
This patch set updates the gate to by default uses network policy
for all components and enforces them in Openstack-helm.

Change-Id: I70c90b5808075797f02670f21481a4f968205325
Depends-On: I78e87ef3276e948ae4dd2eb462b4b8012251c8c8
Co-Authored-By: Mike Pham <tp6510@att.com>
Signed-off-by: Tin Lam <tin@irrational.io>
2018-10-23 14:58:13 +00:00

51 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
# test_netpol(namespace, component, target_host, expected_result{fail,success})
function test_netpol {
NS=$1
COMPONENT=$2
HOST=$3
STATUS=$4
echo Testing connection from $COMPONENT to host $HOST with namespace $NS
POD=$(kubectl -n $NS get pod | grep $COMPONENT | grep Running | awk '{print $1}')
PID=$(sudo docker inspect --format '{{ .State.Pid }}' $(kubectl get pods --namespace $NS $POD -o jsonpath='{.status.containerStatuses[0].containerID}' | cut -c 10-21))
if [ "x${STATUS}" == "xfail" ]; then
if ! sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST ; then
echo "Connection timed out; as expected by policy."
else
exit 1
fi
else
sudo nsenter -t $PID -n wget --spider --timeout=5 --tries=1 $HOST
fi
}
# Doing negative tests
test_netpol openstack keystone-api heat-api.openstack.svc.cluster.local fail
test_netpol openstack keystone-api glance-api.openstack.svc.cluster.local fail
test_netpol openstack mariadb-server rabbitmq.openstack.svc.cluster.local:5672 fail
test_netpol openstack rabbitmq-rabbitmq memcached.openstack.svc.cluster.local:11211 fail
test_netpol openstack memcached mariadb.openstack.svc.cluster.local:3306 fail
# Doing positive tests
test_netpol openstack keystone-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack keystone-api rabbitmq.openstack.svc.cluster.local:5672 success
test_netpol openstack heat-api mariadb.openstack.svc.cluster.local:3306 success
test_netpol openstack glance-api mariadb.openstack.svc.cluster.local:3306 success
echo Test successfully
View Git Blame Copy Permalink