search

kubernetes-sigs / network-policy-api

This repo addresses further work involving Kubernetes network security beyond the initial NetworkPolicy resource
Apache License 2.0
51 stars 29 forks source link

Remove k8s.io/kubernetes from project dependency #129

Closed Dyanngg closed 12 months ago

Dyanngg commented 1 year ago

Currently the network-policy-api uses k8s.io/kubernetes module as a dependency, which is being clearly stated as unsupported in https://github.com/kubernetes/kubernetes/issues/79384.

Upon review, it seems that the only module which uses k8s.io/kubernetes is conformance, and all references could be refactored so that the project no longer directly imports k8s:

  1. all k8s.io/kubernetes/test/e2e/framework.ExpectNoError => github.com/stretchr/testify/require.NoErrorf, which is also common in other conformance suites like Gateway API.
  2. Use client-go to issue exec commands to Pods instead of k8s.io/kubernetes/test/e2e/framework/kubectl.RunKubectl
  3. Remove references to upstream k8s e2e config flags, which is not used in the project anyways.

This PR also partially addresses #108 as it cleans up the pokeServer utility function a bit. Conformance test passes before and after this change, on a local testbed with Antrea deployed:

--- PASS: TestConformance (316.97s)
    --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP (13.24s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_an_'allow-egress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.22s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_an_'allow-egress'_policy_for_SCTP_protocol_at_the_specified_port (3.19s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_an_'deny-egress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (6.21s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_a_'deny-egress'_policy_for_SCTP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_an_'pass-egress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressSCTP/Should_support_a_'pass-egress'_policy_for_SCTP_protocol_at_the_specified_port (0.21s)
    --- PASS: TestConformance/AdminNetworkPolicyEgressTCP (13.25s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_an_'allow-egress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.18s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_an_'allow-egress'_policy_for_TCP_protocol_at_the_specified_port (3.22s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_an_'deny-egress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (6.23s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_a_'deny-egress'_policy_for_TCP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_an_'pass-egress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.21s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressTCP/Should_support_a_'pass-egress'_policy_for_TCP_protocol_at_the_specified_port (0.19s)
    --- PASS: TestConformance/AdminNetworkPolicyEgressUDP (13.24s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_an_'allow-egress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_an_'allow-egress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_an_'deny-egress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (6.21s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_a_'deny-egress'_policy_for_UDP_protocol_at_the_specified_port (3.22s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_an_'pass-egress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyEgressUDP/Should_support_a_'pass-egress'_policy_for_UDP_protocol_at_the_specified_port (0.19s)
    --- PASS: TestConformance/AdminNetworkPolicyGress (59.33s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_an_'allow-gress'_policy_across_different_protocols (0.58s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_an_'allow-gress'_policy_across_different_protocols_at_the_specified_ports (19.17s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_an_'deny-gress'_policy_across_different_protocols (18.60s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_a_'deny-gress'_policy_across_different_protocols_at_the_specified_ports (19.20s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_an_'pass-gress'_policy_across_different_protocols (0.61s)
        --- PASS: TestConformance/AdminNetworkPolicyGress/Should_support_a_'pass-gress'_policy_across_different_protocols_at_the_specified_ports (1.14s)
    --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP (13.29s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_an_'allow-ingress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_an_'allow-ingress'_policy_for_SCTP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_an_'deny-ingress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (6.22s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_a_'deny-ingress'_policy_for_SCTP_protocol_at_the_specified_port (3.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_an_'pass-ingress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressSCTP/Should_support_a_'pass-ingress'_policy_for_SCTP_protocol_at_the_specified_port (0.24s)
    --- PASS: TestConformance/AdminNetworkPolicyIngressTCP (13.23s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_an_'allow-ingress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.18s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_an_'allow-ingress'_policy_for_TCP_protocol_at_the_specified_port (3.19s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_an_'deny-ingress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (6.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_a_'deny-ingress'_policy_for_TCP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_an_'pass-ingress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressTCP/Should_support_a_'pass-ingress'_policy_for_TCP_protocol_at_the_specified_port (0.23s)
    --- PASS: TestConformance/AdminNetworkPolicyIngressUDP (13.24s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_an_'allow-ingress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.19s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_an_'allow-ingress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_an_'deny-ingress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (6.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_a_'deny-ingress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_an_'pass-ingress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.22s)
        --- PASS: TestConformance/AdminNetworkPolicyIngressUDP/Should_support_a_'pass-ingress'_policy_for_UDP_protocol_at_the_specified_port (0.21s)
    --- PASS: TestConformance/AdminNetworkPolicyIntegration (25.30s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_Deny_traffic_from_slytherin_to_gryffindor_respecting_ANP (6.19s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_Deny_traffic_to_slytherin_from_gryffindor_respecting_ANP (6.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_support_a_'pass-ingress'_policy_for_ANP_and_respect_the_match_for_network_policy (0.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_support_a_'pass-egress'_policy_for_ANP_and_respect_the_match_for_network_policy (0.20s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_support_a_'pass-ingress'_policy_for_ANP_and_respect_the_match_for_baseline_admin_network_policy (6.21s)
        --- PASS: TestConformance/AdminNetworkPolicyIntegration/Should_support_a_'pass-egress'_policy_for_ANP_and_respect_the_match_for_baseline_admin_network_policy (6.19s)
    --- PASS: TestConformance/AdminNetworkPolicyPriorityField (12.85s)
        --- PASS: TestConformance/AdminNetworkPolicyPriorityField/Should_Deny_traffic_from_slytherin_to_gryffindor_respecting_ANP (6.20s)
        --- PASS: TestConformance/AdminNetworkPolicyPriorityField/Should_Deny_traffic_to_slytherin_from_gryffindor_respecting_ANP (6.19s)
        --- PASS: TestConformance/AdminNetworkPolicyPriorityField/Should_respect_ANP_priority_field;_thus_passing_both_ingress_and_egress_traffic_over_to_BANP (0.41s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressSCTP (12.82s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressSCTP/Should_support_an_'allow-egress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.20s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressSCTP/Should_support_an_'allow-egress'_policy_for_SCTP_protocol_at_the_specified_port (3.19s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressSCTP/Should_support_an_'deny-egress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (6.20s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressSCTP/Should_support_a_'deny-egress'_policy_for_SCTP_protocol_at_the_specified_port (3.21s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressTCP (12.81s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressTCP/Should_support_an_'allow-egress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.19s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressTCP/Should_support_an_'allow-egress'_policy_for_TCP_protocol_at_the_specified_port (3.19s)
Remove k8s.io/kubernetes from project dependency
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressTCP/Should_support_an_'deny-egress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (6.21s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressTCP/Should_support_a_'deny-egress'_policy_for_TCP_protocol_at_the_specified_port (3.19s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressUDP (12.85s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressUDP/Should_support_an_'allow-egress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.18s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressUDP/Should_support_an_'allow-egress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressUDP/Should_support_an_'deny-egress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (6.24s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyEgressUDP/Should_support_a_'deny-egress'_policy_for_UDP_protocol_at_the_specified_port (3.21s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyGress (57.55s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyGress/Should_support_an_'allow-gress'_policy_across_different_protocols (0.59s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyGress/Should_support_an_'allow-gress'_policy_across_different_protocols_at_the_specified_ports (19.15s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyGress/Should_support_an_'deny-gress'_policy_across_different_protocols (18.63s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyGress/Should_support_a_'deny-gress'_policy_across_different_protocols_at_the_specified_ports (19.17s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressSCTP (12.87s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressSCTP/Should_support_an_'allow-ingress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (0.21s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressSCTP/Should_support_an_'allow-ingress'_policy_for_SCTP_protocol_at_the_specified_port (3.19s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressSCTP/Should_support_an_'deny-ingress'_policy_for_SCTP_protocol;_ensure_rule_ordering_is_respected (6.24s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressSCTP/Should_support_a_'deny-ingress'_policy_for_SCTP_protocol_at_the_specified_port (3.21s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressTCP (12.85s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressTCP/Should_support_an_'allow-ingress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (0.18s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressTCP/Should_support_an_'allow-ingress'_policy_for_TCP_protocol_at_the_specified_port (3.18s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressTCP/Should_support_an_'deny-ingress'_policy_for_TCP_protocol;_ensure_rule_ordering_is_respected (6.25s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressTCP/Should_support_a_'deny-ingress'_policy_for_TCP_protocol_at_the_specified_port (3.21s)
    --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressUDP (12.85s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressUDP/Should_support_an_'allow-ingress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (0.21s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressUDP/Should_support_an_'allow-ingress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressUDP/Should_support_an_'deny-ingress'_policy_for_UDP_protocol;_ensure_rule_ordering_is_respected (6.22s)
        --- PASS: TestConformance/BaselineAdminNetworkPolicyIngressUDP/Should_support_a_'deny-ingress'_policy_for_UDP_protocol_at_the_specified_port (3.20s)
PASS
ok      sigs.k8s.io/network-policy-api/conformance  317.883s
netlify[bot] commented 1 year ago

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
Latest commit 1e3b31780db4cb030cf695a38eb81642c4ffd383
Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/64bb04f675bd4100082cd4cb
Deploy Preview https://deploy-preview-129--kubernetes-sigs-network-policy-api.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

k8s-ci-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Dyanngg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/network-policy-api/blob/master/OWNERS)~~ [Dyanngg] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
tssurya commented 12 months ago

err I just realized I don't have an easy way to test this unless this lands and @astoycos includes this in his tagging and I re-pull, so going to approve this for now and then test it.

tssurya commented 12 months ago

/lgtm