openshift / svt

Apache License 2.0

add network policy for all application templates #710

Closed qiliRedHat closed 2 years ago

qiliRedHat commented 2 years ago

https://issues.redhat.com/browse/OCPQE-8916

In 4.10, network policy is supported in the reliability test (https://issues.redhat.com/browse/OCPQE-8911), but a network policy was only added to 'nodejs-postgresql-persistent', which means that to test network policy the application template can only be 'nodejs-postgresql-persistent'. This PR will add network policy for more applications.

Instead of adding a network policy for every application, add a general network policy that works for all application templates, so that there is only one network policy file to maintain.

qiliRedHat commented 2 years ago

Test:

1. Add network policy logging to all test namespaces to verify the network policy is in use:

```shell
for ns in $(oc get ns | grep test | awk '{ print $1 }'); do
  oc annotate ns ${ns} k8s.ovn.org/acl-logging='{ "deny": "alert", "allow": "alert" }'
done
```

2. Verified successfully on multiple namespaces:

```shell
for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node --no-headers=true | awk '{ print $1 }'); do
  oc exec -it $pod -c ovn-controller -n openshift-ovn-kubernetes -- tail -1 /var/log/ovn/acl-audit-log.log
done
```

```
2022-04-11T09:21:13.264Z|41063|acl_log(ovn_pinctrl0)|INFO|name="testuser-10-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:c1,nw_src=10.129.2.197,nw_dst=10.129.2.193,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=50146,tp_dst=5432,tcp_flags=ack
2022-04-11T09:21:22.928Z|37739|acl_log(ovn_pinctrl1)|INFO|name="testuser-11-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:83:00:01,dl_dst=0a:58:0a:83:00:9c,nw_src=10.131.0.182,nw_dst=10.131.0.156,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=38178,tp_dst=5432,tcp_flags=ack
2022-04-11T08:28:49.975Z|14455|acl_log(ovn_pinctrl0)|INFO|name="testuser-6-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:41,nw_src=10.129.2.222,nw_dst=10.128.2.65,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=47266,tp_dst=5432,tcp_flags=ack
```

3. Test passed:

```
2022-04-11 17:36:45,767 - INFO - Reliability test results:
[Function]               |     Total|    Passed|    Failed|
-----------------------------------------------------------
[delete_all_projects]    |        10|        10|         0|
[new_project]            |        20|        20|         0|
[apply]                  |        20|        20|         0|
[check_all_projects]     |        10|        10|         0|
[new_app]                |        20|        20|         0|
[load_app]               |       200|       200|         0|
[build]                  |        10|        10|         0|
[scale_up]               |        20|        20|         0|
[scale_down]             |        10|        10|         0|
[check_pods]             |        20|        20|         0|
[delete_project]         |        10|        10|         0|
-----------------------------------------------------------
```
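As an added example (not code from the svt repository or from this PR), a small Python parser for the ovn-controller ACL audit lines collected in step 2 above: it splits the ACL name into namespace, policy and rule index, counts verdicts per namespace and policy, and flags any denied flows, which is the check one wants when ACL logging is turned on to prove a policy is actually being evaluated. The sample input is the three log lines from the comment plus one constructed `verdict=drop` line; the policy name in that constructed line is an assumption.

```python
import re
from collections import Counter

# One ovn-controller ACL audit line; for an OVN-Kubernetes NetworkPolicy ACL
# the name is "<namespace>_<policy>_<rule-index>".
ACL_LINE = re.compile(
    r'^(?P<ts>[^|]+)\|\d+\|acl_log\([^)]*\)\|\w+\|name="(?P<name>[^"]+)", '
    r'verdict=(?P<verdict>[\w-]+), severity=\w+: (?P<proto>\w+),(?P<fields>.*)$'
)

def parse_acl_line(line):
    """Parse one audit line into a dict; None for non-ACL lines (tail noise)."""
    m = ACL_LINE.match(line.strip())
    if not m:
        return None
    # Namespace and policy names are DNS labels, so "_" is only the separator.
    namespace, _, rest = m["name"].partition("_")
    policy, _, rule = rest.rpartition("_")
    fields = dict(kv.split("=", 1) for kv in m["fields"].split(",") if "=" in kv)
    return {"time": m["ts"], "namespace": namespace, "policy": policy, "rule": rule,
            "verdict": m["verdict"], "proto": m["proto"],
            "src": fields.get("nw_src"), "dst": fields.get("nw_dst"),
            "dst_port": int(fields["tp_dst"]) if "tp_dst" in fields else None}

def summarize(lines):
    """Count verdicts per (namespace, policy) and collect denied flows.
    OVN logs a deny-type ACL with verdict=drop or verdict=reject."""
    counts, denied = Counter(), []
    for rec in filter(None, map(parse_acl_line, lines)):
        counts[(rec["namespace"], rec["policy"], rec["verdict"])] += 1
        if rec["verdict"] in ("drop", "reject"):
            denied.append(rec)
    return counts, denied

# Sample input: the three lines from the test comment plus one constructed drop line.
SAMPLE_LOG = [
    '2022-04-11T09:21:13.264Z|41063|acl_log(ovn_pinctrl0)|INFO|name="testuser-10-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:01,dl_dst=0a:58:0a:81:02:c1,nw_src=10.129.2.197,nw_dst=10.129.2.193,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=50146,tp_dst=5432,tcp_flags=ack',
    '2022-04-11T09:21:22.928Z|37739|acl_log(ovn_pinctrl1)|INFO|name="testuser-11-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:83:00:01,dl_dst=0a:58:0a:83:00:9c,nw_src=10.131.0.182,nw_dst=10.131.0.156,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=38178,tp_dst=5432,tcp_flags=ack',
    '2022-04-11T08:28:49.975Z|14455|acl_log(ovn_pinctrl0)|INFO|name="testuser-6-1_allow-same-namespace_0", verdict=allow, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:01,dl_dst=0a:58:0a:80:02:41,nw_src=10.129.2.222,nw_dst=10.128.2.65,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=47266,tp_dst=5432,tcp_flags=ack',
    '2022-04-11T09:23:40.002Z|41100|acl_log(ovn_pinctrl0)|INFO|name="testuser-12-1_deny-cross-namespace_0", verdict=drop, severity=alert: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:0a,dl_dst=0a:58:0a:81:02:c1,nw_src=10.128.2.10,nw_dst=10.129.2.193,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=41022,tp_dst=5432,tcp_flags=syn',  # constructed
]

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_LOG)
    for (ns, policy, verdict), n in sorted(counts.items()):
        print(f"{ns:16} {policy:24} {verdict:6} {n}")
    for rec in denied:
        print(f"DENIED {rec['src']} -> {rec['dst']}:{rec['dst_port']} ({rec['namespace']}/{rec['policy']})")
```

To run it against a real cluster, feed it the output of the `oc exec ... tail` loop from step 2 (with `tail -n 200` or similar rather than `-1`) instead of `SAMPLE_LOG`.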
qiliRedHat commented 2 years ago

@mffiedler @paigerube14 PTAL