networkpolicy test script for github.com/cloudnativelabs/kube-router/issues/85
###
### Stage 00-new-cluster complete. Logging to /tmp/np-test-logs/00-new-cluster.\{iptables,ipset\}
###
networkpolicy "test-network-policy" created
###
### Stage 01-np-created complete. Logging to /tmp/np-test-logs/01-np-created.\{iptables,ipset\}
###
deployment "test-np-server" created
service "test-np-server" exposed
###
### Stage 02-server-pod-unlabled-created complete. Logging to /tmp/np-test-logs/02-server-pod-unlabled-created.\{iptables,ipset\}
###
deployment "test-np-unlabeled" created
###
### Stage 03-other-unlabeled-created complete. Logging to /tmp/np-test-logs/03-other-unlabeled-created.\{iptables,ipset\}
###
# Stage 03-other-unlabeled-created: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 04-server-pod-labeled-protected complete. Logging to /tmp/np-test-logs/04-server-pod-labeled-protected.\{iptables,ipset\}
###
# Stage 04-server-pod-labeled-protected: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
deployment "test-np-client" created
###
### Stage 05-client-pod-labeled-allowed-created complete. Logging to /tmp/np-test-logs/05-client-pod-labeled-allowed-created.\{iptables,ipset\}
###
# Stage 05-client-pod-labeled-allowed-created: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 05-client-pod-labeled-allowed-created: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 06-server-pod-label-removed complete. Logging to /tmp/np-test-logs/06-server-pod-label-removed.\{iptables,ipset\}
###
# Stage 06-server-pod-label-removed: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 06-server-pod-label-removed: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
pod "test-np-server-2709856125-nrskw" labeled
###
### Stage 07-server-pod-labeled-protected complete. Logging to /tmp/np-test-logs/07-server-pod-labeled-protected.\{iptables,ipset\}
###
# Stage 07-server-pod-labeled-protected: Testing for allowed HTTP connection.
error: pod name must be specified
ERROR: HTTP connection failed from test-np-client. This was not expected.
# Stage 07-server-pod-labeled-protected: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
###
### Stage 08-client-pod-label-removed complete. Logging to /tmp/np-test-logs/08-client-pod-label-removed.\{iptables,ipset\}
###
# Stage 08-client-pod-label-removed: for blocked HTTP connection.
error: pod name must be specified
INFO: HTTP connection failed test-np-client. This was expected.
# Stage 08-client-pod-label-removed: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
deployment "test-np-client" deleted
Error from server (NotFound): services "test-np-client" not found
###
### Stage 09-client-pod-deleted complete. Logging to /tmp/np-test-logs/09-client-pod-deleted.\{iptables,ipset\}
###
# Stage 09-client-pod-deleted: for blocked HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
ERROR: HTTP connection succeeded from test-np-unlabeled. This was not expected.
pod "test-np-unlabeled-2719174803-cshhx" labeled
###
### Stage 10-other-pod-labeled-allowed complete. Logging to /tmp/np-test-logs/10-other-pod-labeled-allowed.\{iptables,ipset\}
###
# Stage 10-other-pod-labeled-allowed: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
networkpolicy "test-network-policy" deleted
###
### Stage 11-np-deleted complete. Logging to /tmp/np-test-logs/11-np-deleted.\{iptables,ipset\}
###
# Stage 11-np-deleted: Testing for allowed HTTP connection.
Connecting to test-np-server (10.3.0.181:80)
INFO: HTTP connection succeeded from test-np-unlabeled. This was expected.
#!/usr/bin/env sh
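# [ -n "${DRY_RUN}" ] && export DRY_RUN="--dry-run"
# Directory for the per-stage iptables/ipset dumps. An existing directory is
# refused so dumps from an earlier run cannot be mixed into this one.
[ -z "${LOGS_DIR}" ] && LOGS_DIR="/tmp/np-test-logs"
if [ -d "${LOGS_DIR}" ]; then
  echo "Error: ${LOGS_DIR} already exists."
  echo
  echo "Please move/delete ${LOGS_DIR} or provide a LOGS_DIR for ${0} to create."
  echo "Example: LOGS_DIR=/tmp/mylogs ${0}"
  exit 1
fi
# The NetworkPolicy manifest under test. The test must be "! -f": the
# previous "-f" check aborted when the manifest existed and let the script
# run on (and `kubectl create -f` fail) when it was missing.
[ -z "${NP_MANIFEST_PATH}" ] && NP_MANIFEST_PATH="/tmp/np-test.yaml"
if [ ! -f "${NP_MANIFEST_PATH}" ]; then
  echo "Error: Couldn't find a networkpolicy manifest file at ${NP_MANIFEST_PATH}"
  echo
  echo "Please put the manifest from the GitHub issue at ${NP_MANIFEST_PATH}"
  echo "or provide an alternative path to this manifest file with NP_MANIFEST_PATH."
  echo "Example: NP_MANIFEST_PATH=/tmp/my-np.yaml ${0}"
  exit 1
fi
# Deployments created in the default namespace and the labels toggled on
# their pods. The labels must match the podSelectors in the manifest.
SERVER_DEPLOYMENT="test-np-server"
CLIENT_DEPLOYMENT="test-np-client"
OTHER_DEPLOYMENT="test-np-unlabeled"
PROTECT_LABEL="np-test=protected"
ALLOW_LABEL="np-test=allowed"
# Trailing '-' makes `kubectl label` remove the key instead of setting it.
NP_DISABLE_LABEL="np-test-"
# kube-router pod whose iptables/ipset state is captured. Only the first
# matching pod is sampled; if kube-router runs one pod per node, its rules
# are those of that node only -- NOTE(review): on a multi-node cluster pick
# the pod on the server pod's node, otherwise the dumps may not show the
# rules that actually enforce traffic to the server.
KR_POD="$(kubectl -n kube-system get pods -l k8s-app=kube-router --output name | head -n 1)"
KR_POD="$(basename "${KR_POD}")"
if [ -z "${KR_POD}" ]; then
  echo "Error: no kube-router pod found in kube-system (label k8s-app=kube-router)."
  echo "Without it the iptables/ipset snapshots cannot be taken."
  exit 1
fi
KR_EXEC="kubectl -n kube-system exec ${KR_POD}"
# Commands are kept as strings and expanded unquoted on purpose (word
# splitting builds the argv); none of the values contain user input.
export IPTABLES_SAVE="${KR_EXEC} iptables-save"
export IPSET_SAVE="${KR_EXEC} ipset save"
export DEFAULT="kubectl -n default"
# Grace period for kube-router to reconcile a change before a snapshot/test.
export DELAY="sleep 15s"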
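# Usage: log_snapshot STAGE
# Waits ${DELAY} for kube-router to reconcile, then dumps the iptables and
# ipset state of the kube-router pod to ${LOGS_DIR}/STAGE.iptables and
# ${LOGS_DIR}/STAGE.ipset.
# Reads globals: LOGS_DIR, DELAY, IPTABLES_SAVE, IPSET_SAVE.
# Returns 0 when both dumps succeeded, 1 when either failed. A failed dump is
# reported on stderr instead of silently leaving an empty file that would
# later be read as "no rules were installed".
log_snapshot()
{
  printf '###\n### Stage %s: Logging to %s/%s.{iptables,ipset}\n###\n' "${1}" "${LOGS_DIR}" "${1}"
  ${DELAY}
  snapshot_rc=0
  if ! ${IPTABLES_SAVE} > "${LOGS_DIR}/${1}.iptables"; then
    echo "WARNING: iptables-save failed for stage ${1}; ${LOGS_DIR}/${1}.iptables is incomplete." >&2
    snapshot_rc=1
  fi
  if ! ${IPSET_SAVE} > "${LOGS_DIR}/${1}.ipset"; then
    echo "WARNING: ipset save failed for stage ${1}; ${LOGS_DIR}/${1}.ipset is incomplete." >&2
    snapshot_rc=1
  fi
  return "${snapshot_rc}"
}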
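# Usage: test_http DEPLOYMENT
# Runs `wget --spider` against the server Service from the first pod of
# DEPLOYMENT, looked up by its run=DEPLOYMENT label in the default namespace.
# Reads globals: DEFAULT, SERVER_DEPLOYMENT. Sets CLIENT_POD.
# Returns:
#   0 - the HTTP request succeeded
#   1 - the request failed (what a denying policy looks like; a pod that is
#       not yet Running also lands here, so keep ${DELAY} generous)
#   2 - no pod matched the label, so nothing was tested. Callers must not
#       treat this as "blocked": in the recorded run this is what produced
#       the "error: pod name must be specified" lines and let a blocked-
#       connection check pass without ever exercising the policy.
test_http()
{
  # head -n 1 copes with a deployment that briefly has two pods (rollout);
  # it also hides kubectl's exit status, so the emptiness check below is
  # what detects a failed lookup.
  CLIENT_POD="$(basename "$(${DEFAULT} get pods -l "run=${1}" --output name | head -n 1)")"
  if [ -z "${CLIENT_POD}" ]; then
    echo "ERROR: no pod found with label run=${1}; cannot test HTTP from ${1}." >&2
    return 2
  fi
  if ${DEFAULT} exec "${CLIENT_POD}" -- wget --spider --timeout=1 "${SERVER_DEPLOYMENT}"; then
    return 0
  fi
  return 1
}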
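# Usage: test_allowed_http STAGE DEPLOYMENT
# Asserts that DEPLOYMENT's pod can reach the server and prints an INFO or
# ERROR line for the stage log.
# Returns 0 when the connection succeeded, 1 otherwise. A pod-lookup failure
# (test_http exit status 2) is reported as inconclusive rather than as a
# connection failure, so it is not misread as the policy denying traffic.
test_allowed_http()
{
  echo "# Stage ${1}: Testing for allowed HTTP connection."
  test_http "${2}"
  case "$?" in
    0)
      echo "INFO: HTTP connection succeeded from ${2}. This was expected."
      return 0
      ;;
    2)
      echo "ERROR: could not run the HTTP test from ${2} (no pod found). Result is inconclusive."
      return 1
      ;;
    *)
      echo "ERROR: HTTP connection failed from ${2}. This was not expected."
      return 1
      ;;
  esac
}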
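# Usage: test_blocked_http STAGE DEPLOYMENT
# Asserts that DEPLOYMENT's pod can NOT reach the server and prints an INFO
# or ERROR line for the stage log.
# Returns 0 when the connection was refused/timed out, 1 otherwise. A
# pod-lookup failure (test_http exit status 2) is a failure, not a pass: the
# previous version counted any non-zero status as "blocked", so a missing
# client pod made the policy look like it was enforcing.
test_blocked_http()
{
  echo "# Stage ${1}: Testing for blocked HTTP connection."
  test_http "${2}"
  case "$?" in
    0)
      echo "ERROR: HTTP connection succeeded from ${2}. This was not expected."
      return 1
      ;;
    2)
      echo "ERROR: could not run the HTTP test from ${2} (no pod found). Result is inconclusive, not a pass."
      return 1
      ;;
    *)
      echo "INFO: HTTP connection failed from ${2}. This was expected."
      return 0
      ;;
  esac
}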
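mkdir -p "${LOGS_DIR}"
# Every stage runs even after a failed check so one complete set of
# snapshots is produced; FAILED records whether any check missed its
# expected result and becomes the script's exit status.
FAILED=0
STAGE="00-new-cluster"
log_snapshot "${STAGE}"
STAGE="01-np-created"
${DEFAULT} create -f "${NP_MANIFEST_PATH}"
log_snapshot "${STAGE}"
STAGE="02-server-pod-unlabled-created"
# Minimal HTTP server: busybox httpd serving a one-line index.html on :80.
# In the recorded run `kubectl run` created a Deployment -- NOTE(review):
# newer kubectl creates a bare Pod and drops --replicas; the run/label
# commands here are version-sensitive.
${DEFAULT} run "${SERVER_DEPLOYMENT}" --command --image alpine --replicas 1 --port 80 -- sh -c 'echo OK > index.html; httpd -fv'
${DEFAULT} expose deployment "${SERVER_DEPLOYMENT}" --port=80
log_snapshot "${STAGE}"
STAGE="03-other-unlabeled-created"
# A client that never gets the allow label: must be blocked while the
# server carries the protect label.
${DEFAULT} run "${OTHER_DEPLOYMENT}" --command --image alpine --replicas 1 -- sleep 300d
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="04-server-pod-labeled-protected"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${PROTECT_LABEL}"
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="05-client-pod-labeled-allowed-created"
# --labels replaces kubectl run's default run=<name> label, so run=... is
# restated: test_http finds the client pod by that label. Without it every
# client check in the recorded run failed with "pod name must be specified"
# and the allowed-client path was never actually exercised.
${DEFAULT} run "${CLIENT_DEPLOYMENT}" --command \
  --image alpine --replicas 1 --labels="${ALLOW_LABEL},run=${CLIENT_DEPLOYMENT}" \
  -- sleep 300d
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" || FAILED=1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="06-server-pod-label-removed"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${NP_DISABLE_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" || FAILED=1
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="07-server-pod-labeled-protected"
${DEFAULT} label pod -l "run=${SERVER_DEPLOYMENT}" "${PROTECT_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${CLIENT_DEPLOYMENT}" || FAILED=1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="08-client-pod-label-removed"
${DEFAULT} label pod -l "run=${CLIENT_DEPLOYMENT}" "${NP_DISABLE_LABEL}"
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${CLIENT_DEPLOYMENT}" || FAILED=1
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="09-client-pod-deleted"
${DEFAULT} delete deployment "${CLIENT_DEPLOYMENT}"
# No Service was ever exposed for the client, so there is nothing else to
# delete here (the recorded run's "services ... not found" came from that).
log_snapshot "${STAGE}"
test_blocked_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="10-other-pod-labeled-allowed"
${DEFAULT} label pod -l "run=${OTHER_DEPLOYMENT}" "${ALLOW_LABEL}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
STAGE="11-np-deleted"
${DEFAULT} delete -f "${NP_MANIFEST_PATH}"
log_snapshot "${STAGE}"
test_allowed_http "${STAGE}" "${OTHER_DEPLOYMENT}" || FAILED=1
# The server/unlabeled deployments and the server Service are left in the
# default namespace for inspection; remove them by hand when done.
exit "${FAILED}"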