diff --git a/test/e2e/framework.go b/test/e2e/framework.go
index a321d135b..d52220c81 100644
--- a/test/e2e/framework.go
+++ b/test/e2e/framework.go
@@ -642,8 +642,7 @@ func applyYAML(filename string, ns string) error {
 return nil
 }
 
-//Temporarily disable traffic check
-/*
+// Temporarily disable traffic check
 func runCommand(cmd string) (string, error) {
 err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, defaultTimeout, false, func(ctx context.Context) (bool, error) {
 var stdout, stderr bytes.Buffer
@@ -665,7 +664,6 @@ func runCommand(cmd string) (string, error) {
 })
 return "", err
 }
-*/
 
 func deleteYAML(filename string, ns string) error {
 cmd := fmt.Sprintf("kubectl delete -f %s -n %s", filename, ns)
diff --git a/test/e2e/nsx_security_policy_test.go b/test/e2e/nsx_security_policy_test.go
index 5bef4affc..60450b090 100644
--- a/test/e2e/nsx_security_policy_test.go
+++ b/test/e2e/nsx_security_policy_test.go
@@ -274,7 +274,6 @@ func TestSecurityPolicyNamedPortWithoutPod(t *testing.T) {
 assertNil(t, err)
 }
 
-/*
 // TestSecurityPolicyNamedPort0 verifies that the traffic of security policy when named port applied.
 // This test is to verify the named port feature of security policy.
 // When appliedTo is in policy level.
@@ -282,9 +281,9 @@ func TestSecurityPolicyNamedPort0(t *testing.T) {
 nsClient := "client"
 nsWeb := "web"
 securityPolicyName := "named-port-policy"
- clientA := "client"
- webA := "web"
- labelWeb := "tcp-deployment"
+ ruleName0 := "all-ingress-isolation"
+ ruleName1 := "all-egress-isolation"
+ var err error
 
 testData.deleteNamespace(nsClient, defaultTimeout)
 testData.deleteNamespace(nsWeb, defaultTimeout)
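Review bot: The `// Temporarily disable traffic check` comment kept above `func runCommand` now sits on a live function rather than on a commented-out block, so it reads as stale once the `/*` below it is removed; replace it with a doc comment that describes the function, e.g. `// runCommand executes cmd, retrying once a second until it succeeds or defaultTimeout elapses, and returns its output together with the final error.` The same leftover applies to the matching `-*/` hunk at @@ -665. runCommand's body continues outside the hunk, so the exact return contract should be confirmed against the full function before settling the wording.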
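Review bot: The rule-name literals `"all-ingress-isolation"` and `"all-egress-isolation"` introduced in TestSecurityPolicyNamedPort0 are repeated verbatim in the corresponding hunks of TestSecurityPolicyNamedPort1, 2, 3 and 5, and `"TCP.mysql-port.TCP.3306-egress-allow"` likewise in NamedPort4 and 5; they encode the controller's rule-naming scheme, so a single package-level `const` block would keep every test in step when that scheme changes. Something like `const ruleNameAllIngressIsolation = "all-ingress-isolation"` alongside a sibling for the egress name would do, with each test referring to the constants instead of a local literal. The enclosing function continues outside the hunk.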
@@ -298,27 +297,39 @@ func TestSecurityPolicyNamedPort0(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
- psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ // Temporarily disable traffic check
+ /*
+ clientA := "client"
+ webA := "web"
+ labelWeb := "tcp-deployment"
+
+ // Wait for pods
+ ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
+ psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, true)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, true)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
 assertNil(t, err)
 
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ // Temporarily disable traffic check
+ /*
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -328,7 +339,9 @@ func TestSecurityPolicyNamedPort0(t *testing.T) {
 // Check nsx-t resource not existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, false)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 assertNil(t, err)
 }
 
@@ -339,9 +352,9 @@ func TestSecurityPolicyNamedPort1(t *testing.T) {
 nsClient := "client"
 nsWeb := "web"
 securityPolicyName := "named-port-policy"
- clientA := "client"
- webA := "web"
- labelWeb := "tcp-deployment"
+ ruleName0 := "all-ingress-isolation"
+ ruleName1 := "all-egress-isolation"
+ var err error
 
 testData.deleteNamespace(nsClient, defaultTimeout)
 testData.deleteNamespace(nsWeb, defaultTimeout)
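Review bot: The `waitForCRReadyOrDeleted(..., Ready)` call and its assertNil are moved inside the `/* ... */` block together with the pod waits, but it is a readiness check rather than a traffic check, so the test now asserts the NSX rules exist without first confirming the SecurityPolicy CR reconciled to Ready; `waitForResourceExistOrNot` presumably polls, but a policy that stalls short of Ready after its rules appear would no longer be caught. Keep the two lines `err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)` and `assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)` outside the comment block. The same applies to the hunks at @@ -355, @@ -412, @@ -479, @@ -540 and @@ -608. With the netcat checks disabled these tests now verify object realization only, not enforcement; a `t.Skip`-style gate or a tracked TODO in the comment would make that coverage gap visible in test output instead of hiding it in a block comment. The enclosing function starts outside the hunk.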
@@ -355,27 +368,39 @@ func TestSecurityPolicyNamedPort1(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
- psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ // Temporarily disable traffic check
+ /*
+ clientA := "client"
+ webA := "web"
+ labelWeb := "tcp-deployment"
+
+ // Wait for pods
+ ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
+ psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, true)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, true)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
 assertNil(t, err)
 
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ // Temporarily disable traffic check
+ /*
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -385,7 +410,9 @@ func TestSecurityPolicyNamedPort1(t *testing.T) {
 // Check nsx-t resource not existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, false)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 assertNil(t, err)
 }
 
@@ -396,9 +423,10 @@ func TestSecurityPolicyNamedPort2(t *testing.T) {
 nsClient := "client"
 nsWeb := "web"
 securityPolicyName := "named-port-policy"
+ ruleName0 := "all-ingress-isolation"
+ ruleName1 := "all-egress-isolation"
 clientA := "client"
- webA := "web"
- labelWeb := "tcp-deployment"
+ var err error
 
 testData.deleteNamespace(nsClient, defaultTimeout)
 testData.deleteNamespace(nsWeb, defaultTimeout)
@@ -412,20 +440,28 @@ func TestSecurityPolicyNamedPort2(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
- psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ // Temporarily disable traffic check
+ /*
+ webA := "web"
+ labelWeb := "tcp-deployment"
+
+ // Wait for pods
+ ps, err := testData.podWaitForIPs(defaultTimeout, clientA, nsClient)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", clientA)
+ psb, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod %s", webA)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, true)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, true)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
 assertNil(t, err)
 
 // Label ns
@@ -433,11 +469,14 @@ func TestSecurityPolicyNamedPort2(t *testing.T) {
 _, err = runCommand(cmd)
 assertNil(t, err, "Error when running command %s", cmd)
 
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
- err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
- assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ // Temporarily disable traffic check
+ /*
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[0], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ err = testData.runNetcatCommandFromPod(nsClient, clientA, clientA, psb[1], 80)
+ assertNil(t, err, "Error when running nc command from Pod %s", clientA)
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -447,7 +486,9 @@ func TestSecurityPolicyNamedPort2(t *testing.T) {
 // Check nsx-t resource not existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, false)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 assertNil(t, err)
 }
 
@@ -457,10 +498,9 @@ func TestSecurityPolicyNamedPort2(t *testing.T) {
 func TestSecurityPolicyNamedPort3(t *testing.T) {
 nsDB := "db"
 nsWeb := "web"
- containerName := "web"
 securityPolicyName := "named-port-policy"
- labelWeb := "tcp-deployment"
- labelDB := "mysql"
+ ruleName0 := "all-ingress-isolation"
+ ruleName1 := "all-egress-isolation"
 
 testData.deleteNamespace(nsDB, defaultTimeout)
 testData.deleteNamespace(nsWeb, defaultTimeout)
@@ -479,26 +519,38 @@ func TestSecurityPolicyNamedPort3(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
+ // Temporarily disable traffic check
+ /*
+ containerName := "web"
+ labelWeb := "tcp-deployment"
+ labelDB := "mysql"
 
- _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ // Wait for pods
+ ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
+
+ _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, true)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, true)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
 assertNil(t, err)
 
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ // Temporarily disable traffic check
+ /*
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
+ assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -508,7 +560,9 @@ func TestSecurityPolicyNamedPort3(t *testing.T) {
 // Check nsx-t resource not existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName0, false)
+ assertNil(t, err)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 assertNil(t, err)
 }
 
@@ -518,10 +572,8 @@ func TestSecurityPolicyNamedPort3(t *testing.T) {
 func TestSecurityPolicyNamedPort4(t *testing.T) {
 nsDB := "db"
 nsWeb := "web"
- containerName := "web"
 securityPolicyName := "named-port-policy"
- labelWeb := "tcp-deployment"
- labelDB := "mysql"
+ ruleName := "TCP.mysql-port.TCP.3306-egress-allow"
 
 testData.deleteNamespace(nsDB, defaultTimeout)
 testData.deleteNamespace(nsWeb, defaultTimeout)
@@ -540,26 +592,36 @@ func TestSecurityPolicyNamedPort4(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
+ // Temporarily disable traffic check
+ /*
+ containerName := "web"
+ labelWeb := "tcp-deployment"
+ labelDB := "mysql"
 
- _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ // Wait for pods
+ ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
+
+ _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, true)
- assertNil(t, err)
+ // Temporarily disable traffic check
+ /*
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)
+ assertNil(t, err)
 
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
+ assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -569,7 +631,7 @@ func TestSecurityPolicyNamedPort4(t *testing.T) {
 // Check nsx-t resource not existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, securityPolicyName, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, false)
 assertNil(t, err)
 }
 
@@ -580,13 +642,10 @@ func TestSecurityPolicyNamedPort5(t *testing.T) {
 nsDB := "db"
 nsDB2 := "db2"
 nsWeb := "web"
- containerName := "web"
 securityPolicyName := "named-port-policy"
- ruleName := "named-port-policy-0-0-0"
- ruleName1 := "named-port-policy-0-0-1"
- labelWeb := "tcp-deployment"
- labelDB := "mysql"
- labelDB2 := "mysql2"
+ ruleName := "TCP.mysql-port.TCP.3306-egress-allow"
+ ruleName1 := "TCP.mysql-port.TCP.1234-egress-allow"
+ ruleName2 := "all-egress-isolation"
 
 testData.deleteNamespace(nsDB, defaultTimeout)
 testData.deleteNamespace(nsDB2, defaultTimeout)
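Review bot: In TestSecurityPolicyNamedPort4 the existence check `err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)` is placed inside the "Temporarily disable traffic check" block although it is not a traffic check, while the matching `ruleName, false` assertion in the @@ -569 hunk stays live; the post-delete check therefore passes whether or not the rule was ever realized, so it no longer proves anything. Either move the `true` check and its `assertNil(t, err)` back out of the comment, or, if the rule is only expected once the named port resolves against running pods, say so in the comment and disable the `false` check alongside it. TestSecurityPolicyNamedPort5 has the same asymmetry for `ruleName` and `ruleName1` in the hunks at @@ -608 and @@ -641, whose `false` checks remain live at @@ -662. The enclosing function starts outside the hunk.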
@@ -608,32 +667,45 @@ func TestSecurityPolicyNamedPort5(t *testing.T) {
 _ = applyYAML(podPath, "")
 defer deleteYAML(podPath, "")
 
- // Wait for pods
- ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
+ // Temporarily disable traffic check
+ /*
+ containerName := "web"
+ labelWeb := "tcp-deployment"
+ labelDB := "mysql"
+ labelDB2 := "mysql2"
 
- ps2, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB2, labelDB2)
- t.Logf("Pods are %v", ps2)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB2)
+ // Wait for pods
+ ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
+ t.Logf("Pods are %v", ps)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
 
- _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ ps2, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB2, labelDB2)
+ t.Logf("Pods are %v", ps2)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB2)
+
+ _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
+ t.Logf("Pods are %v", psb)
+ assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
+ err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
+ assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
+ */
 
 // Check nsx-t resource existing
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
 assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName2, true)
 assertNil(t, err)
-
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 1234)
- assertNotNil(t, err, "Error when running nc command from Pod %s", "web")
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ // Temporarily disable traffic check
+ /*
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)
+ assertNil(t, err)
+
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 1234)
+ assertNotNil(t, err, "Error when running nc command from Pod %s", "web")
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
+ assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ */
 
 // Label ns
 cmd = fmt.Sprintf("kubectl label ns %s %s=%s --overwrite", nsDB2, "role", "db")
@@ -641,14 +713,17 @@ func TestSecurityPolicyNamedPort5(t *testing.T) {
 assertNil(t, err, "Error when running command %s", cmd)
 err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
 assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
- assertNil(t, err)
-
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 1234)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ // Temporarily disable traffic check
+ /*
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
+ assertNil(t, err)
+
+ // Nc from pod
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 1234)
+ assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
+ assertNil(t, err, "Error when running nc command from Pod %s", "web")
+ */
 
 // Delete all
 _ = deleteYAML(podPath, "")
@@ -662,171 +737,7 @@ func TestSecurityPolicyNamedPort5(t *testing.T) {
 assertNil(t, err)
 err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
 assertNil(t, err)
-}
-
-// TestSecurityPolicyNamedPort6 verifies that the traffic of security policy when named port applied.
-// This test is to verify the named port feature of security policy.
-// When appliedTo is in rule level and there is destination selector in rule.
-// If the port number is the same in multiple pods, then there should be only one rule created,
-// and the ip set group consists of multiple ips and the port number is only one.
-func TestSecurityPolicyNamedPort6(t *testing.T) {
- nsDB := "db"
- nsDB2 := "db2"
- nsWeb := "web"
- containerName := "web"
- securityPolicyName := "named-port-policy"
- ruleName := "named-port-policy-0-0-0"
- ruleName1 := "named-port-policy-0-0-1"
- labelWeb := "tcp-deployment"
- labelDB := "mysql"
- labelDB2 := "mysql2"
-
- testData.deleteNamespace(nsDB, defaultTimeout)
- testData.deleteNamespace(nsDB2, defaultTimeout)
- testData.deleteNamespace(nsWeb, defaultTimeout)
- _ = testData.createNamespace(nsDB)
- _ = testData.createNamespace(nsDB2)
- _ = testData.createNamespace(nsWeb)
- defer testData.deleteNamespace(nsDB, defaultTimeout)
- defer testData.deleteNamespace(nsDB2, defaultTimeout)
- defer testData.deleteNamespace(nsWeb, defaultTimeout)
-
- // Label ns
- cmd := fmt.Sprintf("kubectl label ns %s %s=%s --overwrite", nsDB2, "role", "db")
- _, err := runCommand(cmd)
- assertNil(t, err, "Error when running command %s", cmd)
- cmd = fmt.Sprintf("kubectl label ns %s %s=%s --overwrite", nsDB, "role", "db")
- _, err = runCommand(cmd)
- assertNil(t, err, "Error when running command %s", cmd)
-
- // Create all
- podPath, _ := filepath.Abs("./manifest/testSecurityPolicy/rule-out-rule-applied-to-with-dst-with-dup-port.yaml")
- _ = applyYAML(podPath, "")
- defer deleteYAML(podPath, "")
-
- // Wait for pods
- ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
-
- ps2, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB2, labelDB2)
- t.Logf("Pods are %v", ps2)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB2)
-
- _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
-
- // Check nsx-t resource existing
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
- assertNil(t, err)
-
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
-
- // Delete all
- _ = deleteYAML(podPath, "")
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Deleted)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
-
- // Check nsx-t resource not existing
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, false)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
+ err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName2, false)
 assertNil(t, err)
 }
 
-// TestSecurityPolicyNamedPort7 verifies that the traffic of security policy when named port applied.
-// This test is to verify the named port feature of security policy.
-// When appliedTo is in rule level and there is destination selector in rule.
-// If the port number is not the same in multiple pods, then there should be multiple rules created,
-// and each rule has an ip set group, and the port number is also different.
-func TestSecurityPolicyNamedPort7(t *testing.T) {
- nsDB := "db"
- nsDB2 := "db2"
- nsWeb := "web"
- containerName := "web"
- securityPolicyName := "named-port-policy"
- ruleName := "named-port-policy-0-0-0"
- ruleName1 := "named-port-policy-0-0-1"
- labelWeb := "tcp-deployment"
- labelDB := "mysql"
- labelDB2 := "mysql2"
-
- testData.deleteNamespace(nsDB, defaultTimeout)
- testData.deleteNamespace(nsDB2, defaultTimeout)
- testData.deleteNamespace(nsWeb, defaultTimeout)
- _ = testData.createNamespace(nsDB)
- _ = testData.createNamespace(nsDB2)
- _ = testData.createNamespace(nsWeb)
- defer testData.deleteNamespace(nsDB, defaultTimeout)
- defer testData.deleteNamespace(nsDB2, defaultTimeout)
- defer testData.deleteNamespace(nsWeb, defaultTimeout)
-
- // Label ns
- cmd := fmt.Sprintf("kubectl label ns %s %s=%s --overwrite", nsDB2, "role", "db")
- _, err := runCommand(cmd)
- assertNil(t, err, "Error when running command %s", cmd)
- cmd = fmt.Sprintf("kubectl label ns %s %s=%s --overwrite", nsDB, "role", "db")
- _, err = runCommand(cmd)
- assertNil(t, err, "Error when running command %s", cmd)
-
- // Create all
- podPath, _ := filepath.Abs("./manifest/testSecurityPolicy/rule-out-rule-applied-to-with-dst-with-dup-port-multi.yaml")
- _ = applyYAML(podPath, "")
- defer deleteYAML(podPath, "")
-
- // Wait for pods
- ps, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB, labelDB)
- t.Logf("Pods are %v", ps)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB)
-
- ps2, _, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsDB2, labelDB2)
- t.Logf("Pods are %v", ps2)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsDB2)
-
- _, psb, err := testData.deploymentWaitForIPsOrNames(defaultTimeout, nsWeb, labelWeb)
- t.Logf("Pods are %v", psb)
- assertNil(t, err, "Error when waiting for IP for Pod ns %s", nsWeb)
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Ready)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
-
- // Check nsx-t resource existing
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, true)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, true)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, true)
- assertNil(t, err)
-
- // Nc from pod
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps2[0], 1234)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
- err = testData.runNetcatCommandFromPod(nsWeb, psb[0], containerName, ps[0], 3306)
- assertNil(t, err, "Error when running nc command from Pod %s", "web")
-
- // Delete all
- _ = deleteYAML(podPath, "")
- err = testData.waitForCRReadyOrDeleted(defaultTimeout, SP, nsWeb, securityPolicyName, Deleted)
- assertNil(t, err, "Error when waiting for Security Policy %s", securityPolicyName)
-
- // Check nsx-t resource not existing
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeSecurityPolicy, securityPolicyName, false)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName, false)
- assertNil(t, err)
- err = testData.waitForResourceExistOrNot(nsWeb, common.ResourceTypeRule, ruleName1, false)
- assertNil(t, err)
-}
-*/
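Review bot: TestSecurityPolicyNamedPort6 and TestSecurityPolicyNamedPort7 are deleted outright together with the doc comments that described the two duplicate-port scenarios (a single rule whose ip set spans several pods versus one rule per distinct port), whereas every other test in this file is kept with only its traffic checks disabled; the NSX rule and ip-set realization for those scenarios is now untested. If the scenarios are still supported, keeping both tests under the same disable pattern, with the existence checks rewritten to the new rule-name scheme, would retain the realization coverage; if they were removed on purpose, a sentence in the commit message saying why would help the next reader. The manifests `rule-out-rule-applied-to-with-dst-with-dup-port.yaml` and `rule-out-rule-applied-to-with-dst-with-dup-port-multi.yaml` referenced only by the removed functions may now be orphaned under test/e2e/manifest if nothing else loads them.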