fix: utilize admin app for egress anywhere
UnicornChance committed Feb 6, 2025
1 parent 3554036 commit 9634ff4
Showing 4 changed files with 36 additions and 236 deletions.
25 changes: 25 additions & 0 deletions src/test/app-admin.yaml
Expand Up @@ -34,6 +34,15 @@ spec:
uri:
# Only allow routing to /status/410
exact: /status/410
allow:
- direction: Egress
selector:
app: httpbin
remoteGenerated: Anywhere
ports:
- 443
- 8080
- 80
---
apiVersion: v1
kind: ServiceAccount
Expand All @@ -51,6 +60,9 @@ spec:
- name: http
port: 8000
targetPort: 80
- name: port8080
port: 8080
targetPort: 8080
selector:
app: httpbin
---
Expand Down Expand Up @@ -96,3 +108,16 @@ spec:
- ALL
add:
- NET_BIND_SERVICE
- name: curl
image: curlimages/curl
imagePullPolicy: IfNotPresent
command: ["sleep", "3600"]
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
ports:
- containerPort: 8080
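Review bot: The `remoteGenerated: Anywhere` egress rule added at L20-L28 selects `app: httpbin`, and because network policy is applied per pod rather than per container, it opens unrestricted egress on 80/443/8080 for the httpbin server container as well, not only for the `curl` sidecar the commit adds it for; a comment such as `# Egress Anywhere for the curl sidecar — also applies to the httpbin container in this pod` would stop this fixture being read as a least-privilege example. The `curl` container at L46-L58 also lacks the `securityContext` that drops `ALL` capabilities on its sibling container (L43-L45) and pins no tag or digest on `curlimages/curl`, so if the test-admin-app namespace enforces a restricted pod security level the pod may be rejected, and the image is not reproducible across runs. `containerPort: 8080` on a container that only runs `sleep` is declarative, so the new Service port `port8080` (L36-L38) has nothing listening behind it unless httpbin itself serves 8080, which is not visible here. The Deployment spec these containers belong to starts outside the hunk.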
195 changes: 0 additions & 195 deletions src/test/app-curl.yaml
Expand Up @@ -135,67 +135,6 @@ metadata:
---
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
name: curl-3
namespace: curl-test-2
spec:
network:
allow:
- direction: Egress
selector:
app: curl-3
---
apiVersion: v1
kind: Service
metadata:
name: curl-3
namespace: curl-test-2
labels:
name: curl-3
namespace: curl-test-2
spec:
ports:
- name: port8080
port: 8080
targetPort: 8080
selector:
app: curl-3
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: curl-3
namespace: curl-test-2
spec:
replicas: 1
selector:
matchLabels:
app: curl-3
template:
metadata:
labels:
app: curl-3
annotations:
sidecar.istio.io/proxyCPU: "10m"
sidecar.istio.io/proxyMemory: "16Mi"
spec:
containers:
- name: curl-3
image: curlimages/curl
imagePullPolicy: IfNotPresent
command: ["sleep", "3600"]
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
ports:
- containerPort: 8080
---
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
name: curl-4
namespace: curl-test-2
Expand Down Expand Up @@ -267,79 +206,6 @@ spec:
---
apiVersion: v1
kind: Namespace
metadata:
labels:
uds: curl-testing-namespace
name: curl-test-3
---
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
name: curl-5
namespace: curl-test-3
spec:
network:
allow:
- direction: Egress
selector:
app: curl-5
remoteGenerated: Anywhere
ports:
- 443
- 8080
- 80
---
apiVersion: v1
kind: Service
metadata:
name: curl-5
namespace: curl-test-3
labels:
name: curl-5
namespace: curl-test-3
spec:
ports:
- name: port8080
port: 8080
targetPort: 8080
selector:
app: curl-5
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: curl-5
namespace: curl-test-3
spec:
replicas: 1
selector:
matchLabels:
app: curl-5
template:
metadata:
labels:
app: curl-5
annotations:
sidecar.istio.io/proxyCPU: "10m"
sidecar.istio.io/proxyMemory: "16Mi"
spec:
containers:
- name: curl-5
image: curlimages/curl
imagePullPolicy: IfNotPresent
command: ["sleep", "3600"]
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Namespace
metadata:
labels:
uds: curl-testing-namespace
Expand Down Expand Up @@ -556,67 +422,6 @@ metadata:
---
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
name: curl-9
namespace: curl-test-7
spec:
network:
allow:
- direction: Egress
selector:
app: curl-9
---
apiVersion: v1
kind: Service
metadata:
name: curl-9
namespace: curl-test-7
labels:
name: curl-9
namespace: curl-test-7
spec:
ports:
- name: port8080
port: 8080
targetPort: 8080
selector:
app: curl-9
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: curl-9
namespace: curl-test-7
spec:
replicas: 1
selector:
matchLabels:
app: curl-9
template:
metadata:
labels:
app: curl-9
annotations:
sidecar.istio.io/proxyCPU: "10m"
sidecar.istio.io/proxyMemory: "16Mi"
spec:
containers:
- name: curl-9
image: curlimages/curl
imagePullPolicy: IfNotPresent
command: ["sleep", "3600"]
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
ports:
- containerPort: 8080
---
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
name: curl-10
namespace: curl-test-7
24 changes: 0 additions & 24 deletions src/test/tasks.yaml
Expand Up @@ -178,14 +178,6 @@ tasks:
namespace: curl-test-1
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
kind: Pod
name: app=curl-3
namespace: curl-test-2
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
Expand All @@ -194,14 +186,6 @@ tasks:
namespace: curl-test-2
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
kind: Pod
name: app=curl-5
namespace: curl-test-3
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
Expand All @@ -226,14 +210,6 @@ tasks:
namespace: curl-test-6
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
kind: Pod
name: app=curl-9
namespace: curl-test-7
condition: Ready

- description: "Wait for Packages to be Ready"
wait:
cluster:
28 changes: 11 additions & 17 deletions test/jest/network.spec.ts
Expand Up @@ -62,27 +62,21 @@ async function execInPod(namespace: string, podName: string, containerName: stri
}

let curlPodName1 = "";
let curlPodName3 = "";
let curlPodName5 = "";
let testAdminApp = "";
let curlPodName6 = "";
let curlPodName8 = "";
let curlPodName9 = "";

beforeAll(async () => {
[
curlPodName1,
curlPodName3,
curlPodName5,
testAdminApp,
curlPodName6,
curlPodName8,
curlPodName9,
] = await Promise.all([
getPodName("curl-test-1", "app=curl-1"),
getPodName("curl-test-2", "app=curl-3"),
getPodName("curl-test-3", "app=curl-5"),
getPodName("test-admin-app", "app=httpbin"),
getPodName("curl-test-4", "app=curl-6"),
getPodName("curl-test-6", "app=curl-8"),
getPodName("curl-test-7", "app=curl-9"),
]);
});

Expand Down Expand Up @@ -123,7 +117,7 @@ describe("Network Policy Validation", () => {

test.concurrent("Basic Wide Open Ingress and Wide Open Egress", async () => {
// Validate Curl between two pods is successful
const success_response = await execInPod("curl-test-2", curlPodName3, "curl-3", INTERNAL_CURL_COMMAND_2);
const success_response = await execInPod("test-admin-app", testAdminApp, "curl", INTERNAL_CURL_COMMAND_2);
expect(success_response.stdout).toBe("200");

const CURL_INTERNAL_8081 = [
Expand All @@ -137,26 +131,26 @@ describe("Network Policy Validation", () => {
];

// Deny request when port is not allowed on ingress
const denied_incorrect_port_response = await execInPod("curl-test-2", curlPodName3, "curl-3", CURL_INTERNAL_8081);
const denied_incorrect_port_response = await execInPod("test-admin-app", testAdminApp, "curl", CURL_INTERNAL_8081);
expect(denied_incorrect_port_response.stdout).toBe("503");

// Default Deny for undefined Ingress port
const blocked_port_curl = getCurlCommand("curl-4", "curl-test-2", 9999);
const denied_port_response = await execInPod("curl-test-2", curlPodName3, "curl-3", blocked_port_curl);
const denied_port_response = await execInPod("test-admin-app", testAdminApp, "curl", blocked_port_curl);
expect(denied_port_response.stdout).toBe("503");

// Wide open Egress means successful google curl
const successful_google_response = await execInPod("curl-test-2", curlPodName3, "curl-3", GOOGLE_CURL);
const successful_google_response = await execInPod("test-admin-app", testAdminApp, "curl", GOOGLE_CURL);
expect(successful_google_response.stdout).toBe("200");
});

test.concurrent("Anywhere Egress", async () => {
// Validate that request is successful when Egress Anywhere is used
const success_response = await execInPod("curl-test-3", curlPodName5, "curl-5", CURL_EXTERNAL);
const success_response = await execInPod("test-admin-app", testAdminApp, "curl", CURL_EXTERNAL);
expect(success_response.stdout).toBe("200");

// Validate Egress to Google is successful
const successful_google_response = await execInPod("curl-test-3", curlPodName5, "curl-5", GOOGLE_CURL);
const successful_google_response = await execInPod("test-admin-app", testAdminApp, "curl", GOOGLE_CURL);
expect(successful_google_response.stdout).toBe("200");
});

Expand Down Expand Up @@ -205,11 +199,11 @@ describe("Network Policy Validation", () => {

test.concurrent("RemoteCidr Restrictions", async () => {
// Validate successful request when using RemoteCidr
const success_response = await execInPod("curl-test-7", curlPodName9, "curl-9", INTERNAL_CURL_COMMAND_7);
const success_response = await execInPod("test-admin-app", testAdminApp, "curl", INTERNAL_CURL_COMMAND_7);
expect(success_response.stdout).toBe("200");

// Validate successful request to Google because of wide open remoteCidr
const denied_google_response = await execInPod("curl-test-7", curlPodName9, "curl-9", GOOGLE_CURL);
const denied_google_response = await execInPod("test-admin-app", testAdminApp, "curl", GOOGLE_CURL);
expect(denied_google_response.stdout).toBe("200");
});
});
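Review bot: The Google-reachability checks at L382-L385 and L408-L411 now run from the admin app pod, whose package grants `remoteGenerated: Anywhere` egress, so they no longer exercise the selector-only egress rule that the deleted curl-3 and curl-9 packages carried; unless that form is covered elsewhere, the commit drops coverage for it rather than only consolidating pods. The comments should state what is actually asserted now, e.g. `// Admin app has Egress Anywhere, so the Google curl succeeds` in place of L382 and L408, and `denied_google_response` at L409-L411 should become `allowed_google_response` since a 200 is the expected result. All five `test.concurrent` cases also share a single `curl` container through `execInPod`, which is likely fine for short requests but means a hung curl in one test now stalls the others. The enclosing describe block starts outside these hunks.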
