mirror of https://github.com/k3s-io/k3s
360 lines
14 KiB
Go
360 lines
14 KiB
Go
// This test verifies:
|
|
// * externaltrafficpolicy for both local and cluster values
|
|
// * internaltrafficpolicy for both local and cluster values
|
|
// * services firewall based on loadBalancerSourceRanges field
|
|
|
|
package svcpoliciesandfirewall
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
"text/template"
|
|
|
|
"github.com/k3s-io/k3s/tests/e2e"
|
|
. "github.com/onsi/ginkgo/v2"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
// Valid nodeOS: bento/ubuntu-24.04, opensuse/Leap-15.6.x86_64
|
|
var nodeOS = flag.String("nodeOS", "bento/ubuntu-24.04", "VM operating system")
|
|
var serverCount = flag.Int("serverCount", 1, "number of server nodes")
|
|
var agentCount = flag.Int("agentCount", 1, "number of agent nodes")
|
|
var ci = flag.Bool("ci", false, "running on CI")
|
|
var local = flag.Bool("local", false, "deploy a locally built K3s binary")
|
|
|
|
func Test_E2EPoliciesAndFirewall(t *testing.T) {
|
|
flag.Parse()
|
|
RegisterFailHandler(Fail)
|
|
suiteConfig, reporterConfig := GinkgoConfiguration()
|
|
RunSpecs(t, "Services Traffic Policies and Firewall config Suite", suiteConfig, reporterConfig)
|
|
}
|
|
|
|
var (
|
|
kubeConfigFile string
|
|
serverNodeNames []string
|
|
agentNodeNames []string
|
|
nodes []e2e.Node
|
|
)
|
|
|
|
var _ = ReportAfterEach(e2e.GenReport)
|
|
|
|
var _ = Describe("Verify Services Traffic policies and firewall config", Ordered, func() {
|
|
|
|
It("Starts up with no issues", func() {
|
|
var err error
|
|
if *local {
|
|
serverNodeNames, agentNodeNames, err = e2e.CreateLocalCluster(*nodeOS, *serverCount, *agentCount)
|
|
} else {
|
|
serverNodeNames, agentNodeNames, err = e2e.CreateCluster(*nodeOS, *serverCount, *agentCount)
|
|
}
|
|
Expect(err).NotTo(HaveOccurred(), e2e.GetVagrantLog(err))
|
|
fmt.Println("CLUSTER CONFIG")
|
|
fmt.Println("OS:", *nodeOS)
|
|
fmt.Println("Server Nodes:", serverNodeNames)
|
|
fmt.Println("Agent Nodes:", agentNodeNames)
|
|
kubeConfigFile, err = e2e.GenKubeConfigFile(serverNodeNames[0])
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
It("Checks Node Status", func() {
|
|
Eventually(func(g Gomega) {
|
|
var err error
|
|
nodes, err = e2e.ParseNodes(kubeConfigFile, false)
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
for _, node := range nodes {
|
|
g.Expect(node.Status).Should(Equal("Ready"))
|
|
}
|
|
}, "300s", "5s").Should(Succeed())
|
|
_, err := e2e.ParseNodes(kubeConfigFile, true)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
It("Checks Pod Status", func() {
|
|
Eventually(func(g Gomega) {
|
|
pods, err := e2e.ParsePods(kubeConfigFile, false)
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
for _, pod := range pods {
|
|
if strings.Contains(pod.Name, "helm-install") {
|
|
g.Expect(pod.Status).Should(Equal("Completed"), pod.Name)
|
|
} else {
|
|
g.Expect(pod.Status).Should(Equal("Running"), pod.Name)
|
|
}
|
|
}
|
|
}, "300s", "5s").Should(Succeed())
|
|
_, err := e2e.ParsePods(kubeConfigFile, true)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
// Verifies that the service with external traffic policy=local is deployed
|
|
// Verifies that the external-ip is only set to the node IP where the server runs
|
|
// It also verifies that the service with external traffic policy=cluster has both node IPs as externalIP
|
|
It("Verify external traffic policy=local gets set up correctly", func() {
|
|
_, err := e2e.DeployWorkload("loadbalancer.yaml", kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "loadbalancer not deployed")
|
|
_, err = e2e.DeployWorkload("loadbalancer-extTrafficPol.yaml", kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "loadbalancer-extTrafficPol not deployed")
|
|
|
|
// Check where the server pod is running
|
|
var serverNodeName string
|
|
Eventually(func() (string, error) {
|
|
pods, err := e2e.ParsePods(kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "failed to parse pods")
|
|
for _, pod := range pods {
|
|
if strings.Contains(pod.Name, "test-loadbalancer-ext") {
|
|
serverNodeName = pod.Node
|
|
break
|
|
}
|
|
}
|
|
return serverNodeName, nil
|
|
}, "25s", "5s").ShouldNot(BeEmpty(), "server pod not found")
|
|
|
|
var serverNodeIP string
|
|
for _, node := range nodes {
|
|
if node.Name == serverNodeName {
|
|
serverNodeIP = node.InternalIP
|
|
}
|
|
}
|
|
|
|
// Verify there is only one external-ip and it is matching the node IP
|
|
lbSvc := "nginx-loadbalancer-svc"
|
|
lbSvcExt := "nginx-loadbalancer-svc-ext"
|
|
Eventually(func() ([]string, error) {
|
|
return e2e.FetchExternalIPs(kubeConfigFile, lbSvc)
|
|
}, "25s", "5s").Should(HaveLen(2), "external IP count not equal to 2")
|
|
|
|
Eventually(func(g Gomega) {
|
|
externalIPs, _ := e2e.FetchExternalIPs(kubeConfigFile, lbSvcExt)
|
|
g.Expect(externalIPs).To(HaveLen(1), "more than 1 exernalIP found")
|
|
g.Expect(externalIPs[0]).To(Equal(serverNodeIP), "external IP does not match servernodeIP")
|
|
}, "25s", "5s").Should(Succeed())
|
|
})
|
|
|
|
// Verifies that the service is reachable from the outside and the source IP is nos MASQ
|
|
// It also verifies that the service with external traffic policy=cluster can be accessed and the source IP is MASQ
|
|
It("Verify connectivity in external traffic policy=local", func() {
|
|
lbSvc := "nginx-loadbalancer-svc"
|
|
lbSvcExternalIPs, _ := e2e.FetchExternalIPs(kubeConfigFile, lbSvc)
|
|
lbSvcExt := "nginx-loadbalancer-svc-ext"
|
|
lbSvcExtExternalIPs, _ := e2e.FetchExternalIPs(kubeConfigFile, lbSvcExt)
|
|
|
|
// Verify connectivity to the external IP of the lbsvc service and the IP should be the flannel interface IP because of MASQ
|
|
for _, externalIP := range lbSvcExternalIPs {
|
|
Eventually(func() (string, error) {
|
|
cmd := "curl -s " + externalIP + ":81/ip"
|
|
return e2e.RunCommand(cmd)
|
|
}, "25s", "5s").Should(ContainSubstring("10.42"))
|
|
}
|
|
|
|
// Verify connectivity to the external IP of the lbsvcExt service and the IP should not be the flannel interface IP
|
|
Eventually(func() (string, error) {
|
|
cmd := "curl -s " + lbSvcExtExternalIPs[0] + ":82/ip"
|
|
return e2e.RunCommand(cmd)
|
|
}, "25s", "5s").ShouldNot(ContainSubstring("10.42"))
|
|
|
|
// Verify connectivity to the other nodeIP does not work because of external traffic policy=local
|
|
for _, externalIP := range lbSvcExternalIPs {
|
|
if externalIP == lbSvcExtExternalIPs[0] {
|
|
// This IP we already test and it shuold work
|
|
continue
|
|
}
|
|
Eventually(func() error {
|
|
cmd := "curl -s --max-time 5 " + externalIP + ":82/ip"
|
|
_, err := e2e.RunCommand(cmd)
|
|
return err
|
|
}, "40s", "5s").Should(MatchError(ContainSubstring("exit status")))
|
|
}
|
|
})
|
|
|
|
// Verifies that the internal traffic policy=local is deployed
|
|
It("Verify internal traffic policy=local gets set up correctly", func() {
|
|
_, err := e2e.DeployWorkload("loadbalancer-intTrafficPol.yaml", kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "loadbalancer-intTrafficPol not deployed")
|
|
_, err = e2e.DeployWorkload("pod_client.yaml", kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "pod client not deployed")
|
|
|
|
// Check that service exists
|
|
Eventually(func() (string, error) {
|
|
clusterIP, _ := e2e.FetchClusterIP(kubeConfigFile, "nginx-loadbalancer-svc-int", false)
|
|
return clusterIP, nil
|
|
}, "25s", "5s").Should(ContainSubstring("10.43"))
|
|
|
|
// Check that client pods are running
|
|
Eventually(func() string {
|
|
pods, err := e2e.ParsePods(kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
for _, pod := range pods {
|
|
if strings.Contains(pod.Name, "client-deployment") {
|
|
return pod.Status
|
|
}
|
|
}
|
|
return ""
|
|
}, "50s", "5s").Should(Equal("Running"))
|
|
})
|
|
|
|
// Verifies that only the client pod running in the same node as the server pod can access the service
|
|
// It also verifies that the service with internal traffic policy=cluster can be accessed by both client pods
|
|
It("Verify connectivity in internal traffic policy=local", func() {
|
|
var clientPod1, clientPod1Node, clientPod1IP, clientPod2, clientPod2Node, clientPod2IP, serverNodeName string
|
|
Eventually(func(g Gomega) {
|
|
pods, err := e2e.ParsePods(kubeConfigFile, false)
|
|
Expect(err).NotTo(HaveOccurred(), "failed to parse pods")
|
|
for _, pod := range pods {
|
|
if strings.Contains(pod.Name, "test-loadbalancer-int") {
|
|
serverNodeName = pod.Node
|
|
}
|
|
if strings.Contains(pod.Name, "client-deployment") {
|
|
if clientPod1 == "" {
|
|
clientPod1 = pod.Name
|
|
clientPod1Node = pod.Node
|
|
clientPod1IP = pod.IP
|
|
} else {
|
|
clientPod2 = pod.Name
|
|
clientPod2Node = pod.Node
|
|
clientPod2IP = pod.IP
|
|
}
|
|
}
|
|
}
|
|
// As we need those variables for the connectivity test, let's check they are not emtpy
|
|
g.Expect(serverNodeName).ShouldNot(BeEmpty(), "server pod for internalTrafficPolicy=local not found")
|
|
g.Expect(clientPod1).ShouldNot(BeEmpty(), "client pod1 not found")
|
|
g.Expect(clientPod2).ShouldNot(BeEmpty(), "client pod2 not found")
|
|
g.Expect(clientPod1Node).ShouldNot(BeEmpty(), "client pod1 node not found")
|
|
g.Expect(clientPod2Node).ShouldNot(BeEmpty(), "client pod2 node not found")
|
|
g.Expect(clientPod1IP).ShouldNot(BeEmpty(), "client pod1 IP not found")
|
|
g.Expect(clientPod2IP).ShouldNot(BeEmpty(), "client pod2 IP not found")
|
|
}, "25s", "5s").Should(Succeed(), "All pod and names and IPs should be non-empty")
|
|
|
|
// Check that clientPod1Node and clientPod2Node are not equal
|
|
Expect(clientPod1Node).ShouldNot(Equal(clientPod2Node))
|
|
|
|
var workingCmd, nonWorkingCmd string
|
|
if serverNodeName == clientPod1Node {
|
|
workingCmd = "kubectl --kubeconfig=" + kubeConfigFile + " exec " + clientPod1 + " -- curl -s --max-time 5 nginx-loadbalancer-svc-int:83/ip"
|
|
nonWorkingCmd = "kubectl --kubeconfig=" + kubeConfigFile + " exec " + clientPod2 + " -- curl -s --max-time 5 nginx-loadbalancer-svc-int:83/ip"
|
|
}
|
|
if serverNodeName == clientPod2Node {
|
|
workingCmd = "kubectl --kubeconfig=" + kubeConfigFile + " exec " + clientPod2 + " -- curl -s --max-time 5 nginx-loadbalancer-svc-int:83/ip"
|
|
nonWorkingCmd = "kubectl --kubeconfig=" + kubeConfigFile + " exec " + clientPod1 + " -- curl -s --max-time 5 nginx-loadbalancer-svc-int:83/ip"
|
|
}
|
|
|
|
Eventually(func() (string, error) {
|
|
out, err := e2e.RunCommand(workingCmd)
|
|
return out, err
|
|
}, "25s", "5s").Should(SatisfyAny(
|
|
ContainSubstring(clientPod1IP),
|
|
ContainSubstring(clientPod2IP),
|
|
))
|
|
|
|
// Check the non working command fails because of internal traffic policy=local
|
|
Eventually(func() bool {
|
|
_, err := e2e.RunCommand(nonWorkingCmd)
|
|
if err != nil && strings.Contains(err.Error(), "exit status") {
|
|
// Treat exit status as a successful condition
|
|
return true
|
|
}
|
|
return false
|
|
}, "40s", "5s").Should(BeTrue())
|
|
|
|
// curling a service with internal traffic policy=cluster. It should work on both pods
|
|
for _, pod := range []string{clientPod1, clientPod2} {
|
|
cmd := "kubectl --kubeconfig=" + kubeConfigFile + " exec " + pod + " -- curl -s --max-time 5 nginx-loadbalancer-svc:81/ip"
|
|
Eventually(func() (string, error) {
|
|
return e2e.RunCommand(cmd)
|
|
}, "20s", "5s").Should(SatisfyAny(
|
|
ContainSubstring(clientPod1IP),
|
|
ContainSubstring(clientPod2IP),
|
|
))
|
|
}
|
|
})
|
|
|
|
// Set up the service manifest with loadBalancerSourceRanges
|
|
It("Applies service manifest with loadBalancerSourceRanges", func() {
|
|
// Define the service manifest with a placeholder for the IP
|
|
serviceManifest := `
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: nginx-loadbalancer-svc-ext-firewall
|
|
spec:
|
|
type: LoadBalancer
|
|
loadBalancerSourceRanges:
|
|
- {{.NodeIP}}/32
|
|
ports:
|
|
- port: 82
|
|
targetPort: 80
|
|
protocol: TCP
|
|
name: http
|
|
selector:
|
|
k8s-app: nginx-app-loadbalancer-ext
|
|
`
|
|
// Remove the service nginx-loadbalancer-svc-ext
|
|
_, err := e2e.RunCommand("kubectl --kubeconfig=" + kubeConfigFile + " delete svc nginx-loadbalancer-svc-ext")
|
|
Expect(err).NotTo(HaveOccurred(), "failed to remove service nginx-loadbalancer-svc-ext")
|
|
|
|
// Parse and execute the template with the node IP
|
|
tmpl, err := template.New("service").Parse(serviceManifest)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
var filledManifest strings.Builder
|
|
err = tmpl.Execute(&filledManifest, struct{ NodeIP string }{NodeIP: nodes[0].InternalIP})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
// Write the filled manifest to a temporary file
|
|
tmpFile, err := os.CreateTemp("", "service-*.yaml")
|
|
Expect(err).NotTo(HaveOccurred())
|
|
defer os.Remove(tmpFile.Name())
|
|
|
|
_, err = tmpFile.WriteString(filledManifest.String())
|
|
Expect(err).NotTo(HaveOccurred())
|
|
tmpFile.Close()
|
|
|
|
// Apply the manifest using kubectl
|
|
applyCmd := fmt.Sprintf("kubectl --kubeconfig=%s apply -f %s", kubeConfigFile, tmpFile.Name())
|
|
out, err := e2e.RunCommand(applyCmd)
|
|
Expect(err).NotTo(HaveOccurred(), out)
|
|
|
|
Eventually(func() (string, error) {
|
|
clusterIP, _ := e2e.FetchClusterIP(kubeConfigFile, "nginx-loadbalancer-svc-ext-firewall", false)
|
|
return clusterIP, nil
|
|
}, "25s", "5s").Should(ContainSubstring("10.43"))
|
|
})
|
|
|
|
// Verify that only the allowed node can curl. That node should be able to curl both externalIPs (i.e. node.InternalIP)
|
|
It("Verify firewall is working", func() {
|
|
for _, node := range nodes {
|
|
// Verify connectivity from nodes[0] works because we passed its IP to the loadBalancerSourceRanges
|
|
Eventually(func() (string, error) {
|
|
cmd := "curl -s --max-time 5 " + node.InternalIP + ":82"
|
|
return e2e.RunCmdOnNode(cmd, nodes[0].Name)
|
|
}, "40s", "5s").Should(ContainSubstring("Welcome to nginx"))
|
|
|
|
// Verify connectivity from nodes[1] fails because we did not pass its IP to the loadBalancerSourceRanges
|
|
Eventually(func(g Gomega) error {
|
|
cmd := "curl -s --max-time 5 " + node.InternalIP + ":82"
|
|
_, err := e2e.RunCmdOnNode(cmd, nodes[1].Name)
|
|
return err
|
|
}, "40s", "5s").Should(MatchError(ContainSubstring("exit status")))
|
|
}
|
|
})
|
|
})
|
|
|
|
var failed bool
|
|
var _ = AfterEach(func() {
|
|
failed = failed || CurrentSpecReport().Failed()
|
|
})
|
|
|
|
var _ = AfterSuite(func() {
|
|
if failed {
|
|
AddReportEntry("journald-logs", e2e.TailJournalLogs(1000, append(serverNodeNames, agentNodeNames...)))
|
|
} else {
|
|
Expect(e2e.GetCoverageReport(append(serverNodeNames, agentNodeNames...))).To(Succeed())
|
|
}
|
|
if !failed || *ci {
|
|
Expect(e2e.DestroyCluster()).To(Succeed())
|
|
Expect(os.Remove(kubeConfigFile)).To(Succeed())
|
|
}
|
|
})
|