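    def test_deny_all_policy_periodic_validate(self):
        """
        Validate network policy periodic self-healing when
        deny-all firewall policy is detached from APS.

        Steps:
          1. Assert the cluster security policy is valid to begin with.
          2. Create a namespace and one user network policy in it.
          3. Detach the deny-all firewall policy from the default APS; this
             is the inconsistency the periodic validator must detect.
          4. Assert validation fails, run the healer, assert it passes again.
          5. Delete the user policy and verify the delete was applied.

        The user-policy cleanup runs in a ``finally`` so that an assertion
        failure in the middle of the test does not leave a stray policy on
        the APS for later tests in this class (which check APS ordering).
        """
        # A failure here points at fixture setup, not at the healer.
        self.assertTrue(VncSecurityPolicy.validate_cluster_security_policy())

        self._create_namespace(self.ns_name, None, True)

        np_name = unittest.TestCase.id(self)
        np_spec = {'podSelector': {}, 'policyTypes': ['Ingress', 'Egress']}
        np_uuid = self._add_update_network_policy(np_name, np_spec)
        try:
            self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                    namespace=self.ns_name)

            # Adding a user policy must not disturb the cluster policy set.
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            self.assertIsNotNone(VncSecurityPolicy.deny_all_fw_policy_uuid)
            fw_policy_obj = self._vnc_lib.firewall_policy_read(
                id=VncSecurityPolicy.deny_all_fw_policy_uuid)
            aps_obj = self._get_default_application_policy_set()
            self.assertIsNotNone(fw_policy_obj)
            self.assertIsNotNone(aps_obj)

            # Detach deny-all from the APS to introduce the inconsistency;
            # the validator is expected to flag it.
            aps_obj.del_firewall_policy(fw_policy_obj)
            self._vnc_lib.application_policy_set_update(aps_obj)
            self.assertFalse(
                VncSecurityPolicy.validate_cluster_security_policy())

            # Heal, then confirm the APS is consistent again.
            VncSecurityPolicy.recreate_cluster_security_policy()
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())
        finally:
            # Always remove the user policy and verify the delete took effect.
            self._delete_network_policy(np_name, np_uuid, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                    validate_delete=True,
                                                    namespace=self.ns_name)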
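    def test_deny_all_policy_periodic_validate(self):
        """
        Validate network policy periodic self-healing when
        deny-all firewall policy is detached from APS.

        Steps:
          1. Assert the cluster security policy is valid to begin with.
          2. Create a namespace and one user network policy in it.
          3. Detach the deny-all firewall policy from the default APS; this
             is the inconsistency the periodic validator must detect.
          4. Assert validation fails, run the healer, assert it passes again.
          5. Delete the user policy and verify the delete was applied.

        The user-policy cleanup runs in a ``finally`` so that an assertion
        failure in the middle of the test does not leave a stray policy on
        the APS for later tests in this class (which check APS ordering).
        """
        # A failure here points at fixture setup, not at the healer.
        self.assertTrue(VncSecurityPolicy.validate_cluster_security_policy())

        self._create_namespace(self.ns_name, None, True)

        np_name = unittest.TestCase.id(self)
        np_spec = {
            'podSelector': {},
            'policyTypes': ['Ingress', 'Egress']
        }
        np_uuid = self._add_update_network_policy(np_name, np_spec)
        try:
            self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                    namespace=self.ns_name)

            # Adding a user policy must not disturb the cluster policy set.
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            self.assertIsNotNone(VncSecurityPolicy.deny_all_fw_policy_uuid)
            fw_policy_obj = self._vnc_lib.firewall_policy_read(
                id=VncSecurityPolicy.deny_all_fw_policy_uuid)
            aps_obj = self._get_default_application_policy_set()
            self.assertIsNotNone(fw_policy_obj)
            self.assertIsNotNone(aps_obj)

            # Detach deny-all from the APS to introduce the inconsistency;
            # the validator is expected to flag it.
            aps_obj.del_firewall_policy(fw_policy_obj)
            self._vnc_lib.application_policy_set_update(aps_obj)
            self.assertFalse(
                VncSecurityPolicy.validate_cluster_security_policy())

            # Heal, then confirm the APS is consistent again.
            VncSecurityPolicy.recreate_cluster_security_policy()
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())
        finally:
            # Always remove the user policy and verify the delete took effect.
            self._delete_network_policy(np_name, np_uuid, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid, np_spec,
                                                    validate_delete=True,
                                                    namespace=self.ns_name)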
    def test_network_policy_ordering_resolve_during_modify(self):
        """
        Validate that re-adding a firewall policy to the APS repairs its
        position relative to the tail.

        deny-all is detached and then re-added with ``tail=True`` while
        post-tail objects already sit on the APS, so validation must reject
        the resulting order. Re-adding allow-all with
        ``append_after_tail=True`` must then move it behind the tail and make
        validation pass, even though allow-all was already attached.
        """

        def cluster_policy_is_valid():
            return VncSecurityPolicy.validate_cluster_security_policy()

        def read_handles(fw_policy_uuid):
            # Both handles are asserted non-None before the caller uses them.
            self.assertIsNotNone(fw_policy_uuid)
            policy = self._vnc_lib.firewall_policy_read(id=fw_policy_uuid)
            aps = self._get_default_application_policy_set()
            self.assertIsNotNone(policy)
            self.assertIsNotNone(aps)
            return policy, aps

        # Precondition: the cluster security policy is consistent.
        self.assertTrue(cluster_policy_is_valid())

        deny_all_obj, aps_obj = read_handles(
            VncSecurityPolicy.deny_all_fw_policy_uuid)

        # Detach deny-all from the APS so that validation fails.
        aps_obj.del_firewall_policy(deny_all_obj)
        self._vnc_lib.application_policy_set_update(aps_obj)
        self.assertFalse(cluster_policy_is_valid())

        # Put deny-all back as the tail. Post-tail objects are already on the
        # APS, so the tail lands after them and validation must still fail.
        VncSecurityPolicy.add_firewall_policy(
            VncSecurityPolicy.deny_all_fw_policy_uuid,
            tail=True)
        self.assertFalse(cluster_policy_is_valid())

        # allow-all is already on the APS; re-adding it as post-tail is
        # expected to re-arrange it behind the tail rather than be a no-op.
        read_handles(VncSecurityPolicy.allow_all_fw_policy_uuid)
        VncSecurityPolicy.add_firewall_policy(
            VncSecurityPolicy.allow_all_fw_policy_uuid,
            append_after_tail=True)
        self.assertTrue(cluster_policy_is_valid())
    def _network_policy_sync(self):
        """
        Validate and synchronize network policy config.

        Two passes:

        1. Validate the cluster security policy set; if it is inconsistent,
           log an error and ask VncSecurityPolicy to rebuild it (the healing
           path exercised by the periodic-validate tests).
        2. Reconcile Contrail firewall policies against the K8s API. Any
           firewall policy present in Contrail but absent from K8s (for
           example because a delete event was missed while kube-manager was
           down) is handed to ``_create_network_policy_delete_event``.
        """
        # Pass 1: detect and heal an inconsistent cluster security policy.
        # NOTE(review): the heal's outcome is not checked here; a persistent
        # failure presumably only resurfaces as the same error on the next
        # periodic run.
        if not VncSecurityPolicy.validate_cluster_security_policy():
            self._logger.error(
                "%s - Periodic validation of cluster security policy failed."
                " Attempting to heal." % (self._name))
            VncSecurityPolicy.recreate_cluster_security_policy()

        # Pass 2: reconcile against the K8s API. Firewall policies found in
        # Contrail but not in K8s come back as "headless" and each one gets
        # a synthetic delete event.
        orphaned_uuids = VncSecurityPolicy.sync_cluster_security_policy()
        for orphan_uuid in orphaned_uuids:
            self._logger.error(
                "%s - Generating delete event for orphaned FW policy [%s]" %
                (self._name, orphan_uuid))
            self._create_network_policy_delete_event(orphan_uuid)
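    def test_periodic_validate_with_user_policies(self):
        """
        Validate network policy periodic self-healing when
        multiple user created policies are present.

        Creates nine user network policies, detaches the allow-all firewall
        policy from the default APS, confirms the validator flags it, heals,
        and then checks the firewall policies on the APS are ordered:
        ingress-svc, the user policies (ascending sequence), deny-all,
        allow-all. Every user policy is deleted afterwards (also on failure)
        and each delete is verified.
        """
        test_range = list(range(1, 10))
        np_spec = {'podSelector': {}, 'ingress': [{}]}
        base_name = unittest.TestCase.id(self)

        def user_policy_name(i):
            # One naming rule for create, lookup and delete, so the delete at
            # the end targets exactly the policies created here.
            return "-".join([base_name, str(i)])

        np_uuid_dict = {}
        for i in test_range:
            np_name = user_policy_name(i)
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        try:
            # Precondition: config is consistent with the user policies added.
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            self.assertIsNotNone(VncSecurityPolicy.allow_all_fw_policy_uuid)
            fw_policy_obj = self._vnc_lib.firewall_policy_read(
                id=VncSecurityPolicy.allow_all_fw_policy_uuid)
            aps_obj = self._get_default_application_policy_set()
            self.assertIsNotNone(fw_policy_obj)
            self.assertIsNotNone(aps_obj)

            # Detach allow-all from the APS to introduce the inconsistency.
            aps_obj.del_firewall_policy(fw_policy_obj)
            self._vnc_lib.application_policy_set_update(aps_obj)
            self.assertFalse(
                VncSecurityPolicy.validate_cluster_security_policy())

            # Heal, then confirm.
            VncSecurityPolicy.recreate_cluster_security_policy()
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            # After self-healing the FW policies on the APS must be ordered:
            #   - Ingress-svc fw policy
            #   - User created policies
            #   - Deny-all fw policy
            #   - Allow-all fw policy
            aps = ApplicationPolicySetKM.locate(aps_obj.get_uuid())
            aps.update()
            fw_policy_refs = aps.get_firewall_policy_refs_sorted()
            cluster_name = self.cluster_name()

            # 1. The first cluster-owned policy must be ingress-svc.
            ingress_fw_policy_idx = None
            for index, fw_policy_ref in enumerate(fw_policy_refs):
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.owner and fw_policy.cluster_name == cluster_name:
                    self.assertEqual(
                        fw_policy.uuid,
                        VncSecurityPolicy.ingress_svc_fw_policy_uuid)
                    ingress_fw_policy_idx = index
                    break
            # Fail with a clear message rather than a TypeError on `None + 1`.
            self.assertIsNotNone(ingress_fw_policy_idx,
                                 "ingress-svc fw policy not found on APS")

            # 2. The user policies follow, with strictly increasing sequence.
            previous_sequence = None
            last_user_policy_index = None
            loop_start_index = ingress_fw_policy_idx + 1
            for i in test_range:
                fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(
                    user_policy_name(i), self.ns_name, False)
                for index, fw_policy in enumerate(
                        fw_policy_refs[loop_start_index:]):
                    if fw_policy_name == fw_policy['to'][-1]:
                        if previous_sequence is not None:
                            self.assertLess(previous_sequence,
                                            fw_policy['attr']['sequence'])
                        previous_sequence = fw_policy['attr']['sequence']
                        last_user_policy_index = loop_start_index + index
                        break
            self.assertIsNotNone(last_user_policy_index,
                                 "no user fw policy found after ingress-svc")

            # 3. The next cluster-owned policy must be deny-all.
            deny_all_policy_index = None
            loop_start_index = last_user_policy_index + 1
            for index, fw_policy_ref in enumerate(
                    fw_policy_refs[loop_start_index:]):
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.cluster_name and \
                   fw_policy.cluster_name == cluster_name:
                    self.assertEqual(fw_policy.uuid,
                                     VncSecurityPolicy.deny_all_fw_policy_uuid)
                    deny_all_policy_index = loop_start_index + index
                    break
            self.assertIsNotNone(
                deny_all_policy_index,
                "deny-all fw policy not found after user policies")

            # 4. The cluster-owned policy after deny-all must be allow-all.
            loop_start_index = deny_all_policy_index + 1
            for fw_policy_ref in fw_policy_refs[loop_start_index:]:
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.cluster_name and \
                   fw_policy.cluster_name == cluster_name:
                    self.assertEqual(
                        fw_policy.uuid,
                        VncSecurityPolicy.allow_all_fw_policy_uuid)
                    break
        finally:
            # Delete every user policy under the per-index name it was
            # created with, and verify each delete.
            for i in test_range:
                np_name = user_policy_name(i)
                self._delete_network_policy(np_name, np_uuid_dict[i], np_spec)
                self._validate_network_policy_resources(
                    np_name, np_uuid_dict[i], np_spec, validate_delete=True)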
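    def test_periodic_validate_with_user_policies(self):
        """
        Validate network policy periodic self-healing when
        multiple user created policies are present.

        Creates nine user network policies, detaches the allow-all firewall
        policy from the default APS, confirms the validator flags it, heals,
        and then checks the firewall policies on the APS are ordered:
        ingress-svc, the user policies (ascending sequence), deny-all,
        allow-all. Every user policy is deleted afterwards (also on failure)
        and each delete is verified.
        """
        test_range = range(1, 10)
        np_spec = {
            'podSelector': {},
            'ingress': [{}]
        }
        base_name = unittest.TestCase.id(self)

        def user_policy_name(i):
            # One naming rule for create, lookup and delete, so the delete at
            # the end targets exactly the policies created here.
            return "-".join([base_name, str(i)])

        np_uuid_dict = {}
        for i in test_range:
            np_name = user_policy_name(i)
            np_uuid_dict[i] = self._add_update_network_policy(np_name, np_spec)
            self._validate_network_policy_resources(np_name, np_uuid_dict[i],
                                                    np_spec)

        try:
            # Precondition: config is consistent with the user policies added.
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            self.assertIsNotNone(VncSecurityPolicy.allow_all_fw_policy_uuid)
            fw_policy_obj = self._vnc_lib.firewall_policy_read(
                id=VncSecurityPolicy.allow_all_fw_policy_uuid)
            aps_obj = self._get_default_application_policy_set()
            self.assertIsNotNone(fw_policy_obj)
            self.assertIsNotNone(aps_obj)

            # Detach allow-all from the APS to introduce the inconsistency.
            aps_obj.del_firewall_policy(fw_policy_obj)
            self._vnc_lib.application_policy_set_update(aps_obj)
            self.assertFalse(
                VncSecurityPolicy.validate_cluster_security_policy())

            # Heal, then confirm.
            VncSecurityPolicy.recreate_cluster_security_policy()
            self.assertTrue(
                VncSecurityPolicy.validate_cluster_security_policy())

            # After self-healing the FW policies on the APS must be ordered:
            #   - Ingress-svc fw policy
            #   - User created policies
            #   - Deny-all fw policy
            #   - Allow-all fw policy
            aps = ApplicationPolicySetKM.locate(aps_obj.get_uuid())
            aps.update()
            fw_policy_refs = aps.get_firewall_policy_refs_sorted()
            cluster_name = self.cluster_name()

            # 1. The first cluster-owned policy must be ingress-svc.
            ingress_fw_policy_idx = None
            for index, fw_policy_ref in enumerate(fw_policy_refs):
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.owner and fw_policy.cluster_name == cluster_name:
                    self.assertEqual(
                        fw_policy.uuid,
                        VncSecurityPolicy.ingress_svc_fw_policy_uuid)
                    ingress_fw_policy_idx = index
                    break
            # Fail with a clear message rather than a TypeError on `None + 1`.
            self.assertIsNotNone(ingress_fw_policy_idx,
                                 "ingress-svc fw policy not found on APS")

            # 2. The user policies follow, with strictly increasing sequence.
            previous_sequence = None
            last_user_policy_index = None
            loop_start_index = ingress_fw_policy_idx + 1
            for i in test_range:
                fw_policy_name = VncSecurityPolicy.get_firewall_policy_name(
                    user_policy_name(i), self.ns_name, False)
                for index, fw_policy in enumerate(
                        fw_policy_refs[loop_start_index:]):
                    if fw_policy_name == fw_policy['to'][-1]:
                        if previous_sequence is not None:
                            self.assertLess(previous_sequence,
                                            fw_policy['attr']['sequence'])
                        previous_sequence = fw_policy['attr']['sequence']
                        last_user_policy_index = loop_start_index + index
                        break
            self.assertIsNotNone(last_user_policy_index,
                                 "no user fw policy found after ingress-svc")

            # 3. The next cluster-owned policy must be deny-all.
            deny_all_policy_index = None
            loop_start_index = last_user_policy_index + 1
            for index, fw_policy_ref in enumerate(
                    fw_policy_refs[loop_start_index:]):
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.cluster_name and \
                   fw_policy.cluster_name == cluster_name:
                    self.assertEqual(fw_policy.uuid,
                                     VncSecurityPolicy.deny_all_fw_policy_uuid)
                    deny_all_policy_index = loop_start_index + index
                    break
            self.assertIsNotNone(
                deny_all_policy_index,
                "deny-all fw policy not found after user policies")

            # 4. The cluster-owned policy after deny-all must be allow-all.
            loop_start_index = deny_all_policy_index + 1
            for fw_policy_ref in fw_policy_refs[loop_start_index:]:
                fw_policy = FirewallPolicyKM.locate(fw_policy_ref['uuid'])
                if fw_policy.cluster_name and \
                   fw_policy.cluster_name == cluster_name:
                    self.assertEqual(
                        fw_policy.uuid,
                        VncSecurityPolicy.allow_all_fw_policy_uuid)
                    break
        finally:
            # Delete every user policy under the per-index name it was
            # created with, and verify each delete.
            for i in test_range:
                np_name = user_policy_name(i)
                self._delete_network_policy(np_name, np_uuid_dict[i], np_spec)
                self._validate_network_policy_resources(
                    np_name, np_uuid_dict[i], np_spec, validate_delete=True)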