def create_test_project(suffix, port):
project_name = 'imperative-verify-test-project-network-{}'.format(suffix)
# Delete any existing resources
oc.delete_project(project_name, ignore_not_found=True, grace_period=1)
server_name = 'server-{}'.format(suffix)
client_name = 'client-{}'.format(suffix)
with oc.new_project(project_name):
# Create a simple http server running in project-A
# It will be exposed by a service and route of the same name
report_progress("Creating server in: " + project_name)
server_sel = oc.create(
simple_http_server_resources(server_name, port, create_service=True, create_route=True)
)
report_progress("Created: {}".format(server_sel.qnames()))
report_progress("Waiting for resources readiness...")
server_sel.narrow('pod').until_all(1, success_func=oc.status.is_pod_running)
server_sel.narrow('route').until_all(1, success_func=oc.status.is_route_admitted)
# Create a passive pod that blocks forever so we exec commands within it
client_sel = oc.create(
oc.build_pod_simple(client_name, image='python:3', command=['tail', '-f', '/dev/null']))
client_sel.until_all(1, success_func=oc.status.is_pod_running)
server_pod = server_sel.narrow('pod').object()
service = server_sel.narrow('service').object()
route = server_sel.narrow('route').object()
client_pod = client_sel.narrow('pod').object()
report_progress('Ensure client pod can communicate to server pod IP in same namespace')
client_pod.execute(cmd_to_exec=['curl', 'http://{}:{}'.format(server_pod.model.status.podIP, port)],
auto_raise=True)
report_progress('Ensure client pod can communicate to server service IP in same namespace')
client_pod.execute(cmd_to_exec=['curl', 'http://{}:{}'.format(service.model.spec.clusterIP, port)],
auto_raise=True)
report_progress('Ensure client pod can communicate to server service DNS in same namespace')
client_pod.execute(cmd_to_exec=['curl', 'http://{}:{}'.format(server_name, port)],
auto_raise=True)
report_progress('Ensure client pod can communicate to server route in same namespace')
client_pod.execute(cmd_to_exec=['curl', 'http://{}'.format(route.model.spec.host)],
auto_raise=True)
# Return a selector for server resources and client resources
return project_name, server_pod, service, route, client_pod
def temp_project(name, adm=False, cleanup=True):
"""
Useful context manager for testing purposes. Creates a temporary project,
runs the context within oc.project, and then deletes the project on exit.
Exceptions thrown by content are thrown by contextmanager as well.
:param name: The name of the project to create.
:param adm: If True, the project will be created with 'oc adm ...'
:param cleanup: If True, project will be deleted on return. Only set to False if you
are trying to leave behind some sort of debug breadcrumb.
:return:
"""
oc.delete_project(name, ignore_not_found=True)
try:
with oc.new_project(name, adm=adm):
yield
finally:
if cleanup:
report_progress('Cleaning up test project: {}'.format(name))
oc.delete_project(name, ignore_not_found=True)
def check_online_network_multitenant():
def create_test_project(suffix, port):
project_name = 'imperative-verify-test-project-network-{}'.format(
suffix)
# Delete any existing resources
oc.delete_project(project_name, ignore_not_found=True)
server_name = 'server-{}'.format(suffix)
client_name = 'client-{}'.format(suffix)
with oc.new_project(project_name):
# Create a simple http server running in project-A
# It will be exposed by a service and route of the same name
report_progress("Creating server in: " + project_name)
server_sel = oc.create(
simple_http_server_resources(server_name,
port,
create_service=True,
create_route=True))
report_progress("Created: {}".format(server_sel.qnames()))
report_progress("Waiting for resources readiness...")
server_sel.narrow('pod').until_all(
1, success_func=oc.status.is_pod_running)
server_sel.narrow('route').until_all(
1, success_func=oc.status.is_route_admitted)
# Create a passive pod that blocks forever so we exec commands within it
client_sel = oc.create(
oc.build_pod_simple(client_name,
image='python:3',
command=['tail', '-f', '/dev/null']))
client_sel.until_all(1, success_func=oc.status.is_pod_running)
server_pod = server_sel.narrow('pod').object()
service = server_sel.narrow('service').object()
route = server_sel.narrow('route').object()
client_pod = client_sel.narrow('pod').object()
report_progress(
'Ensure client pod can communicate to server pod IP in same namespace'
)
client_pod.execute(cmd_to_exec=[
'curl', 'http://{}:{}'.format(server_pod.model.status.podIP,
port)
],
auto_raise=True)
report_progress(
'Ensure client pod can communicate to server service IP in same namespace'
)
client_pod.execute(cmd_to_exec=[
'curl', 'http://{}:{}'.format(service.model.spec.clusterIP,
port)
],
auto_raise=True)
report_progress(
'Ensure client pod can communicate to server service DNS in same namespace'
)
client_pod.execute(
cmd_to_exec=['curl', 'http://{}:{}'.format(server_name, port)],
auto_raise=True)
report_progress(
'Ensure client pod can communicate to server route in same namespace'
)
client_pod.execute(cmd_to_exec=[
'curl', 'http://{}'.format(route.model.spec.host)
],
auto_raise=True)
# Return a selector for server resources and client resources
return project_name, server_pod, service, route, client_pod
port_a = 4444
port_b = 4555
# Create two projects, A and B. Both will self test to make sure they can communicate within
# pods in the same namespace.
proj_a_name, server_pod_a, service_a, route_a, client_pod_a = create_test_project(
'a', port_a)
proj_b_name, server_pod_b, service_b, route_b, client_pod_b = create_test_project(
'b', port_b)
report_progress(
'Ensure client pod A cannot communicate to server service in another namespace'
)
assert client_pod_a.execute(
cmd_to_exec=['nc', '-z', service_b.model.spec.clusterIP, port_b],
auto_raise=False).status() != 0, 'Expected error 1'
report_progress(
'Ensure client pod B cannot communicate to server service in another namespace'
)
assert client_pod_b.execute(
cmd_to_exec=['nc', '-z', service_a.model.spec.clusterIP, port_a],
auto_raise=False).status() != 0, 'Expected error 2'
report_progress(
'Ensure client pod A cannot communicate to server pod IP in another namespace'
)
assert client_pod_a.execute(
cmd_to_exec=['nc', '-z', server_pod_b.model.status.podIP, port_b],
auto_raise=False).status() != 0, 'Expected error 1'
report_progress(
'Ensure client pod B cannot communicate to server pod IP in another namespace'
)
assert client_pod_b.execute(
cmd_to_exec=['nc', '-z', server_pod_a.model.status.podIP, port_a],
auto_raise=False).status() != 0, 'Expected error 1'
report_progress(
'Ensure client pod A can communicate to server route in another namespace'
)
client_pod_a.execute(
cmd_to_exec=['curl', 'http://{}'.format(route_b.model.spec.host)])
report_progress(
'Ensure client pod B can communicate to server route in another namespace'
)
client_pod_b.execute(
cmd_to_exec=['curl', 'http://{}'.format(route_a.model.spec.host)])
report_progress("Deleting project: " + proj_a_name)
oc.delete_project(proj_a_name)
report_progress("Deleting project: " + proj_b_name)
oc.delete_project(proj_b_name)
report_verified("Network policy for multitenant seems solid!")
