def test__parse_rules_all_selectors(self, m_match_selector, m_get_pods, m_get_pod_ip, m_create_sg_rule): crd = get_crd_obj_with_all_selectors() policy = crd['spec']['networkpolicy_spec'] i_rule = policy.get('ingress')[0] ns_selector = i_rule['from'][0].get('namespaceSelector') pod_selector = i_rule['from'][0].get('podSelector') ns = get_match_crd_namespace_obj() pod = get_match_crd_pod_obj() m_match_selector.return_value = True m_get_pods.return_value = {"items": [pod]} m_get_pod_ip.return_value = pod['status']['podIP'] m_create_sg_rule.return_value = get_sg_rule() matched, rules = network_policy_security_groups._parse_rules( 'ingress', crd, namespace=ns) m_match_selector.assert_called_once_with(ns_selector, ns['metadata']['labels']) m_get_pods.assert_called_once_with(pod_selector, ns['metadata']['name']) m_get_pod_ip.assert_called_once_with(pod) m_create_sg_rule.assert_called_once() self.assertEqual(matched, True) self.assertEqual(rules, [get_sg_rule()])
def test__parse_rules_multiple_selectors(self, m_parse_selectors_on_pod): no_selector = None matched_selector = True pod = mock.sentinel.pod m_parse_selectors_on_pod.side_effect = [matched_selector] * 2 direction = "ingress" pod_selector = mock.sentinel.pod_selector namespace_selector = mock.sentinel.namespace_selector rule_block = { 'from': [{ 'podSelector': pod_selector }, { 'namespaceSelector': namespace_selector }] } policy = {"ingress": [rule_block], "policyTypes": ["Ingress"]} crd = {"spec": {"ingressSgRules": []}} matched = network_policy_security_groups._parse_rules(direction, crd, policy, pod=pod) calls = [ mock.call(crd, pod, pod_selector, no_selector, rule_block, direction, not matched_selector), mock.call(crd, pod, no_selector, namespace_selector, rule_block, direction, matched_selector) ] m_parse_selectors_on_pod.assert_has_calls(calls) self.assertEqual(matched, matched_selector)
def test__parse_rules_no_match(self, m_match_selector): crd = get_crd_obj_no_match() policy = crd['spec']['networkpolicy_spec'] i_rule = policy.get('ingress')[0] ns_selector = i_rule['from'][0].get('namespaceSelector') ns = get_no_match_crd_namespace_obj() m_match_selector.return_value = False matched = network_policy_security_groups._parse_rules( 'ingress', crd, policy, namespace=ns) m_match_selector.assert_called_once_with(ns_selector, ns['metadata']['labels']) self.assertEqual(matched, False)
def test__parse_rules(self, m_get_ns_subnet_cidr, m_match_selector, m_create_sg_rule): crd = get_crd_obj_no_match() policy = crd['spec']['networkpolicy_spec'] i_rule = policy.get('ingress')[0] ns_selector = i_rule['from'][0].get('namespaceSelector') ns = get_match_crd_namespace_obj() m_get_ns_subnet_cidr.return_value = '10.0.2.0/26' m_match_selector.return_value = True m_create_sg_rule.return_value = get_sg_rule() matched, rules = network_policy_security_groups._parse_rules( 'ingress', crd, namespace=ns) m_get_ns_subnet_cidr.assert_called_once_with(ns) m_match_selector.assert_called_once_with(ns_selector, ns['metadata']['labels']) m_create_sg_rule.assert_called_once() self.assertEqual(matched, True) self.assertEqual(rules, [get_sg_rule()])