def jwt_secrets_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller, test_namespace) -> JWTSecretsSetup:
with open(f"{TEST_DATA}/jwt-secrets/tokens/jwt-secrets-token.jwt",
"r") as token_file:
token = token_file.read().replace('\n', '')
print(
"------------------------- Deploy JWT Secrets Example -----------------------------------"
)
create_items_from_yaml(
kube_apis,
f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up the JWT Secrets Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis,
f"{TEST_DATA}/jwt-secrets/{request.param}/jwt-secrets-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return JWTSecretsSetup(ingress_controller_endpoint, ingress_host, token)
def wildcard_tls_secret_setup(request, kube_apis, ingress_controller_endpoint,
test_namespace) -> WildcardTLSSecretSetup:
ing_type = request.param
print(
"------------------------- Deploy Wildcard-Tls-Secret-Example -----------------------------------"
)
create_items_from_yaml(
kube_apis,
f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml",
test_namespace)
host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml"
)
common_app = create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
def fin():
print("Clean up Wildcard-Tls-Secret-Example:")
delete_items_from_yaml(
kube_apis,
f"{TEST_DATA}/wildcard-tls-secret/{ing_type}/wildcard-secret-ingress.yaml",
test_namespace)
delete_common_app(kube_apis.v1, kube_apis.apps_v1_api, common_app,
test_namespace)
request.addfinalizer(fin)
return WildcardTLSSecretSetup(ingress_controller_endpoint, test_namespace,
host)
def test_ap_enable_false_policy_incorrect(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace):
"""
Test malicious script request is working normally while AppProtect is disabled in with incorrect policy in ingress
"""
create_ingress_with_ap_annotations(
kube_apis,
src_ing_yaml,
test_namespace,
"invalid-policy",
"False",
"True",
"127.0.0.1:514",
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is disabled with incorrect policy ---------"
)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_valid_responses(response)
def test_ap_enable_true_policy_correct_uds(self, request, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace):
"""
Test request with UDS rule string is rejected while AppProtect with User Defined Signatures is enabled in Ingress
"""
usersig_name = create_ap_usersig_from_yaml(kube_apis.custom_objects,
uds_crd_resource,
test_namespace)
# Apply dataguard-alarm AP policy with UDS
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy_uds}.yaml",
test_namespace,
)
wait_before_test()
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy and UDS ---------"
)
ap_crd_info = read_ap_custom_resource(kube_apis.custom_objects,
test_namespace, "appolicies",
ap_policy)
wait_before_test(120)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url,
headers={"host": ingress_host},
verify=False,
data="kic")
print(response.text)
reload_ms = get_last_reload_time(appprotect_setup.metrics_url, "nginx")
print(f"last reload duration: {reload_ms} ms")
reload_times[
f"{request.node.name}"] = f"last reload duration: {reload_ms} ms"
# Restore default dataguard-alarm policy
delete_and_create_ap_policy_from_yaml(
kube_apis.custom_objects,
ap_policy,
f"{TEST_DATA}/appprotect/{ap_policy}.yaml",
test_namespace,
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_ap_crd_info(ap_crd_info, ap_policy)
assert_invalid_responses(response)
def auth_basic_secrets_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller,
test_namespace) -> AuthBasicSecretsSetup:
with open(f"{TEST_DATA}/auth-basic-secrets/credentials/credentials.txt",
"r") as credentials_file:
credentials = credentials_file.read().replace('\n', '')
print(
"------------------------- Deploy Auth Basic Secrets Example -----------------------------------"
)
create_items_from_yaml(
kube_apis,
f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml"
)
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up the Auth Basic Secrets Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis,
f"{TEST_DATA}/auth-basic-secrets/{request.param}/auth-basic-secrets-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return AuthBasicSecretsSetup(ingress_controller_endpoint, ingress_host,
credentials)
def smoke_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller, test_namespace) -> SmokeSetup:
print(
"------------------------- Deploy Smoke Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
write_to_json(f"reload-{get_test_file_name(request.node.fspath)}.json",
reload_times)
request.addfinalizer(fin)
return SmokeSetup(ingress_controller_endpoint, ingress_host)
def hsts_setup(request, kube_apis, ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller,
test_namespace) -> HSTSSetup:
print(
"------------------------- Deploy HSTS-Example -----------------------------------"
)
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml",
test_namespace)
ingress_name = get_name_from_yaml(
f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml")
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
req_https_url = f"https://{ingress_controller_endpoint.public_ip}:" \
f"{ingress_controller_endpoint.port_ssl}/backend1"
ensure_response_from_backend(req_https_url, ingress_host)
def fin():
print("Clean up HSTS Example:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return HSTSSetup(ingress_controller_endpoint,
f"{TEST_DATA}/hsts/{request.param}/hsts-ingress.yaml",
ingress_name, ingress_host, test_namespace)
def smoke_setup(request, kube_apis, ingress_controller_endpoint,
ingress_controller, test_namespace) -> SmokeSetup:
print(
"------------------------- Deploy Smoke Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml")
common_app = create_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1,
test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up the Smoke Application:")
delete_common_app(kube_apis.v1, kube_apis.extensions_v1_beta1,
common_app, test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/{request.param}/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return SmokeSetup(ingress_controller_endpoint, ingress_host)
def ingress_setup(request, kube_apis, ingress_controller_endpoint,
test_namespace) -> IngressSetup:
print(
"------------------------- Deploy Ingress Example -----------------------------------"
)
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
create_items_from_yaml(kube_apis,
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml",
test_namespace)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
def fin():
print("Clean up simple app")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml",
test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return IngressSetup(req_url, ingress_host)
def annotations_grpc_setup(request,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller, test_namespace) -> AnnotationsSetup:
print("------------------------- Deploy gRPC Annotations-Example -----------------------------------")
create_items_from_yaml(kube_apis,
f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml",
test_namespace)
ingress_name = get_names_from_yaml(f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml")[0]
ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml")
replace_configmap_from_yaml(kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/common/configmap-with-grpc.yaml")
ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated"
error_text = f"{event_text}, but not applied: Error reloading NGINX"
def fin():
print("Clean up gRPC Annotations Example:")
delete_items_from_yaml(kube_apis,
f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return AnnotationsSetup(ingress_controller_endpoint,
f"{TEST_DATA}/annotations/grpc/annotations-ingress.yaml",
ingress_name, ingress_host, ic_pod_name, test_namespace, event_text, error_text)
def test_ap_perf_create_ingress(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
):
"""
Test reload times for creating AP ingress
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print("--------- Run test while AppProtect module is enabled with correct policy ---------")
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(40)
response = requests.get(
appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
)
print(response.text)
self.collect_prom_reload_metrics(
reload_ap,
"creating AP ingress",
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.metrics_port,
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def tls_setup(request, kube_apis, ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller,
test_namespace) -> TLSSetup:
print(
"------------------------- Deploy TLS setup -----------------------------------"
)
test_data_path = f"{TEST_DATA}/tls"
ingress_path = f"{test_data_path}/{request.param}/ingress.yaml"
create_ingress_from_yaml(kube_apis.networking_v1, test_namespace,
ingress_path)
wait_before_test(1)
ingress_host = get_first_ingress_host_from_yaml(ingress_path)
secret_name = get_name_from_yaml(f"{test_data_path}/tls-secret.yaml")
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up TLS setup")
delete_items_from_yaml(kube_apis, ingress_path, test_namespace)
if is_secret_present(kube_apis.v1, secret_name, test_namespace):
delete_secret(kube_apis.v1, secret_name, test_namespace)
request.addfinalizer(fin)
return TLSSetup(ingress_host, secret_name,
f"{test_data_path}/tls-secret.yaml",
f"{test_data_path}/new-tls-secret.yaml",
f"{test_data_path}/invalid-tls-secret.yaml")
def test_ap_nginx_config_entries(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test to verify AppProtect annotations in nginx config
"""
conf_annotations = [
f"app_protect_enable on;",
f"app_protect_policy_file /etc/nginx/waf/nac-policies/{test_namespace}_{ap_policy};",
f"app_protect_security_log_enable on;",
f"app_protect_security_log /etc/nginx/waf/nac-logconfs/{test_namespace}_logconf syslog:server=127.0.0.1:514;",
]
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
pod_name = get_first_pod_name(kube_apis.v1, "nginx-ingress")
result_conf = get_ingress_nginx_template_conf(kube_apis.v1,
test_namespace,
"appprotect-ingress",
pod_name,
"nginx-ingress")
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
for _ in conf_annotations:
assert _ in result_conf
def test_ap_enable_false_policy_correct(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test malicious script request is working normally while AppProtect is disabled in Ingress
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "False",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is disabled with correct policy ---------"
)
events_before_ingress = len(get_events(kube_apis.v1, test_namespace))
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_status = wait_for_event_increment(kube_apis, test_namespace,
events_before_ingress)
ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace,
"appolicies", ap_policy)
assert_ap_crd_info(ap_crd_info)
wait_before_test(10)
response = ""
if wait_status:
print(
"----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_valid_responses(response)
def backend_setup(request, kube_apis, ingress_controller_endpoint, test_namespace) -> BackendSetup:
"""
Deploy simple application and all the Ingress resources under test in one namespace.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
print("------------------------- Deploy the backend -----------------------------------")
create_example_app(kube_apis, "simple", test_namespace)
req_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/backend1"
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
print("------------------------- Deploy ingresses under test -----------------------------------")
ingress_hosts = {}
for item in ingresses_under_test:
src_ing_yaml = f"{TEST_DATA}/ingress-class/{item}-ingress.yaml"
create_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
ingress_hosts[item] = get_first_ingress_host_from_yaml(src_ing_yaml)
wait_before_test(2)
def fin():
print("Clean up:")
delete_common_app(kube_apis, "simple", test_namespace)
for item in ingresses_under_test:
src_ing_yaml = f"{TEST_DATA}/ingress-class/{item}-ingress.yaml"
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
request.addfinalizer(fin)
return BackendSetup(req_url, ingress_hosts)
def jwt_auth_setup(request, kube_apis, ingress_controller_endpoint, ingress_controller, test_namespace) -> JWTAuthMergeableSetup:
tokens = {"master": get_token_from_file("master"), "minion": get_token_from_file("minion")}
master_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret.yaml")
minion_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret.yaml")
print("------------------------- Deploy JWT Auth Mergeable Minions Example -----------------------------------")
create_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml", test_namespace)
ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml")
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
wait_before_test(2)
def fin():
print("Delete Master Secret:")
if is_secret_present(kube_apis.v1, master_secret_name, test_namespace):
delete_secret(kube_apis.v1, master_secret_name, test_namespace)
print("Delete Minion Secret:")
if is_secret_present(kube_apis.v1, minion_secret_name, test_namespace):
delete_secret(kube_apis.v1, minion_secret_name, test_namespace)
print("Clean up the JWT Auth Mergeable Minions Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(kube_apis, f"{TEST_DATA}/jwt-auth-mergeable/mergeable/jwt-auth-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return JWTAuthMergeableSetup(ingress_controller_endpoint, ingress_host, master_secret_name, minion_secret_name, tokens)
def test_ap_enable_true_policy_correct(self, kube_apis,
crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test malicious script request is rejected while AppProtect is enabled in Ingress
"""
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ap_crd_info = read_ap_crd(kube_apis.custom_objects, test_namespace,
"appolicies", ap_policy)
assert_ap_crd_info(ap_crd_info, ap_policy)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print("----------------------- Send request ----------------------")
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def ap_ingress_setup(
request, kube_apis, ingress_controller_endpoint, test_namespace
) -> IngressSetup:
"""
Deploy a simple application and AppProtect manifests.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
print("------------------------- Deploy backend application -------------------------")
create_example_app(kube_apis, "simple", test_namespace)
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics"
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
print("------------------------- Deploy Secret -----------------------------")
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
create_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
print("------------------------- Deploy logconf -----------------------------")
src_log_yaml = f"{TEST_DATA}/appprotect/logconf.yaml"
log_name = create_ap_logconf_from_yaml(kube_apis.custom_objects, src_log_yaml, test_namespace)
print(f"------------------------- Deploy appolicy: ---------------------------")
src_pol_yaml = f"{TEST_DATA}/appprotect/dataguard-alarm.yaml"
pol_name = create_ap_policy_from_yaml(kube_apis.custom_objects, src_pol_yaml, test_namespace)
print("------------------------- Deploy ingress -----------------------------")
ingress_host = {}
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, "dataguard-alarm", "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
wait_before_test()
def fin():
print("Clean up:")
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_ap_policy(kube_apis.custom_objects, pol_name, test_namespace)
delete_ap_logconf(kube_apis.custom_objects, log_name, test_namespace)
delete_common_app(kube_apis, "simple", test_namespace)
src_sec_yaml = f"{TEST_DATA}/appprotect/appprotect-secret.yaml"
delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
request.addfinalizer(fin)
return IngressSetup(req_url, metrics_url, ingress_host)
def test_ap_perf_response(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
setup_users,
setup_time,
setup_rate,
):
"""
Test response times for AP ingress by running locust as a subprocess.
"""
src_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
print(src_ing_yaml)
# create ingress with AP annotations
create_ingress_with_ap_annotations(
kube_apis, src_ing_yaml, test_namespace, ap_policy, "True", "True", "127.0.0.1:514"
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print("--------- Run test while AppProtect module is enabled with correct policy ---------")
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(30)
response = ""
response = requests.get(
appprotect_setup.req_url + "/<script>", headers={"host": ingress_host}, verify=False
)
print(appprotect_setup.req_url + "/<script>")
print(ingress_host)
print(response.text)
# run response time tests using locust.io
subprocess.run(
[
"locust",
"-f",
"suite/ap_request_perf.py",
"--headless",
"--host",
appprotect_setup.req_url,
"--csv",
"ap_response_times",
"-u",
setup_users, # total no. of users
"-r",
setup_rate, # no. of users hatched per second
"-t",
setup_time, # locust session duration in seconds
]
)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert_invalid_responses(response)
def external_name_setup(request, kube_apis, ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller,
test_namespace) -> ExternalNameSetup:
print(
"------------------------- Deploy External-Backend -----------------------------------"
)
external_ns = create_namespace_with_name_from_yaml(
kube_apis.v1, "external-ns", f"{TEST_DATA}/common/ns.yaml")
external_svc_name = create_service_with_name(kube_apis.v1, external_ns,
"external-backend-svc")
create_deployment_with_name(kube_apis.apps_v1_api, external_ns,
"external-backend")
print(
"------------------------- Deploy External-Name-Example -----------------------------------"
)
ingress_name = create_ingress_from_yaml(
kube_apis.extensions_v1_beta1, test_namespace,
f"{TEST_DATA}/externalname-services/externalname-ingress.yaml")
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/externalname-services/externalname-ingress.yaml")
external_host = f"{external_svc_name}.{external_ns}.svc.cluster.local"
config_map_name = ingress_controller_prerequisites.config_map["metadata"][
"name"]
replace_configmap_from_yaml(
kube_apis.v1, config_map_name,
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/externalname-services/nginx-config.yaml")
svc_name = create_service_from_yaml(
kube_apis.v1, test_namespace,
f"{TEST_DATA}/externalname-services/externalname-svc.yaml")
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
def fin():
print("Clean up External-Name-Example:")
delete_namespace(kube_apis.v1, external_ns)
replace_configmap(kube_apis.v1, config_map_name,
ingress_controller_prerequisites.namespace,
ingress_controller_prerequisites.config_map)
delete_ingress(kube_apis.extensions_v1_beta1, ingress_name,
test_namespace)
delete_service(kube_apis.v1, svc_name, test_namespace)
request.addfinalizer(fin)
return ExternalNameSetup(ingress_controller_endpoint, ingress_name,
ingress_host, ic_pod_name, svc_name,
external_host, test_namespace)
def test_ap_perf_multiple_ingress(
self,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
crd_ingress_controller_with_ap,
appprotect_setup,
enable_prometheus_port,
test_namespace,
):
"""
Test reload times for creating AP ingress while a simple ingress exists.
"""
src1_ing_yaml = f"{TEST_DATA}/appprotect/appprotect-ingress.yaml"
print(src1_ing_yaml)
src2_ing_yaml = os.path.join(os.path.dirname(__file__),
"../data/non-ap-ingress.yaml")
print(src2_ing_yaml)
with open(src2_ing_yaml) as f:
doc = yaml.safe_load(f)
# create ingress without AP annotation
create_ingress(kube_apis.extensions_v1_beta1, test_namespace, doc)
wait_before_test(10)
# create ingress with AP annotations
create_ingress_with_ap_annotations(kube_apis, src1_ing_yaml,
test_namespace, ap_policy, "True",
"True", "127.0.0.1:514")
ingress_host = get_first_ingress_host_from_yaml(src1_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
wait_before_test(30)
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
self.collect_prom_reload_metrics(
reload_ap_with_ingress,
"creating AP ingress alongside a simple ingress",
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.metrics_port,
)
delete_items_from_yaml(kube_apis, src1_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src2_ing_yaml, test_namespace)
assert_invalid_responses(response)
def annotations_setup(request,
kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller, test_namespace) -> AnnotationsSetup:
print("------------------------- Deploy Annotations-Example -----------------------------------")
create_items_from_yaml(kube_apis,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
test_namespace)
ingress_name = get_name_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")
ingress_host = get_first_ingress_host_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")
if request.param == 'mergeable':
minions_info = get_minions_info_from_yaml(f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")
else:
minions_info = None
create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
upstream_names = []
if request.param == 'mergeable':
event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated"
error_text = f"{test_namespace}/{ingress_name} was rejected: with error"
for minion in minions_info:
upstream_names.append(f"{test_namespace}-{minion['name']}-{ingress_host}-{minion['svc_name']}-80")
else:
event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated"
error_text = f"{test_namespace}/{ingress_name} was rejected: with error"
upstream_names.append(f"{test_namespace}-{ingress_name}-{ingress_host}-backend1-svc-80")
upstream_names.append(f"{test_namespace}-{ingress_name}-{ingress_host}-backend2-svc-80")
def fin():
print("Clean up Annotations Example:")
replace_configmap_from_yaml(kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_common_app(kube_apis, "simple", test_namespace)
delete_items_from_yaml(kube_apis,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return AnnotationsSetup(ingress_controller_endpoint,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
ingress_name, ingress_host, ic_pod_name, test_namespace, event_text, error_text,
upstream_names)
def annotations_setup(request, kube_apis, ingress_controller_prerequisites,
ingress_controller_endpoint, ingress_controller,
test_namespace) -> AnnotationsSetup:
print(
"------------------------- Deploy Annotations-Example -----------------------------------"
)
create_items_from_yaml(
kube_apis,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
test_namespace)
ingress_name = get_names_from_yaml(
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")[0]
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml")
common_app = create_example_app(kube_apis, "simple", test_namespace)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
if request.param == 'mergeable':
event_text = f"Configuration for {test_namespace}/{ingress_name}(Master) was added or updated"
error_text = f"{event_text} but was not applied: Error reloading NGINX"
else:
event_text = f"Configuration for {test_namespace}/{ingress_name} was added or updated"
error_text = f"{event_text}, but not applied: Error reloading NGINX"
def fin():
print("Clean up Annotations Example:")
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_common_app(kube_apis.v1, kube_apis.apps_v1_api, common_app,
test_namespace)
delete_items_from_yaml(
kube_apis,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
test_namespace)
request.addfinalizer(fin)
return AnnotationsSetup(
ingress_controller_endpoint,
f"{TEST_DATA}/annotations/{request.param}/annotations-ingress.yaml",
ingress_name, ingress_host, ic_pod_name, test_namespace, event_text,
error_text)
def simple_ingress_setup(
request,
kube_apis,
ingress_controller_endpoint,
test_namespace,
ingress_controller,
) -> IngressSetup:
"""
Deploy simple application and all the Ingress resources under test in one namespace.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:param test_namespace:
:return: BackendSetup
"""
req_url = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/backend1"
metrics_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.metrics_port}/metrics"
secret_name = create_secret_from_yaml(
kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml"
)
create_example_app(kube_apis, "simple", test_namespace)
create_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace
)
ingress_host = get_first_ingress_host_from_yaml(
f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml"
)
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl,
)
def fin():
print("Clean up the Application:")
delete_common_app(kube_apis, "simple", test_namespace)
delete_secret(kube_apis.v1, secret_name, test_namespace)
delete_items_from_yaml(
kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace
)
request.addfinalizer(fin)
return IngressSetup(req_url, metrics_url, ingress_host)
def test_ap_pod_startup(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Log pod startup time while scaling up from 0 to 1
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
syslog_ep = get_service_endpoint(kube_apis, "syslog-svc",
test_namespace)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ns, 0)
while get_pods_amount(kube_apis.v1, ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ns, 1)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert num is None
def test_ap_nginx_config_entries(self, kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_dos,
dos_setup, test_namespace):
"""
Test to verify Dos directive in nginx config
"""
conf_directive = [
f"app_protect_dos_enable on;",
f"app_protect_dos_security_log_enable on;",
f"app_protect_dos_monitor uri=dos.example.com protocol=http1 timeout=5;",
f"app_protect_dos_name \"{test_namespace}/dos-protected/name\";",
f"app_protect_dos_policy_file /etc/nginx/dos/policies/{test_namespace}_{dos_setup.pol_name}.json;",
f"app_protect_dos_security_log_enable on;",
f"app_protect_dos_security_log /etc/nginx/dos/logconfs/{test_namespace}_{dos_setup.log_name}.json syslog:server=syslog-svc.{ingress_controller_prerequisites.namespace}.svc.cluster.local:514;",
]
create_ingress_with_dos_annotations(
kube_apis,
src_ing_yaml,
test_namespace,
test_namespace + "/dos-protected",
)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
ensure_response_from_backend(dos_setup.req_url,
ingress_host,
check404=True)
pod_name = self.getPodNameThatContains(
kube_apis, ingress_controller_prerequisites.namespace,
"nginx-ingress")
result_conf = get_ingress_nginx_template_conf(kube_apis.v1,
test_namespace,
"dos-ingress", pod_name,
"nginx-ingress")
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
for _ in conf_directive:
assert _ in result_conf
def backend_setup(request, kube_apis,
ingress_controller_endpoint) -> BackendSetup:
"""
Create 2 namespaces and deploy simple applications in them.
:param request: pytest fixture
:param kube_apis: client apis
:param ingress_controller_endpoint: public endpoint
:return: BackendSetup
"""
watched_namespace = create_namespace_with_name_from_yaml(
kube_apis.v1, f"watched-ns", f"{TEST_DATA}/common/ns.yaml")
foreign_namespace = create_namespace_with_name_from_yaml(
kube_apis.v1, f"foreign-ns", f"{TEST_DATA}/common/ns.yaml")
ingress_hosts = {}
for ns in [watched_namespace, foreign_namespace]:
print(
f"------------------------- Deploy the backend in {ns} -----------------------------------"
)
create_example_app(kube_apis, "simple", ns)
src_ing_yaml = f"{TEST_DATA}/watch-namespace/{ns}-ingress.yaml"
create_items_from_yaml(kube_apis, src_ing_yaml, ns)
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
ingress_hosts[f"{ns}-ingress"] = ingress_host
req_url = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/backend1"
wait_until_all_pods_are_ready(kube_apis.v1, ns)
ensure_connection_to_public_endpoint(
ingress_controller_endpoint.public_ip,
ingress_controller_endpoint.port,
ingress_controller_endpoint.port_ssl)
def fin():
print("Clean up:")
delete_namespace(kube_apis.v1, watched_namespace)
delete_namespace(kube_apis.v1, foreign_namespace)
request.addfinalizer(fin)
return BackendSetup(req_url, ingress_hosts)
def custom_annotations_setup(request, kube_apis,
ingress_controller_prerequisites,
ingress_controller_endpoint,
test_namespace) -> CustomAnnotationsSetup:
ing_type = request.param
print(
"------------------------- Deploy ConfigMap with custom template -----------------------------------"
)
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/custom-annotations/{ing_type}/nginx-config.yaml")
print(
"------------------------- Deploy Custom Annotations Ingress -----------------------------------"
)
ing_src = f"{TEST_DATA}/custom-annotations/{ing_type}/annotations-ingress.yaml"
create_items_from_yaml(kube_apis, ing_src, test_namespace)
host = get_first_ingress_host_from_yaml(ing_src)
ingress_name = get_name_from_yaml(ing_src)
wait_before_test(1)
ic_pod_name = get_first_pod_name(
kube_apis.v1, ingress_controller_prerequisites.namespace)
def fin():
print("Clean up Custom Annotations Example:")
replace_configmap_from_yaml(
kube_apis.v1,
ingress_controller_prerequisites.config_map['metadata']['name'],
ingress_controller_prerequisites.namespace,
f"{DEPLOYMENTS}/common/nginx-config.yaml")
delete_items_from_yaml(kube_apis, ing_src, test_namespace)
request.addfinalizer(fin)
return CustomAnnotationsSetup(ingress_controller_endpoint, ingress_name,
test_namespace, host, ic_pod_name)
def test_ap_pod_startup(
self,
request,
kube_apis,
ingress_controller_prerequisites,
crd_ingress_controller_with_ap,
appprotect_setup,
test_namespace,
):
"""
Log pod startup time while scaling up from 0 to 1
"""
syslog_dst = f"syslog-svc.{test_namespace}"
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_dst}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- AppProtect module is enabled with correct policy ---------"
)
ensure_response_from_backend(appprotect_setup.req_url,
ingress_host,
check404=True)
ns = ingress_controller_prerequisites.namespace
scale_deployment(kube_apis.v1, kube_apis.apps_v1_api, "nginx-ingress",
ns, 0)
while get_pods_amount(kube_apis.v1, ns) is not 0:
print(f"Number of replicas not 0, retrying...")
wait_before_test()
num = scale_deployment(kube_apis.v1, kube_apis.apps_v1_api,
"nginx-ingress", ns, 1)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
assert num is None
def test_ap_sec_logs_on(self, kube_apis, crd_ingress_controller_with_ap,
appprotect_setup, test_namespace):
"""
Test corresponding log entries with correct policy (includes setting up a syslog server as defined in syslog.yaml)
"""
src_syslog_yaml = f"{TEST_DATA}/appprotect/syslog.yaml"
log_loc = f"/var/log/messages"
create_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
wait_before_test(40)
syslog_ep = (kube_apis.v1.read_namespaced_endpoints(
"syslog-svc", test_namespace).subsets[0].addresses[0].ip)
# items[-1] because syslog pod is last one to spin-up
syslog_pod = kube_apis.v1.list_namespaced_pod(
test_namespace).items[-1].metadata.name
create_ingress_with_ap_annotations(kube_apis, src_ing_yaml,
test_namespace, ap_policy, "True",
"True", f"{syslog_ep}:514")
ingress_host = get_first_ingress_host_from_yaml(src_ing_yaml)
print(
"--------- Run test while AppProtect module is enabled with correct policy ---------"
)
wait_before_test(40)
ensure_response_from_backend(appprotect_setup.req_url, ingress_host)
print(
"----------------------- Send invalid request ----------------------"
)
response = requests.get(appprotect_setup.req_url + "/<script>",
headers={"host": ingress_host},
verify=False)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
assert_invalid_responses(response)
assert (
f'ASM:attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)"'
in log_contents)
assert f'severity="Critical"' in log_contents
assert f'request_status="blocked"' in log_contents
assert f'outcome="REJECTED"' in log_contents
print(
"----------------------- Send valid request ----------------------"
)
headers = {
"Host":
ingress_host,
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
}
response = requests.get(appprotect_setup.req_url,
headers=headers,
verify=False)
print(response.text)
wait_before_test(5)
log_contents = get_file_contents(kube_apis.v1, log_loc, syslog_pod,
test_namespace)
delete_items_from_yaml(kube_apis, src_ing_yaml, test_namespace)
delete_items_from_yaml(kube_apis, src_syslog_yaml, test_namespace)
assert_valid_responses(response)
assert f'ASM:attack_type="N/A"' in log_contents
assert f'severity="Informational"' in log_contents
assert f'request_status="passed"' in log_contents
assert f'outcome="PASSED"' in log_contents
