diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
index c2fb822768d9..200e311e986c 100644
--- a/test/extended/networking/egress_firewall.go
+++ b/test/extended/networking/egress_firewall.go
@@ -22,9 +22,11 @@ import (
 const (
 egressFWTestPod = "egressfirewall"
 egressFWE2E = "egress-firewall-e2e"
+ wcEgressFWE2E = "wildcard-egress-firewall-e2e"
 noEgressFWE2E = "no-egress-firewall-e2e"
 egressFWTestImage = "registry.k8s.io/e2e-test-images/agnhost:2.47"
 oVNKManifest = "ovnk-egressfirewall-test.yaml"
+ oVNKWCManifest = "ovnk-egressfirewall-wildcard-test.yaml"
 openShiftSDNManifest = "sdn-egressnetworkpolicy-test.yaml"
 )
@@ -37,7 +39,7 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
 InOVNKubernetesContext(
 func() {
 g.It("should ensure egressfirewall is created", func() {
- doEgressFwTest(egFwf, egFwoc, oVNKManifest, true)
+ doEgressFwTest(egFwf, egFwoc, oVNKManifest, true, false)
 })
 },
 )
@@ -45,10 +47,11 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
 InOpenShiftSDNContext(
 func() {
 g.It("should ensure egressnetworkpolicy is created [apigroup:network.openshift.io]", func() {
- doEgressFwTest(egFwf, egFwoc, openShiftSDNManifest, false)
+ doEgressFwTest(egFwf, egFwoc, openShiftSDNManifest, false, false)
 })
 },
 )
+
 noegFwoc := exutil.NewCLIWithPodSecurityLevel(noEgressFWE2E, admissionapi.LevelBaseline)
 noegFwf := noegFwoc.KubeFramework()
 g.It("egressFirewall should have no impact outside its namespace", func() {
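Review bot: `doEgressFwTest(egFwf, egFwoc, oVNKManifest, true, false)` and `doEgressFwTest(egFwf, egFwoc, openShiftSDNManifest, false, false)` now pass two adjacent bare booleans, so which value is nodeSelectorSupport and which is checkWildcard cannot be read at the call site; the wildcard call in the hunk starting at new line 84 has the same problem. The cheapest fix is to label the arguments, `doEgressFwTest(egFwf, egFwoc, oVNKManifest, true /* nodeSelectorSupport */, false /* checkWildcard */)`, or to fold both flags into a small options struct when the TODO in the following hunk is picked up. The enclosing g.Describe closure begins before the first of these hunks and ends outside them.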
@@ -81,7 +84,25 @@ var _ = g.Describe("[sig-network][Feature:EgressFirewall]", func() {
 })
 })
-func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelectorSupport bool) error {
+var _ = g.Describe("[sig-network][OCPFeatureGate:DNSNameResolver][Feature:EgressFirewall]", func() {
+ // When OVNKubernetes subnet and coredns-ocp-dnsnameresolver plugins are enabled.
+ // coredns-ocp-dnsnameresolver plugin is a TechPreview feature.
+ // TODO:
+ // - Merge this section with main section when feature is GA.
+ // - Merge oVNKManifest & oVNKWCManifest contents.
+ // - Update doEgressFwTest and sendEgressFwTraffic functions.
+ wcEgFwOc := exutil.NewCLIWithPodSecurityLevel(wcEgressFWE2E, admissionapi.LevelPrivileged)
+ wcEgFwF := wcEgFwOc.KubeFramework()
+ InOVNKubernetesContext(
+ func() {
+ g.It("should ensure egressfirewall with wildcard dns rules is created", func() {
+ doEgressFwTest(wcEgFwF, wcEgFwOc, oVNKWCManifest, true, true)
+ })
+ },
+ )
+})
+
+func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelectorSupport, checkWildcard bool) error {
 g.By("creating test pod")
 o.Expect(createTestEgressFw(f, egressFWTestPod)).To(o.Succeed())
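Review bot: The wildcard test's CLI is created with `admissionapi.LevelPrivileged` while the no-egress-firewall CLI in the preceding hunk uses `admissionapi.LevelBaseline`; the only thing the visible code does with the test pod is run curl through `oc exec`, so unless it needs a capability not shown here the namespace should get the lowest level that passes, `wcEgFwOc := exutil.NewCLIWithPodSecurityLevel(wcEgressFWE2E, admissionapi.LevelBaseline)` (the level used for egFwoc is outside the hunk; if it is deliberately higher, match it and say why). The new checkWildcard parameter on `doEgressFwTest` is undocumented, and its coupling to the manifest is implicit; a header comment such as `// doEgressFwTest creates the test pod, applies manifest as admin and verifies allowed and denied egress; checkWildcard additionally exercises the *.google.com rule and is only valid with oVNKWCManifest.` would make that explicit. The local names `wcEgFwOc`/`wcEgFwF` also break the casing of the existing `egFwoc`/`egFwf` pair. doEgressFwTest's body continues past the end of the hunk.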
@@ -98,14 +119,14 @@ func doEgressFwTest(f *e2e.Framework, oc *exutil.CLI, manifest string, nodeSelec
 err := oc.AsAdmin().Run("create").Args("-f", egFwYaml).Execute()
 o.Expect(err).NotTo(o.HaveOccurred(), "created egress-firewall object")
- o.Expect(sendEgressFwTraffic(f, oc, egressFWTestPod, nodeSelectorSupport)).To(o.Succeed())
+ o.Expect(sendEgressFwTraffic(f, oc, egressFWTestPod, nodeSelectorSupport, checkWildcard)).To(o.Succeed())
 g.By("deleting test pod")
 deleteTestEgressFw(f)
 return err
 }
-func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelectorSupport bool) error {
+func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelectorSupport, checkWildcard bool) error {
 infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(context.Background(), "cluster", metav1.GetOptions{})
 o.Expect(err).NotTo(o.HaveOccurred(), "failed to get cluster-wide infrastructure")
@@ -128,10 +149,22 @@ func sendEgressFwTraffic(f *e2e.Framework, oc *exutil.CLI, pod string, nodeSelec
 _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://docs.openshift.com").Output()
 expectNoError(err)
- // Test curl to www.google.com:80 should fail
- // because we don't have allow dns rule for www.google.com:80
+ if checkWildcard {
+ // Test curl to `www.google.com` and `translate.google.com` should pass
+ // because we have allow dns rule for `*.google.com`.
+ g.By("sending traffic to `www.google.com` that matches allow dns rule for `*.google.com`")
+ _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://www.google.com").Output()
+ expectNoError(err)
+
+ g.By("sending traffic to `translate.google.com` that matches allow dns rule for `*.google.com`")
+ _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "https://translate.google.com").Output()
+ expectNoError(err)
+ }
+
+ // Test curl to www.redhat.com should fail
+ // because we don't have allow dns rule for www.redhat.com
 g.By("sending traffic that does not match allow dns rule")
- _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "http://www.google.com:80").Output()
+ _, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m3", "http://www.redhat.com").Output()
 expectError(err)
 if nodeSelectorSupport {
diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go
index 2a900e62db26..eb4e67b0d4aa 100644
--- a/test/extended/testdata/bindata.go
+++ b/test/extended/testdata/bindata.go
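Review bot: `expectError(err)` after the `http://www.redhat.com` curl treats any curl failure as a successful deny, so a name that does not resolve, a transient outage or an HTTP-level problem passes the check exactly as a firewall drop would; the two new wildcard allow checks have the mirror weakness, since a flaky `www.google.com` or `translate.google.com` fails the test without saying anything about the `*.google.com` rule. Capturing the curl exit status and asserting on it (curl exits 28 on the `-m3` timeout, which is what a dropped connection should produce, and 6 when the host could not be resolved) would separate "blocked by egress firewall" from "unreachable"; presumably OVN drops rather than rejects, so confirm which exit code applies before pinning it. The wildcard branch covers only two matching names, and no check pins that the wildcard does not over-match: if DNSNameResolver defines `*.google.com` as excluding the apex, an expected-denied `https://google.com` would lock that boundary in, but verify the feature's semantics first. sendEgressFwTraffic begins and ends outside the hunk.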
@@ -306,6 +306,7 @@ // test/extended/testdata/deployments/test-deployment-broken.yaml // test/extended/testdata/deployments/test-deployment-test.yaml // test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml +// test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml // test/extended/testdata/egress-firewall/sdn-egressnetworkpolicy-test.yaml // test/extended/testdata/egress-router-cni/egress-router-cni-v4-cr.yaml // test/extended/testdata/egress-router-cni/egress-router-cni-v6-cr.yaml @@ -43416,6 +43417,46 @@ func testExtendedTestdataEgressFirewallOvnkEgressfirewallTestYaml() (*asset, err return a, nil } +var _testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYaml = []byte(`apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default +spec: + egress: + - type: Allow + to: + dnsName: docs.openshift.com + - type: Allow + to: + dnsName: "*.google.com" + - type: Allow + to: + cidrSelector: 8.8.8.8/32 + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: '' + - type: Deny + to: + cidrSelector: 0.0.0.0/0 +`) + +func testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYamlBytes() ([]byte, error) { + return _testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYaml, nil +} + +func testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYaml() (*asset, error) { + bytes, err := testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _testExtendedTestdataEgressFirewallSdnEgressnetworkpolicyTestYaml = []byte(`apiVersion: network.openshift.io/v1 kind: EgressNetworkPolicy metadata: 
@@ -55234,6 +55275,7 @@ var _bindata = map[string]func() (*asset, error){ "test/extended/testdata/deployments/test-deployment-broken.yaml": testExtendedTestdataDeploymentsTestDeploymentBrokenYaml, "test/extended/testdata/deployments/test-deployment-test.yaml": testExtendedTestdataDeploymentsTestDeploymentTestYaml, "test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml": testExtendedTestdataEgressFirewallOvnkEgressfirewallTestYaml, + "test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml": testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYaml, "test/extended/testdata/egress-firewall/sdn-egressnetworkpolicy-test.yaml": testExtendedTestdataEgressFirewallSdnEgressnetworkpolicyTestYaml, "test/extended/testdata/egress-router-cni/egress-router-cni-v4-cr.yaml": testExtendedTestdataEgressRouterCniEgressRouterCniV4CrYaml, "test/extended/testdata/egress-router-cni/egress-router-cni-v6-cr.yaml": testExtendedTestdataEgressRouterCniEgressRouterCniV6CrYaml, 
@@ -55914,8 +55956,9 @@ var _bintree = &bintree{nil, map[string]*bintree{ "test-deployment-test.yaml": {testExtendedTestdataDeploymentsTestDeploymentTestYaml, map[string]*bintree{}}, }}, "egress-firewall": {nil, map[string]*bintree{ - "ovnk-egressfirewall-test.yaml": {testExtendedTestdataEgressFirewallOvnkEgressfirewallTestYaml, map[string]*bintree{}}, - "sdn-egressnetworkpolicy-test.yaml": {testExtendedTestdataEgressFirewallSdnEgressnetworkpolicyTestYaml, map[string]*bintree{}}, + "ovnk-egressfirewall-test.yaml": {testExtendedTestdataEgressFirewallOvnkEgressfirewallTestYaml, map[string]*bintree{}}, + "ovnk-egressfirewall-wildcard-test.yaml": {testExtendedTestdataEgressFirewallOvnkEgressfirewallWildcardTestYaml, map[string]*bintree{}}, + "sdn-egressnetworkpolicy-test.yaml": {testExtendedTestdataEgressFirewallSdnEgressnetworkpolicyTestYaml, map[string]*bintree{}}, }}, "egress-router-cni": {nil, map[string]*bintree{ "egress-router-cni-v4-cr.yaml": {testExtendedTestdataEgressRouterCniEgressRouterCniV4CrYaml, map[string]*bintree{}}, diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml new file mode 100644 index 000000000000..fa39c329f2eb --- /dev/null +++ b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml @@ -0,0 +1,23 @@ +apiVersion: k8s.ovn.org/v1 +kind: EgressFirewall +metadata: + name: default +spec: + egress: + - type: Allow + to: + dnsName: docs.openshift.com + - type: Allow + to: + dnsName: "*.google.com" + - type: Allow + to: + cidrSelector: 8.8.8.8/32 + - type: Allow + to: + nodeSelector: + matchLabels: + node-role.kubernetes.io/control-plane: '' + - type: Deny + to: + cidrSelector: 0.0.0.0/0 diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go index 8222ca4287b5..4ba727fa7fd2 100644 
--- a/test/extended/util/annotate/generated/zz_generated.annotations.go +++ b/test/extended/util/annotate/generated/zz_generated.annotations.go @@ -1437,6 +1437,8 @@ var Annotations = map[string]string{ "[sig-network][Feature:vlan] should create pingable pods with vlan interface on an in-container master [apigroup:k8s.cni.cncf.io]": " [Suite:openshift/conformance/parallel]", + "[sig-network][OCPFeatureGate:DNSNameResolver][Feature:EgressFirewall] when using openshift ovn-kubernetes should ensure egressfirewall with wildcard dns rules is created": " [Suite:openshift/conformance/parallel]", + "[sig-network][OCPFeatureGate:NetworkDiagnosticsConfig][Serial] Should be enabled by default": " [Suite:openshift/conformance/serial]", "[sig-network][OCPFeatureGate:NetworkDiagnosticsConfig][Serial] Should function without any target pods": " [Suite:openshift/conformance/serial]", diff --git a/zz_generated.manifests/test-reporting.yaml b/zz_generated.manifests/test-reporting.yaml index d839a4861b76..168659498fce 100644 --- a/zz_generated.manifests/test-reporting.yaml +++ b/zz_generated.manifests/test-reporting.yaml @@ -5,6 +5,11 @@ metadata: name: cluster spec: testsForFeatureGates: + - featureGate: DNSNameResolver + tests: + - testName: '[sig-network][OCPFeatureGate:DNSNameResolver][Feature:EgressFirewall] + when using openshift ovn-kubernetes should ensure egressfirewall with wildcard + dns rules is created' - featureGate: Example tests: - testName: '[sig-arch][OCPFeatureGate:Example] should only run FeatureGated test