allow kubernetes_patch_networkpolicy to separately enable/disable (#171)

ingress/egress
IntelLabs · Aug 30, 2024 · f18623f · f18623f
1 parent 03486e6
commit f18623f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 12 deletions.
diff --git a/docs/libraries.rst b/docs/libraries.rst
@@ -437,10 +437,14 @@ Patch an existing Kubernetes network policy.
      - ``string``
      - 
      - The target network policy to patch
-   * - ``network_enabled``
+   * - ``ingress_enabled``
      - ``bool``
      - 
-     - Should the network be enabled
+     - Should ingress (i.e., incoming) network traffic be enabled
+   * - ``egress_enabled``
+     - ``bool``
+     - 
+     - Should egress (i.e., outgoing) network traffic be enabled
    * - ``match_label``
      - ``key_value``
      - 

diff --git a/...rio_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py b/...rio_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py
@@ -29,11 +29,12 @@ class KubernetesPatchNetworkPolicyState(Enum):
 
 class KubernetesPatchNetworkPolicy(BaseAction):
 
-    def __init__(self, namespace: str, target: str, network_enabled: bool, match_label: tuple, within_cluster: bool):
+    def __init__(self, namespace: str, target: str, ingress_enabled: bool, egress_enabled: bool, match_label: tuple, within_cluster: bool):
         super().__init__()
         self.namespace = namespace
         self.target = target
-        self.network_enabled = network_enabled
+        self.ingress_enabled = ingress_enabled
+        self.egress_enabled = egress_enabled
         self.within_cluster = within_cluster
         if not isinstance(match_label, dict) or not "key" in match_label or not "value" in match_label:
             raise ValueError("match_label expected to be key-value pair.")
@@ -53,7 +54,7 @@ def setup(self, **kwargs):
     def update(self) -> py_trees.common.Status:  # pylint: disable=too-many-return-statements
         if self.current_state == KubernetesPatchNetworkPolicyState.IDLE:
             self.current_request = self.network_client.patch_namespaced_network_policy(self.target, body=self.get_network_policy(
-                policy_name=self.target, enable=self.network_enabled, match_label=self.match_label), namespace=self.namespace, async_req=True)
+                policy_name=self.target, enable_ingress=self.ingress_enabled, enable_egress=self.egress_enabled, match_label=self.match_label), namespace=self.namespace, async_req=True)
             self.current_state = KubernetesPatchNetworkPolicyState.REQUEST_SENT
             self.feedback_message = f"Requested patching '{self.target}' in namespace '{self.namespace}'"  # pylint: disable= attribute-defined-outside-init
             return py_trees.common.Status.RUNNING
@@ -76,14 +77,16 @@ def update(self) -> py_trees.common.Status:  # pylint: disable=too-many-return-s
                 return py_trees.common.Status.FAILURE
         return py_trees.common.Status.FAILURE
 
-    def get_network_policy(self, policy_name, match_label, enable):
+    def get_network_policy(self, policy_name, match_label, enable_ingress, enable_egress):
         body = client.V1NetworkPolicy()
         body.metadata = client.V1ObjectMeta(name=f"{policy_name}")
         body.spec = client.V1NetworkPolicySpec(pod_selector=client.V1LabelSelector(match_labels={match_label["key"]: match_label["value"]}))
-        if enable:
-            body.spec.egress = [client.V1NetworkPolicyEgressRule()]
+        if enable_ingress:
             body.spec.ingress = [client.V1NetworkPolicyIngressRule()]
         else:
-            body.spec.egress = []
             body.spec.ingress = []
+        if enable_egress:
+            body.spec.egress = [client.V1NetworkPolicyEgressRule()]
+        else:
+            body.spec.egress = []
         return body
diff --git a/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc b/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc
@@ -36,7 +36,8 @@ action kubernetes_delete inherits kubernetes_base_action:
 action kubernetes_patch_network_policy inherits kubernetes_base_action:
     # patch an existing network policy
     target: string                              # network-policy to patch
-    network_enabled: bool                       # should the network be enabled?
+    ingress_enabled: bool                       # should incoming network traffic be enabled?
+    egress_enabled: bool                        # should outgoing network traffic be enabled?
     match_label: key_value   
 
 action kubernetes_patch_pod inherits kubernetes_base_action:

diff --git a/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc b/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc
@@ -8,6 +8,6 @@ scenario test_kubernetes_create_from_yaml:
         kubernetes_create_from_yaml(yaml_file: "test.yaml")
         kubernetes_wait_for_pod_status(target: "test", status: kubernetes_pod_status!running)
         #kubernetes_wait_for_network_policy_status("test-network-policy", kubernetes_network_policy_status!added)
-        kubernetes_patch_network_policy(target: "test-network-policy", network_enabled: false, match_label: key_value("app", "foo"))
-        kubernetes_patch_network_policy(target: "test-network-policy", network_enabled: true, match_label: key_value("app", "foo"))
+        kubernetes_patch_network_policy(target: "test-network-policy", ingress_enabled: false, egress_enabled: false, match_label: key_value("app", "foo"))
+        kubernetes_patch_network_policy(target: "test-network-policy", ingress_enabled: true, egress_enabled: true, match_label: key_value("app", "foo"))
         kubernetes_delete(target: "test", element_type: kubernetes_element_type!pod)