From f18623f15422e9e177e21fcc7d8aca761cc81d95 Mon Sep 17 00:00:00 2001
From: Florian Mirus
Date: Fri, 30 Aug 2024 15:47:09 +0200
Subject: [PATCH] allow kubernetes_patch_networkpolicy to separately enable/disable (#171) ingress/egress
---
docs/libraries.rst | 8 ++++++--
.../kubernetes_patch_network_policy.py | 17 ++++++++++-------
.../lib_osc/kubernetes.osc | 3 ++-
.../scenarios/test_kubernetes_create_delete.osc | 4 ++--
4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/docs/libraries.rst b/docs/libraries.rst
index bdcaf422..82d4655c 100644
--- a/docs/libraries.rst
+++ b/docs/libraries.rst
@@ -437,10 +437,14 @@ Patch an existing Kubernetes network policy. - ``string`` - - The target network policy to patch - * - ``network_enabled`` + * - ``ingress_enabled`` - ``bool`` - - - Should the network be enabled + - Should ingress (i.e., incoming) network traffic be enabled + * - ``egress_enabled`` + - ``bool`` + - + - Should egress (i.e., outgoing) network traffic be enabled * - ``match_label`` - ``key_value`` -
diff --git a/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py b/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py
index 4f8a98c6..e7282fef 100644
--- a/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py
+++ b/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/kubernetes_patch_network_policy.py
@@ -29,11 +29,12 @@ class KubernetesPatchNetworkPolicyState(Enum):
class KubernetesPatchNetworkPolicy(BaseAction):
- def __init__(self, namespace: str, target: str, network_enabled: bool, match_label: tuple, within_cluster: bool):
+ def __init__(self, namespace: str, target: str, ingress_enabled: bool, egress_enabled: bool, match_label: tuple, within_cluster: bool):
super().__init__()
self.namespace = namespace
self.target = target
- self.network_enabled = network_enabled
+ self.ingress_enabled = ingress_enabled
+ self.egress_enabled = egress_enabled
self.within_cluster = within_cluster
if not isinstance(match_label, dict) or not "key" in match_label or not "value" in match_label:
raise ValueError("match_label expected to be key-value pair.")
@@ -53,7 +54,7 @@ def setup(self, **kwargs):
def update(self) -> py_trees.common.Status: # pylint: disable=too-many-return-statements
if self.current_state == KubernetesPatchNetworkPolicyState.IDLE:
self.current_request = self.network_client.patch_namespaced_network_policy(self.target, body=self.get_network_policy(
- policy_name=self.target, enable=self.network_enabled, match_label=self.match_label), namespace=self.namespace, async_req=True)
+ policy_name=self.target, enable_ingress=self.ingress_enabled, enable_egress=self.egress_enabled, match_label=self.match_label), namespace=self.namespace, async_req=True)
self.current_state = KubernetesPatchNetworkPolicyState.REQUEST_SENT
self.feedback_message = f"Requested patching '{self.target}' in namespace '{self.namespace}'" # pylint: disable= attribute-defined-outside-init
return py_trees.common.Status.RUNNING
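Review bot: The rewritten `__init__` signature still annotates `match_label: tuple`, while the check just below the new `self.egress_enabled` assignment rejects anything that is not a `dict` carrying `key` and `value`, so the annotation contradicts the runtime contract on a line this commit already rewrites. Since the signature is changing anyway, `match_label: dict` would let a reader and a type checker agree with the `isinstance` test. The body of `__init__` continues past the end of the hunk.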
@@ -76,14 +77,16 @@ def update(self) -> py_trees.common.Status: # pylint: disable=too-many-return-s
return py_trees.common.Status.FAILURE
return py_trees.common.Status.FAILURE
- def get_network_policy(self, policy_name, match_label, enable):
+ def get_network_policy(self, policy_name, match_label, enable_ingress, enable_egress):
body = client.V1NetworkPolicy()
body.metadata = client.V1ObjectMeta(name=f"{policy_name}")
body.spec = client.V1NetworkPolicySpec(pod_selector=client.V1LabelSelector(match_labels={match_label["key"]: match_label["value"]}))
- if enable:
- body.spec.egress = [client.V1NetworkPolicyEgressRule()]
+ if enable_ingress:
body.spec.ingress = [client.V1NetworkPolicyIngressRule()]
else:
- body.spec.egress = []
body.spec.ingress = []
+ if enable_egress:
+ body.spec.egress = [client.V1NetworkPolicyEgressRule()]
+ else:
+ body.spec.egress = []
return body
diff --git a/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc b/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc
index 170a5385..76224aed 100644
--- a/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc
+++ b/libs/scenario_execution_kubernetes/scenario_execution_kubernetes/lib_osc/kubernetes.osc
@@ -36,7 +36,8 @@ action kubernetes_delete inherits kubernetes_base_action:
action kubernetes_patch_network_policy inherits kubernetes_base_action: # patch an existing network policy
target: string # network-policy to patch
- network_enabled: bool # should the network be enabled?
+ ingress_enabled: bool # should incoming network traffic be enabled?
+ egress_enabled: bool # should outgoing network traffic be enabled?
match_label: key_value
action kubernetes_patch_pod inherits kubernetes_base_action:
diff --git a/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc b/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc
index 7f98de05..f13f3448 100644
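Review bot: `enable_egress=False` only yields `body.spec.egress = []`, and whether an empty egress list actually denies outgoing traffic depends on the `policyTypes` already stored on the policy being patched, which the spec built in `get_network_policy` never sets; under Kubernetes' defaulting a policy without `Egress` in its `policyTypes` leaves egress unrestricted, so the "disabled" direction can silently stay open. Setting the types explicitly makes both flags mean what their names say: `body.spec = client.V1NetworkPolicySpec(pod_selector=client.V1LabelSelector(match_labels={match_label["key"]: match_label["value"]}), policy_types=["Ingress", "Egress"])`. The old single `enable` flag had the same gap, so this is not a regression, but the split is the moment to close it. A short docstring would also help a reader, since an empty `V1NetworkPolicyIngressRule()` with no selectors allows all traffic while an empty list allows none, and the two look alike at a glance.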
--- a/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc
+++ b/libs/scenario_execution_kubernetes/scenarios/test_kubernetes_create_delete.osc
@@ -8,6 +8,6 @@ scenario test_kubernetes_create_from_yaml:
kubernetes_create_from_yaml(yaml_file: "test.yaml")
kubernetes_wait_for_pod_status(target: "test", status: kubernetes_pod_status!running)
#kubernetes_wait_for_network_policy_status("test-network-policy", kubernetes_network_policy_status!added)
- kubernetes_patch_network_policy(target: "test-network-policy", network_enabled: false, match_label: key_value("app", "foo"))
- kubernetes_patch_network_policy(target: "test-network-policy", network_enabled: true, match_label: key_value("app", "foo"))
+ kubernetes_patch_network_policy(target: "test-network-policy", ingress_enabled: false, egress_enabled: false, match_label: key_value("app", "foo"))
+ kubernetes_patch_network_policy(target: "test-network-policy", ingress_enabled: true, egress_enabled: true, match_label: key_value("app", "foo"))
kubernetes_delete(target: "test", element_type: kubernetes_element_type!pod)