Address comments
Signed-off-by: Qiyue Yao <[email protected]>
qiyueyao committed Apr 30, 2024
1 parent 1b9d133 commit 8c197a5
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions test/e2e/l7networkpolicy_test.go
@@ -297,6 +297,8 @@ func testL7NetworkPolicyHTTP(t *testing.T, data *TestData) {
// Since the fist L7 NetworkPolicy has been deleted, corresponding packets will be matched by the second L7 NetworkPolicy,
// and the second L7 NetworkPolicy allows any HTTP path, then both path 'hostname' and 'clientip' are allowed.
probeL7NetworkPolicyHTTP(t, data, serverPodName, clientPodName, serverIPs, true, true)

data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowAnyPath, metav1.DeleteOptions{})
})
}

@@ -346,6 +348,8 @@ func testL7NetworkPolicyTLS(t *testing.T, data *TestData) {

probeL7NetworkPolicyTLS(t, data, clientPodName, "apis.google.com", false)
probeL7NetworkPolicyTLS(t, data, clientPodName, "www.facebook.com", true)

data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowSNIFacebook, metav1.DeleteOptions{})
}

func testL7NetworkPolicyLogging(t *testing.T, data *TestData) {
@@ -382,28 +386,26 @@ func testL7NetworkPolicyLogging(t *testing.T, data *TestData) {
},
},
}
// Create an L7 NetworkPolicies that allows HTTP path 'hostname', and probe twice
// Create one L7 NetworkPolicy that allows HTTP path 'hostname', and probe twice
// where HTTP path 'hostname' is allowed yet 'clientip' will be rejected.
createL7NetworkPolicy(t, data, true, policyAllowPathHostname, 1, clientPodLabels, serverPodLabels, ProtocolTCP, p8080, l7ProtocolAllowsPathHostname)
time.Sleep(networkPolicyDelay)
probeL7NetworkPolicyHTTP(t, data, serverPodName, clientPodName, serverIPs, true, false)

// Define log matchers for expected L7 NetworkPolicies log entries based on probe.
// Define log matchers for expected L7 NetworkPolicies log entries.
formatChecks := func(typeCheck, pathCheck string) *regexp.Regexp {
matchers := []string{"{", typeCheck}
for _, ip := range serverIPs {
matchers = append(matchers, "(\"hostname\":\""+ip.String()+")")
matchers = append(matchers, `("hostname":"`+ip.String()+`)`)
}
matchers = append(matchers, "(\"http_port\":8080)", pathCheck, "(\"protocol\":\"HTTP)", "}")
matchers = append(matchers, `("http_port":8080)`, pathCheck, `("protocol":"HTTP)`, `}`)
return regexp.MustCompile(strings.Join(matchers, ".*"))
}
clientChecks := formatChecks("(\"event_type\":\"alert\")", "(\"url\":\"/clientip\")")
hostChecks := formatChecks("(\"event_type\":\"http\")", "(\"url\":\"/hostname\")")
clientChecks := formatChecks(`("event_type":"alert")`, `("url":"/clientip")`)
hostChecks := formatChecks(`("event_type":"http")`, `("url":"/hostname")`)
l7LogMatchers := []*regexp.Regexp{clientChecks, hostChecks}

checkAuditLoggingResult(t, data, l7LoggingNode, l7LogDir, "http", l7LogMatchers)

// Delete the L7 NetworkPolicy that only allows HTTP path 'hostname'.
data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowPathHostname, metav1.DeleteOptions{})
time.Sleep(networkPolicyDelay)
}
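Review bot: The `Delete` calls added at the end of the last subtest in testL7NetworkPolicyHTTP and at the end of testL7NetworkPolicyTLS, like the one that closes testL7NetworkPolicyLogging, discard the returned error and sit on the straight-line path, so they are skipped whenever an earlier step ends the test early (for example if the probe helpers call `t.Fatalf`; those helpers are not visible here). If `data.testNamespace` is shared across these tests, a leftover allow policy can change what a later enforcement test observes, and a spurious pass or failure there would be hard to trace back. Registering the cleanup right after the policy is created would cover both the early-exit and the ignored-error case, e.g. `t.Cleanup(func() { if err := data.crdClient.CrdV1beta1().NetworkPolicies(data.testNamespace).Delete(context.TODO(), policyAllowSNIFacebook, metav1.DeleteOptions{}); err != nil { t.Logf("deleting %s: %v", policyAllowSNIFacebook, err) } })`. The create calls for the HTTP and TLS tests and the openings of all three functions are outside the hunks shown.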
