🌟 add support of workspace networkpolicy

2019-07-23 11:26:41 +08:00
parent a61f9a52b8
commit 75d787f15f
42 changed files with 2867 additions and 31 deletions
--- a/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go
+++ b/pkg/controller/network/wsnetworkpolicy/wsnetworkpolicy_test.go
@@ -0,0 +1,241 @@
+package wsnetworkpolicy
+
+import (
+	"fmt"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	. "github.com/onsi/gomega/gstruct"
+	corev1 "k8s.io/api/core/v1"
+	k8snetwork "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	netv1lister "k8s.io/client-go/listers/networking/v1"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/klog"
+	"kubesphere.io/kubesphere/pkg/apis/network/v1alpha1"
+	tenant "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
+	controllertesting "kubesphere.io/kubesphere/pkg/controller/network/testing"
+)
+
+var (
+	fakeControllerBuilder *controllertesting.FakeControllerBuilder
+	c                     Controller
+	npLister              netv1lister.NetworkPolicyLister
+	stopCh                chan struct{}
+	deletePolicy          metav1.DeletionPropagation
+	testName              string
+)
+
+var _ = Describe("Wsnetworkpolicy", func() {
+	BeforeEach(func() {
+		deletePolicy = metav1.DeletePropagationBackground
+		fakeControllerBuilder = controllertesting.NewFakeControllerBuilder()
+		informer, k8sinformer := fakeControllerBuilder.NewControllerInformer()
+		stopCh = make(chan struct{})
+		c = NewController(fakeControllerBuilder.KubeClient, fakeControllerBuilder.KsClient,
+			informer.Network().V1alpha1().WorkspaceNetworkPolicies(), k8sinformer.Networking().V1().NetworkPolicies(),
+			k8sinformer.Core().V1().Namespaces(), informer.Tenant().V1alpha1().Workspaces())
+		originalController := c.(*controller)
+		go originalController.wsnpInformer.Informer().Run(stopCh)
+		go originalController.networkPolicyInformer.Informer().Run(stopCh)
+		go originalController.namespaceInformer.Informer().Run(stopCh)
+		go originalController.workspaceInformer.Informer().Run(stopCh)
+		originalController.recorder = &record.FakeRecorder{}
+		go c.Run(1, stopCh)
+		npLister = k8sinformer.Networking().V1().NetworkPolicies().Lister()
+		testName = "test"
+		ns1 := newWorkspaceNamespaces("ns1", testName)
+		ns2 := newWorkspaceNamespaces("ns2", testName)
+		_, err := fakeControllerBuilder.KubeClient.CoreV1().Namespaces().Create(ns1)
+		Expect(err).ShouldNot(HaveOccurred())
+		_, err = fakeControllerBuilder.KubeClient.CoreV1().Namespaces().Create(ns2)
+		Expect(err).ShouldNot(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		close(stopCh)
+	})
+
+	It("Should proper ingress rule when using workspaceSelector", func() {
+		label := map[string]string{"workspace": "test-selector"}
+		ws := &tenant.Workspace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "test",
+				Labels: label,
+			},
+		}
+		_, err := fakeControllerBuilder.KsClient.TenantV1alpha1().Workspaces().Create(ws)
+		wsnp := newWorkspaceNP(testName)
+		wsnp.Spec.PolicyTypes = []k8snetwork.PolicyType{k8snetwork.PolicyTypeIngress}
+		wsnp.Spec.Ingress = []v1alpha1.WorkspaceNetworkPolicyIngressRule{
+			v1alpha1.WorkspaceNetworkPolicyIngressRule{
+				From: []v1alpha1.WorkspaceNetworkPolicyPeer{
+					v1alpha1.WorkspaceNetworkPolicyPeer{
+						WorkspaceSelector: &metav1.LabelSelector{
+							MatchLabels: label,
+						},
+					},
+				},
+			}}
+		_, err = fakeControllerBuilder.KsClient.NetworkV1alpha1().WorkspaceNetworkPolicies().Create(wsnp)
+		Expect(err).ShouldNot(HaveOccurred())
+		expect1Json := `{
+			"apiVersion": "networking.k8s.io/v1",
+			"kind": "NetworkPolicy",
+			"metadata": {
+				"name": "test-np",
+				"namespace": "ns1",
+				"labels": {
+					"networking.kubesphere.io/wsnp": "test"
+				}
+			},
+			"spec": {
+				"policyTypes": [
+					"Ingress"
+				],
+				"ingress": [
+					{
+						"from": [
+							{
+								"namespaceSelector": { 
+									"matchLabels": {
+										"kubesphere.io/workspace": "test"
+									}
+								}
+							}
+						]
+					}
+				]
+			}
+		}`
+		expect1 := &k8snetwork.NetworkPolicy{}
+		Expect(controllertesting.StringToObject(expect1Json, expect1)).ShouldNot(HaveOccurred())
+		nps := []*k8snetwork.NetworkPolicy{}
+		Eventually(func() error {
+			selector, _ := labels.Parse(workspaceNetworkPolicyLabel + "==test")
+			nps, err = npLister.List(selector)
+			if err != nil {
+				klog.Errorf("Failed to list npmerr:%s", err.Error())
+				return err
+			}
+			if len(nps) != 2 {
+				return fmt.Errorf("Length is not right, current length :%d", len(nps))
+			}
+			return nil
+		}, time.Second*5, time.Second).ShouldNot(HaveOccurred())
+
+		for _, np := range nps {
+			Expect(np.Labels).To(Equal(expect1.Labels))
+			Expect(np.Spec).To(Equal(expect1.Spec))
+		}
+		// create a new ws will change the `From`
+		ws2 := &tenant.Workspace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "test2",
+				Labels: label,
+			},
+		}
+		_, err = fakeControllerBuilder.KsClient.TenantV1alpha1().Workspaces().Create(ws2)
+		Expect(err).ShouldNot(HaveOccurred())
+		expect2Json := `{
+			"apiVersion": "networking.k8s.io/v1",
+			"kind": "NetworkPolicy",
+			"metadata": {
+				"name": "test-np",
+				"namespace": "ns1",
+				"labels": {
+					"networking.kubesphere.io/wsnp": "test"
+				}
+			},
+			"spec": {
+				"policyTypes": [
+					"Ingress"
+				],
+				"ingress": [
+					{
+						"from": [
+							{
+								"namespaceSelector": { 
+									"matchExpressions": [{
+										"key": "kubesphere.io/workspace",
+										"operator":"In",
+										"values": ["test", "test2"]
+									}]
+								}
+							}
+						]
+					}
+				]
+			}
+		}`
+		expect2 := &k8snetwork.NetworkPolicy{}
+		Expect(controllertesting.StringToObject(expect2Json, expect2)).ShouldNot(HaveOccurred())
+
+		id := func(element interface{}) string {
+			e := element.(*k8snetwork.NetworkPolicy)
+			return e.Namespace
+		}
+		Eventually(func() []*k8snetwork.NetworkPolicy {
+			selector, _ := labels.Parse(workspaceNetworkPolicyLabel + "=test")
+			nps, err := npLister.List(selector)
+			if err != nil {
+				return nil
+			}
+			if len(nps) != 2 {
+				klog.Errorf("Length is not right, current length :%d", len(nps))
+				return nil
+			}
+			return nps
+		}, time.Second*5, time.Second).Should(MatchAllElements(id, Elements{
+			"ns1": PointTo(MatchFields(IgnoreExtras, Fields{
+				"Spec": Equal(expect2.Spec),
+			})),
+			"ns2": PointTo(MatchFields(IgnoreExtras, Fields{
+				"Spec": Equal(expect2.Spec),
+			})),
+		}))
+	})
+
+	It("Should create networkpolicies", func() {
+		//create a wsnp
+		_, err := fakeControllerBuilder.KsClient.NetworkV1alpha1().WorkspaceNetworkPolicies().Create(newWorkspaceNP(testName))
+		Expect(err).ShouldNot(HaveOccurred())
+		Eventually(func() error {
+			selector, _ := labels.Parse(workspaceNetworkPolicyLabel + "=" + testName)
+			nps, err := npLister.List(selector)
+			if err != nil {
+				return err
+			}
+			if len(nps) != 2 {
+				return fmt.Errorf("Length is not right, current length :%d", len(nps))
+			}
+			return nil
+		}, time.Second*5, time.Second).ShouldNot(HaveOccurred())
+		err = fakeControllerBuilder.KsClient.NetworkV1alpha1().WorkspaceNetworkPolicies().Delete(testName, &metav1.DeleteOptions{
+			PropagationPolicy: &deletePolicy,
+		})
+		Expect(err).ShouldNot(HaveOccurred())
+	})
+})
+
+func newWorkspaceNP(name string) *v1alpha1.WorkspaceNetworkPolicy {
+	return &v1alpha1.WorkspaceNetworkPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: v1alpha1.WorkspaceNetworkPolicySpec{
+			Workspace: name,
+		},
+	}
+}
+
+func newWorkspaceNamespaces(ns, ws string) *corev1.Namespace {
+	return &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   ns,
+			Labels: map[string]string{workspaceSelectorLabel: ws},
+		},
+	}
+}