From fe29b185eb38be3ebe9bb8bf13ba9fc5c9b2e1c9 Mon Sep 17 00:00:00 2001 From: Matthias Bertschy Date: Thu, 22 Aug 2024 08:49:31 +0200 Subject: [PATCH] migrate network tests to NetworkNeighborhoods 
Signed-off-by: Matthias Bertschy --- ...ghborses.yaml => networkneighborhood.yaml} | 8 +- .../busybox-known-server.json | 90 ++++++++++++++ .../busybox.json | 93 ++++++++++++++ .../deployment-mariadb-basic.json | 41 ++++--- .../deployment-mariadb.json | 41 ++++--- .../deployment-nginx-basic.json | 57 +++++++++ .../deployment-nginx.json | 11 +- .../deployment-wikijs-basic.json | 76 ++++++++++++ .../deployment-wikijs.json | 112 +++++++++++++++++ .../busybox-known-server.json | 85 ------------- .../expected-network-neighbors/busybox.json | 88 -------------- .../deployment-nginx-basic.json | 52 -------- .../deployment-wikijs-basic.json | 71 ----------- .../deployment-wikijs.json | 107 ----------------- .../tests_cases/network_policy_tests.py | 40 +++---- infrastructure/kubectl_wrapper.py | 12 +- system_test_mapping.json | 12 +- systest_utils/statics.py | 2 +- tests_scripts/helm/base_network_policy.py | 85 +++++++------ tests_scripts/helm/network_policy.py | 113 +++++++++--------- tests_scripts/helm/synchronizer.py | 20 +++- tests_scripts/kubernetes/base_k8s.py | 43 ++++--- 22 files changed, 662 insertions(+), 597 deletions(-) rename configurations/kubescape-crds/supported/{networkneighborses.yaml => networkneighborhood.yaml} (85%) create mode 100644 configurations/network-policy/expected-network-neighborhood/busybox-known-server.json create mode 100644 configurations/network-policy/expected-network-neighborhood/busybox.json rename configurations/network-policy/{expected-network-neighbors => expected-network-neighborhood}/deployment-mariadb-basic.json (53%) rename configurations/network-policy/{expected-network-neighbors => expected-network-neighborhood}/deployment-mariadb.json (53%) create mode 100644 configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json rename configurations/network-policy/{expected-network-neighbors => expected-network-neighborhood}/deployment-nginx.json (82%) create mode 100644 
configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json create mode 100644 configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json delete mode 100644 configurations/network-policy/expected-network-neighbors/busybox-known-server.json delete mode 100644 configurations/network-policy/expected-network-neighbors/busybox.json delete mode 100644 configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json delete mode 100644 configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json delete mode 100644 configurations/network-policy/expected-network-neighbors/deployment-wikijs.json diff --git a/configurations/kubescape-crds/supported/networkneighborses.yaml b/configurations/kubescape-crds/supported/networkneighborhood.yaml similarity index 85% rename from configurations/kubescape-crds/supported/networkneighborses.yaml rename to configurations/kubescape-crds/supported/networkneighborhood.yaml index 0b291f88..06f8d83c 100644 --- a/configurations/kubescape-crds/supported/networkneighborses.yaml +++ b/configurations/kubescape-crds/supported/networkneighborhood.yaml @@ -1,10 +1,12 @@ -kind: NetworkNeighbors +kind: NetworkNeighborhood apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1 spec: matchLabels: app: nginx - ingress: - egress: + containers: + - name: nginx + ingress: + egress: metadata: name: deployment-nginx labels: diff --git a/configurations/network-policy/expected-network-neighborhood/busybox-known-server.json b/configurations/network-policy/expected-network-neighborhood/busybox-known-server.json new file mode 100644 index 00000000..133b4429 --- /dev/null +++ b/configurations/network-policy/expected-network-neighborhood/busybox-known-server.json 
@@ -0,0 +1,90 @@ +{ + "kind": "NetworkNeighborhood", + "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", + "metadata": { + "name": "deployment-busybox-deployment", + "namespace": "systest-ns-myoi", + "uid": "3ca77764-ca27-492f-b752-ef4560887a28", + "resourceVersion": "1", + "creationTimestamp": "2024-07-03T15:37:19Z", + "labels": { + "kubescape.io/workload-api-group": "apps", + "kubescape.io/workload-api-version": "v1", + "kubescape.io/workload-kind": "Deployment", + "kubescape.io/workload-name": "busybox-deployment" + }, + "annotations": { + "kubescape.io/completion": "complete", + "kubescape.io/status": "ready" + } + }, + "spec": { + "containers": [ + { + "name": "busybox", + "egress": [ + { + "identifier": "238053dc2e1cbe8820de562678e8cde84593e95d41e6f1a58bb987741f9e30a3", + "type": "external", + "dns": "", + "ports": [ + { + "name": "TCP-80", + "protocol": "TCP", + "port": 80 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "185.199.108.153" + }, + { + "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "UDP-53", + "protocol": "UDP", + "port": 53 + } + ], + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + }, + "ipAddress": "" + }, + { + "identifier": "35d62fc884ab3d8896d6be5bad0176619aa60756d33dfa47c9de024902a720c5", + "type": "external", + "dns": "www.google.com.", + "dnsNames": [ + "www.google.com." + ], + "ports": [ + { + "name": "TCP-80", + "protocol": "TCP", + "port": 80 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "142.250.179.68" + } + ], + "ingress": [] + } + ], + "matchLabels": { + "app": "busybox" + } + } +} 
diff --git a/configurations/network-policy/expected-network-neighborhood/busybox.json b/configurations/network-policy/expected-network-neighborhood/busybox.json new file mode 100644 index 00000000..69913072 --- /dev/null +++ b/configurations/network-policy/expected-network-neighborhood/busybox.json 
@@ -0,0 +1,93 @@ +{ + "kind": "NetworkNeighborhood", + "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", + "metadata": { + "name": "deployment-busybox-deployment", + "namespace": "systest-ns-rxrl", + "uid": "07e74b42-8ba2-46b1-9de9-f6c33e3b180c", + "resourceVersion": "1", + "creationTimestamp": "2024-07-03T15:30:40Z", + "labels": { + "kubescape.io/workload-api-group": "apps", + "kubescape.io/workload-api-version": "v1", + "kubescape.io/workload-kind": "Deployment", + "kubescape.io/workload-name": "busybox-deployment" + }, + "annotations": { + "kubescape.io/completion": "complete", + "kubescape.io/status": "ready" + } + }, + "spec": { + "containers": [ + { + "name": "busybox", + "egress": [ + { + "identifier": "66c89b9fd8bd51e9c16c2eb568c64285e1bf89a98e5eb878c7cfb123246857a6", + "type": "external", + "dns": "google.com.", + "dnsNames": [ + "google.com." + ], + "ports": [ + { + "name": "TCP-80", + "protocol": "TCP", + "port": 80 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "142.250.179.78" + }, + { + "identifier": "35d62fc884ab3d8896d6be5bad0176619aa60756d33dfa47c9de024902a720c5", + "type": "external", + "dns": "www.google.com.", + "dnsNames": [ + "www.google.com." + ], + "ports": [ + { + "name": "TCP-80", + "protocol": "TCP", + "port": 80 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "142.250.179.68" + }, + { + "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "UDP-53", + "protocol": "UDP", + "port": 53 + } + ], + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + }, + "ipAddress": "" + } + ], + "ingress": [] + } + ], + "matchLabels": { + "app": "busybox" + } + } +} 
diff --git a/configurations/network-policy/expected-network-neighbors/deployment-mariadb-basic.json b/configurations/network-policy/expected-network-neighborhood/deployment-mariadb-basic.json similarity index 53% rename from configurations/network-policy/expected-network-neighbors/deployment-mariadb-basic.json rename to configurations/network-policy/expected-network-neighborhood/deployment-mariadb-basic.json index c627d10a..a4ef2921 100644 --- a/configurations/network-policy/expected-network-neighbors/deployment-mariadb-basic.json +++ b/configurations/network-policy/expected-network-neighborhood/deployment-mariadb-basic.json @@ -1,5 +1,5 @@ { - "kind": "NetworkNeighbors", + "kind": "NetworkNeighborhood", "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", "metadata": { "name": "deployment-mariadb", @@ -22,27 +22,32 @@ "matchLabels": { "app": "mariadb" }, - "ingress": [ + "containers": [ { - "identifier": "ee5c5b2f07834fa64174c3d2ad0505366e4b26777174906b91e83dcd163f8ec2", - "type": "internal", - "dns": "", - "ports": [ + "name": "mariadb", + "ingress": [ { - "name": "TCP-3306", - "protocol": "TCP", - "port": 3306 + "identifier": "ee5c5b2f07834fa64174c3d2ad0505366e4b26777174906b91e83dcd163f8ec2", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "TCP-3306", + "protocol": "TCP", + "port": 3306 + } + ], + "podSelector": { + "matchLabels": { + "app": "wikijs" + } + }, + "namespaceSelector": null, + "ipAddress": "" } ], - "podSelector": { - "matchLabels": { - "app": "wikijs" - } - }, - "namespaceSelector": null, - "ipAddress": "" + "egress": [] } - ], - "egress": [] + ] } } 
diff --git a/configurations/network-policy/expected-network-neighbors/deployment-mariadb.json b/configurations/network-policy/expected-network-neighborhood/deployment-mariadb.json similarity index 53% rename from configurations/network-policy/expected-network-neighbors/deployment-mariadb.json rename to configurations/network-policy/expected-network-neighborhood/deployment-mariadb.json index 686bd6f9..36180162 100644 --- a/configurations/network-policy/expected-network-neighbors/deployment-mariadb.json +++ b/configurations/network-policy/expected-network-neighborhood/deployment-mariadb.json @@ -1,5 +1,5 @@ { - "kind": "NetworkNeighbors", + "kind": "NetworkNeighborhood", "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", "metadata": { "name": "deployment-mariadb", @@ -19,26 +19,31 @@ } }, "spec": { - "egress": [], - "ingress": [ + "containers": [ { - "identifier": "ee5c5b2f07834fa64174c3d2ad0505366e4b26777174906b91e83dcd163f8ec2", - "type": "internal", - "dns": "", - "ports": [ + "name": "mariadb", + "egress": [], + "ingress": [ { - "name": "TCP-3306", - "protocol": "TCP", - "port": 3306 + "identifier": "ee5c5b2f07834fa64174c3d2ad0505366e4b26777174906b91e83dcd163f8ec2", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "TCP-3306", + "protocol": "TCP", + "port": 3306 + } + ], + "podSelector": { + "matchLabels": { + "app": "wikijs" + } + }, + "namespaceSelector": null, + "ipAddress": "" } - ], - "podSelector": { - "matchLabels": { - "app": "wikijs" - } - }, - "namespaceSelector": null, - "ipAddress": "" + ] } ], "matchLabels": { diff --git a/configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json b/configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json new file mode 100644 index 00000000..59d264fa --- /dev/null +++ b/configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json 
@@ -0,0 +1,57 @@ +{ + "kind": "NetworkNeighborhood", + "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", + "metadata": { + "name": "deployment-nginx", + "namespace": "systest-ns-hvt7", + "uid": "389bed91-3f2d-464d-9b70-7d29309162a5", + "resourceVersion": "1", + "creationTimestamp": "2024-07-03T15:42:51Z", + "labels": { + "kubescape.io/workload-api-group": "apps", + "kubescape.io/workload-api-version": "v1", + "kubescape.io/workload-kind": "Deployment", + "kubescape.io/workload-name": "nginx" + }, + "annotations": { + "kubescape.io/completion": "complete", + "kubescape.io/status": "ready" + } + }, + "spec": { + "matchLabels": { + "app": "nginx" + }, + "containers": [ + { + "name": "nginx", + "ingress": [], + "egress": [ + { + "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "UDP-53", + "protocol": "UDP", + "port": 53 + } + ], + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + }, + "ipAddress": "" + } + ] + } + ] + } +} diff --git a/configurations/network-policy/expected-network-neighbors/deployment-nginx.json b/configurations/network-policy/expected-network-neighborhood/deployment-nginx.json similarity index 82% rename from configurations/network-policy/expected-network-neighbors/deployment-nginx.json rename to configurations/network-policy/expected-network-neighborhood/deployment-nginx.json index 189a6967..92a90174 100644 --- a/configurations/network-policy/expected-network-neighbors/deployment-nginx.json +++ b/configurations/network-policy/expected-network-neighborhood/deployment-nginx.json @@ -1,5 +1,5 @@ { - "kind": "NetworkNeighbors", + "kind": "NetworkNeighborhood", "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", "metadata": { "name": "deployment-nginx", 
@@ -19,8 +19,13 @@ } }, "spec": { - "egress": [], - "ingress": [], + "containers": [ + { + "name": "nginx", + "egress": [], + "ingress": [] + } + ], "matchLabels": { "app": "nginx" } diff --git a/configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json b/configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json new file mode 100644 index 00000000..3bf9cc46 --- /dev/null +++ b/configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json 
@@ -0,0 +1,76 @@ +{ + "kind": "NetworkNeighborhood", + "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", + "metadata": { + "name": "deployment-wikijs", + "namespace": "systest-ns-hvt7", + "uid": "6601c441-3774-42c8-8350-39770c6021ea", + "resourceVersion": "1", + "creationTimestamp": "2024-07-03T15:42:52Z", + "labels": { + "kubescape.io/workload-api-group": "apps", + "kubescape.io/workload-api-version": "v1", + "kubescape.io/workload-kind": "Deployment", + "kubescape.io/workload-name": "wikijs" + }, + "annotations": { + "kubescape.io/completion": "complete", + "kubescape.io/status": "ready" + } + }, + "spec": { + "matchLabels": { + "app": "wikijs" + }, + "containers": [ + { + "name": "wikijs", + "ingress": [], + "egress": [ + { + "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "UDP-53", + "protocol": "UDP", + "port": 53 + } + ], + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + }, + "ipAddress": "" + }, + { + "identifier": "9230d773194d84ea09e198e98b8aaa1dd71fd6f406314796f234240bb5111425", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "TCP-3306", + "protocol": "TCP", + "port": 3306 + } + ], + "podSelector": { + "matchLabels": { + "app": "mariadb" + } + }, + "namespaceSelector": null, + "ipAddress": "" + } + ] + } + ] + } +} diff --git a/configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json b/configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json new file mode 100644 index 00000000..7a34e547 --- /dev/null +++ b/configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json 
@@ -0,0 +1,112 @@ +{ + "kind": "NetworkNeighborhood", + "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", + "metadata": { + "name": "deployment-wikijs", + "namespace": "systest-ns-j1m4", + "uid": "571e146a-600f-4893-9b7a-ea48c8f5c953", + "resourceVersion": "1", + "creationTimestamp": "2024-07-03T15:50:07Z", + "labels": { + "kubescape.io/workload-api-group": "apps", + "kubescape.io/workload-api-version": "v1", + "kubescape.io/workload-kind": "Deployment", + "kubescape.io/workload-name": "wikijs" + }, + "annotations": { + "kubescape.io/completion": "complete", + "kubescape.io/status": "ready" + } + }, + "spec": { + "containers": [ + { + "name": "wikijs", + "egress": [ + { + "identifier": "5ad9341e6dde8c3207c811b3304d1e18601c56151f02dfeb6ec20f4f7b6dfb47", + "type": "external", + "dns": "wikipedia.org.", + "dnsNames": [ + "wikipedia.org." + ], + "ports": [ + { + "name": "TCP-443", + "protocol": "TCP", + "port": 443 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "185.15.58.224" + }, + { + "identifier": "66c89b9fd8bd51e9c16c2eb568c64285e1bf89a98e5eb878c7cfb123246857a6", + "type": "external", + "dns": "google.com.", + "dnsNames": [ + "google.com." 
+ ], + "ports": [ + { + "name": "TCP-443", + "protocol": "TCP", + "port": 443 + } + ], + "podSelector": null, + "namespaceSelector": null, + "ipAddress": "142.250.179.78" + }, + { + "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "UDP-53", + "protocol": "UDP", + "port": 53 + } + ], + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + }, + "ipAddress": "" + }, + { + "identifier": "9230d773194d84ea09e198e98b8aaa1dd71fd6f406314796f234240bb5111425", + "type": "internal", + "dns": "", + "ports": [ + { + "name": "TCP-3306", + "protocol": "TCP", + "port": 3306 + } + ], + "podSelector": { + "matchLabels": { + "app": "mariadb" + } + }, + "namespaceSelector": null, + "ipAddress": "" + } + ], + "ingress": [] + } + ], + "matchLabels": { + "app": "wikijs" + } + } +} diff --git a/configurations/network-policy/expected-network-neighbors/busybox-known-server.json b/configurations/network-policy/expected-network-neighbors/busybox-known-server.json deleted file mode 100644 index 507eacbc..00000000 --- a/configurations/network-policy/expected-network-neighbors/busybox-known-server.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "kind": "NetworkNeighbors", - "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", - "metadata": { - "name": "deployment-busybox-deployment", - "namespace": "systest-ns-myoi", - "uid": "3ca77764-ca27-492f-b752-ef4560887a28", - "resourceVersion": "1", - "creationTimestamp": "2024-07-03T15:37:19Z", - "labels": { - "kubescape.io/workload-api-group": "apps", - "kubescape.io/workload-api-version": "v1", - "kubescape.io/workload-kind": "Deployment", - "kubescape.io/workload-name": "busybox-deployment" - }, - "annotations": { - "kubescape.io/completion": "complete", - "kubescape.io/status": "ready" - } - }, - "spec": { - "egress": [ - { - "identifier": "238053dc2e1cbe8820de562678e8cde84593e95d41e6f1a58bb987741f9e30a3", - "type": "external", - "dns": "", - "ports": [ - { - "name": "TCP-80", - "protocol": "TCP", - "port": 80 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "185.199.108.153" - }, - { - "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "UDP-53", - "protocol": "UDP", - "port": 53 - } - ], - "podSelector": { - "matchLabels": { - "k8s-app": "kube-dns" - } - }, - "namespaceSelector": { - "matchLabels": { - "kubernetes.io/metadata.name": "kube-system" - } - }, - "ipAddress": "" - }, - { - "identifier": "35d62fc884ab3d8896d6be5bad0176619aa60756d33dfa47c9de024902a720c5", - "type": "external", - "dns": "www.google.com.", - "dnsNames": [ - "www.google.com." - ], - "ports": [ - { - "name": "TCP-80", - "protocol": "TCP", - "port": 80 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "142.250.179.68" - } - ], - "ingress": [], - "matchLabels": { - "app": "busybox" - } - } -} diff --git a/configurations/network-policy/expected-network-neighbors/busybox.json b/configurations/network-policy/expected-network-neighbors/busybox.json deleted file mode 100644 index 93d477d1..00000000 
--- a/configurations/network-policy/expected-network-neighbors/busybox.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "kind": "NetworkNeighbors", - "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", - "metadata": { - "name": "deployment-busybox-deployment", - "namespace": "systest-ns-rxrl", - "uid": "07e74b42-8ba2-46b1-9de9-f6c33e3b180c", - "resourceVersion": "1", - "creationTimestamp": "2024-07-03T15:30:40Z", - "labels": { - "kubescape.io/workload-api-group": "apps", - "kubescape.io/workload-api-version": "v1", - "kubescape.io/workload-kind": "Deployment", - "kubescape.io/workload-name": "busybox-deployment" - }, - "annotations": { - "kubescape.io/completion": "complete", - "kubescape.io/status": "ready" - } - }, - "spec": { - "egress": [ - { - "identifier": "66c89b9fd8bd51e9c16c2eb568c64285e1bf89a98e5eb878c7cfb123246857a6", - "type": "external", - "dns": "google.com.", - "dnsNames": [ - "google.com." - ], - "ports": [ - { - "name": "TCP-80", - "protocol": "TCP", - "port": 80 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "142.250.179.78" - }, - { - "identifier": "35d62fc884ab3d8896d6be5bad0176619aa60756d33dfa47c9de024902a720c5", - "type": "external", - "dns": "www.google.com.", - "dnsNames": [ - "www.google.com." - ], - "ports": [ - { - "name": "TCP-80", - "protocol": "TCP", - "port": 80 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "142.250.179.68" - }, - { - "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "UDP-53", - "protocol": "UDP", - "port": 53 - } - ], - "podSelector": { - "matchLabels": { - "k8s-app": "kube-dns" - } - }, - "namespaceSelector": { - "matchLabels": { - "kubernetes.io/metadata.name": "kube-system" - } - }, - "ipAddress": "" - } - ], - "ingress": [], - "matchLabels": { - "app": "busybox" - } - } -} 
diff --git a/configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json b/configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json deleted file mode 100644 index ee8537db..00000000 --- a/configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "kind": "NetworkNeighbors", - "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", - "metadata": { - "name": "deployment-nginx", - "namespace": "systest-ns-hvt7", - "uid": "389bed91-3f2d-464d-9b70-7d29309162a5", - "resourceVersion": "1", - "creationTimestamp": "2024-07-03T15:42:51Z", - "labels": { - "kubescape.io/workload-api-group": "apps", - "kubescape.io/workload-api-version": "v1", - "kubescape.io/workload-kind": "Deployment", - "kubescape.io/workload-name": "nginx" - }, - "annotations": { - "kubescape.io/completion": "complete", - "kubescape.io/status": "ready" - } - }, - "spec": { - "matchLabels": { - "app": "nginx" - }, - "ingress": [], - "egress": [ - { - "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "UDP-53", - "protocol": "UDP", - "port": 53 - } - ], - "podSelector": { - "matchLabels": { - "k8s-app": "kube-dns" - } - }, - "namespaceSelector": { - "matchLabels": { - "kubernetes.io/metadata.name": "kube-system" - } - }, - "ipAddress": "" - } - ] - } -} diff --git a/configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json b/configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json deleted file mode 100644 index f412edf7..00000000 --- a/configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - "kind": "NetworkNeighbors", - "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", - "metadata": { - "name": "deployment-wikijs", - "namespace": "systest-ns-hvt7", - "uid": "6601c441-3774-42c8-8350-39770c6021ea", - "resourceVersion": "1", - "creationTimestamp": "2024-07-03T15:42:52Z", - "labels": { - "kubescape.io/workload-api-group": "apps", - "kubescape.io/workload-api-version": "v1", - "kubescape.io/workload-kind": "Deployment", - "kubescape.io/workload-name": "wikijs" - }, - "annotations": { - "kubescape.io/completion": "complete", - "kubescape.io/status": "ready" - } - }, - "spec": { - "matchLabels": { - "app": "wikijs" - }, - "ingress": [], - "egress": [ - { - "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "UDP-53", - "protocol": "UDP", - "port": 53 - } - ], - "podSelector": { - "matchLabels": { - "k8s-app": "kube-dns" - } - }, - "namespaceSelector": { - "matchLabels": { - "kubernetes.io/metadata.name": "kube-system" - } - }, - "ipAddress": "" - }, - { - "identifier": "9230d773194d84ea09e198e98b8aaa1dd71fd6f406314796f234240bb5111425", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "TCP-3306", - "protocol": "TCP", - "port": 3306 - } - ], - "podSelector": { - "matchLabels": { - "app": "mariadb" - } - }, - "namespaceSelector": null, - "ipAddress": "" - } - ] - } -} diff --git a/configurations/network-policy/expected-network-neighbors/deployment-wikijs.json b/configurations/network-policy/expected-network-neighbors/deployment-wikijs.json deleted file mode 100644 index b492e1f7..00000000 --- a/configurations/network-policy/expected-network-neighbors/deployment-wikijs.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "kind": "NetworkNeighbors", - "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1", - "metadata": { - "name": "deployment-wikijs", - "namespace": "systest-ns-j1m4", - "uid": "571e146a-600f-4893-9b7a-ea48c8f5c953", - "resourceVersion": "1", - "creationTimestamp": "2024-07-03T15:50:07Z", - "labels": { - "kubescape.io/workload-api-group": "apps", - "kubescape.io/workload-api-version": "v1", - "kubescape.io/workload-kind": "Deployment", - "kubescape.io/workload-name": "wikijs" - }, - "annotations": { - "kubescape.io/completion": "complete", - "kubescape.io/status": "ready" - } - }, - "spec": { - "egress": [ - { - "identifier": "5ad9341e6dde8c3207c811b3304d1e18601c56151f02dfeb6ec20f4f7b6dfb47", - "type": "external", - "dns": "wikipedia.org.", - "dnsNames": [ - "wikipedia.org." - ], - "ports": [ - { - "name": "TCP-443", - "protocol": "TCP", - "port": 443 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "185.15.58.224" - }, - { - "identifier": "66c89b9fd8bd51e9c16c2eb568c64285e1bf89a98e5eb878c7cfb123246857a6", - "type": "external", - "dns": "google.com.", - "dnsNames": [ - "google.com." 
- ], - "ports": [ - { - "name": "TCP-443", - "protocol": "TCP", - "port": 443 - } - ], - "podSelector": null, - "namespaceSelector": null, - "ipAddress": "142.250.179.78" - }, - { - "identifier": "e5e8ca3d76f701a19b7478fdc1c8c24ccc6cef9902b52c8c7e015439e2a1ddf3", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "UDP-53", - "protocol": "UDP", - "port": 53 - } - ], - "podSelector": { - "matchLabels": { - "k8s-app": "kube-dns" - } - }, - "namespaceSelector": { - "matchLabels": { - "kubernetes.io/metadata.name": "kube-system" - } - }, - "ipAddress": "" - }, - { - "identifier": "9230d773194d84ea09e198e98b8aaa1dd71fd6f406314796f234240bb5111425", - "type": "internal", - "dns": "", - "ports": [ - { - "name": "TCP-3306", - "protocol": "TCP", - "port": 3306 - } - ], - "podSelector": { - "matchLabels": { - "app": "mariadb" - } - }, - "namespaceSelector": null, - "ipAddress": "" - } - ], - "ingress": [], - "matchLabels": { - "app": "wikijs" - } - } -} diff --git a/configurations/system/tests_cases/network_policy_tests.py b/configurations/system/tests_cases/network_policy_tests.py index 4ca50c98..04445376 100644 --- a/configurations/system/tests_cases/network_policy_tests.py +++ b/configurations/system/tests_cases/network_policy_tests.py @@ -1,8 +1,8 @@ import inspect +from os.path import join from systest_utils import statics from .structures import TestConfiguration -from os.path import join class NetworkPolicyTests(object): 
@@ -18,10 +18,10 @@ def network_policy(): config_maps=join(statics.DEFAULT_CONFIGMAP_PATH, "wikijs"), deployments=join(statics.DEFAULT_DEPLOYMENT_PATH, "wikijs"), test_obj=NetworkPolicy, - expected_network_neighbors=[ - "configurations/network-policy/expected-network-neighbors/deployment-wikijs.json", - "configurations/network-policy/expected-network-neighbors/deployment-mariadb.json", - "configurations/network-policy/expected-network-neighbors/deployment-nginx.json", + expected_network_neighborhood=[ + "configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json", + "configurations/network-policy/expected-network-neighborhood/deployment-mariadb.json", + "configurations/network-policy/expected-network-neighborhood/deployment-nginx.json", ], expected_generated_network_policies=[ "configurations/network-policy/expected-generated-network-policy/deployment-wikijs.json", 
@@ -44,20 +44,20 @@ def network_policy_data_appended(): config_maps=join(statics.DEFAULT_CONFIGMAP_PATH, "wikijs"), deployments=join(statics.DEFAULT_DEPLOYMENT_PATH, "wikijs"), test_obj=NetworkPolicyDataAppended, - expected_network_neighbors=[ - "configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json", - "configurations/network-policy/expected-network-neighbors/deployment-mariadb-basic.json", - "configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json", + expected_network_neighborhood=[ + "configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json", + "configurations/network-policy/expected-network-neighborhood/deployment-mariadb-basic.json", + "configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json", ], expected_generated_network_policies=[ "configurations/network-policy/expected-generated-network-policy/deployment-wikijs-basic.json", "configurations/network-policy/expected-generated-network-policy/deployment-mariadb-basic.json", "configurations/network-policy/expected-generated-network-policy/deployment-nginx-basic.json", ], - expected_updated_network_neighbors=[ - "configurations/network-policy/expected-network-neighbors/deployment-wikijs.json", - "configurations/network-policy/expected-network-neighbors/deployment-mariadb.json", - "configurations/network-policy/expected-network-neighbors/deployment-nginx.json", + expected_updated_network_neighborhood=[ + "configurations/network-policy/expected-network-neighborhood/deployment-wikijs.json", + "configurations/network-policy/expected-network-neighborhood/deployment-mariadb.json", + "configurations/network-policy/expected-network-neighborhood/deployment-nginx.json", ], expected_updated_generated_network_policies=[ "configurations/network-policy/expected-generated-network-policy/deployment-wikijs.json", 
@@ -78,10 +78,10 @@ def network_policy_pod_restarted(): config_maps=join(statics.DEFAULT_CONFIGMAP_PATH, "wikijs"), deployments=join(statics.DEFAULT_DEPLOYMENT_PATH, "wikijs"), test_obj=NetworkPolicyPodRestarted, - expected_network_neighbors=[ - "configurations/network-policy/expected-network-neighbors/deployment-wikijs-basic.json", - "configurations/network-policy/expected-network-neighbors/deployment-mariadb-basic.json", - "configurations/network-policy/expected-network-neighbors/deployment-nginx-basic.json", + expected_network_neighborhood=[ + "configurations/network-policy/expected-network-neighborhood/deployment-wikijs-basic.json", + "configurations/network-policy/expected-network-neighborhood/deployment-mariadb-basic.json", + "configurations/network-policy/expected-network-neighborhood/deployment-nginx-basic.json", ], expected_generated_network_policies=[ "configurations/network-policy/expected-generated-network-policy/deployment-wikijs-basic.json", @@ -99,7 +99,7 @@ def network_policy_multiple_replicas(): name=inspect.currentframe().f_code.co_name, deployments=join(statics.DEFAULT_DEPLOYMENT_PATH, "busybox"), test_obj=NetworkPolicyMultipleReplicas, - expected_network_neighbors=["configurations/network-policy/expected-network-neighbors/busybox.json", + expected_network_neighborhood=["configurations/network-policy/expected-network-neighborhood/busybox.json", ], expected_generated_network_policies=[ "configurations/network-policy/expected-generated-network-policy/busybox.json", 
@@ -116,8 +116,8 @@ def network_policy_known_servers():
 deployments=join(statics.DEFAULT_DEPLOYMENT_PATH, "busybox"),
 knownservers=join(statics.DEFAULT_KNOWN_SERVERS_PATH, "known-server.json"),
 test_obj=NetworkPolicyKnownServers,
- expected_network_neighbors=[
- "configurations/network-policy/expected-network-neighbors/busybox-known-server.json",
+ expected_network_neighborhood=[
+ "configurations/network-policy/expected-network-neighborhood/busybox-known-server.json",
 ],
 expected_generated_network_policies=[
 "configurations/network-policy/expected-generated-network-policy/busybox-known-server.json",
diff --git a/infrastructure/kubectl_wrapper.py b/infrastructure/kubectl_wrapper.py
index f73361e0..6cc8177c 100644
--- a/infrastructure/kubectl_wrapper.py
+++ b/infrastructure/kubectl_wrapper.py
@@ -1,15 +1,15 @@
 # encoding: utf-8
 import datetime
-from http.client import FOUND
+import subprocess
 import time
-from crypt import methods
+import requests
+from kubernetes import client, config, dynamic
 from kubernetes.client import api_client
-from kubernetes import client, config, dynamic, utils
 from kubernetes.client.exceptions import ApiException
-import requests
+
 from systest_utils import Logger, TestUtil, statics
-import subprocess
+
 class KubectlWrapper(object):
 """ CaKube provides kubernetes wrapper and helper functions"""
@@ -19,7 +19,7 @@ class KubectlWrapper(object):
 'ApplicationProfile': 'applicationprofiles',
 'ApplicationProfileSummary': 'applicationprofilesummaries',
 'GeneratedNetworkPolicy': 'generatednetworkpolicies',
- 'NetworkNeighbors': 'networkneighborses',
+ 'NetworkNeighborhood': 'networkneighborhoods',
 'OpenVulnerabilityExchangeContainer': 'openvulnerabilityexchangecontainers',
 'SBOMSPDXv2p3Filtered': 'sbomspdxv2p3filtereds',
 'SBOMSPDXv2p3': 'sbomspdxv2p3s',
diff --git a/system_test_mapping.json b/system_test_mapping.json
index 1ae8faef..b2338f0e 100644
--- a/system_test_mapping.json
+++ b/system_test_mapping.json
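Review bot: The import hunk drops `utils` from `from kubernetes import client, config, dynamic, utils` (and removes `FOUND` and `methods`), which is only safe if nothing further down in kubectl_wrapper.py still references `kubernetes.utils`; the hunk cannot show that, so it deserves a quick search before merge. Removing `from crypt import methods` is right regardless, since the `crypt` module is deprecated and removed in Python 3.13 (PEP 594) and nothing in a kubectl wrapper needs it. The two added blank lines separate the import groups (stdlib, third-party, local), which matches the convention the other files in this commit move to.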
@@ -1000,7 +1000,7 @@
 "cadashboardbe",
 "event-ingester-service"
 ],
- "description": "Checks network policies and network neighbors in-cluster and backend match to expected",
+ "description": "Checks network policies and network neighborhood in-cluster and backend match to expected",
 "skip_on_environment": "",
 "owner": ""
 },
@@ -1017,7 +1017,7 @@
 "cadashboardbe",
 "event-ingester-service"
 ],
- "description": "Checks network policies and network neighbors in-cluster and backend match to expected before and after data appended",
+ "description": "Checks network policies and network neighborhood in-cluster and backend match to expected before and after data appended",
 "skip_on_environment": "",
 "owner": ""
 },
@@ -1034,7 +1034,7 @@
 "cadashboardb_dummy",
 "event-ingester-service_dummy"
 ],
- "description": "Checks network policies and network neighbors in-cluster and backend match to expected before and after pod restarted",
+ "description": "Checks network policies and network neighborhood in-cluster and backend match to expected before and after pod restarted",
 "skip_on_environment": "",
 "owner": ""
 },
@@ -1062,7 +1062,7 @@
 "cadashboardbe",
 "event-ingester-service"
 ],
- "description": "Checks network policies and network neighbors in-cluster and backend match to expected with multiple replicas",
+ "description": "Checks network policies and network neighborhood in-cluster and backend match to expected with multiple replicas",
 "skip_on_environment": "",
 "owner": ""
 },
@@ -1079,7 +1079,7 @@
 "cadashboardbe",
 "event-ingester-service"
 ],
- "description": "Checks network policies and network neighbors in-cluster and backend match to expected with known servers",
+ "description": "Checks network policies and network neighborhood in-cluster and backend match to expected with known servers",
 "skip_on_environment": "",
 "owner": ""
 },
@@ -1625,4 +1625,4 @@
 "skip_on_environment": "",
 "owner": "rinao@armosec.io"
 }
-}
\ No newline at end of file
+}
diff --git a/systest_utils/statics.py b/systest_utils/statics.py
index e7fd5721..cee163fc 100644
--- a/systest_utils/statics.py
+++ b/systest_utils/statics.py
@@ -231,7 +231,7 @@ GENERATED_NETWORK_POLICY_PLURAL = "generatednetworkpolicies" APPLICATION_PROFILE_PLURAL = "applicationprofiles"
-NETWORK_NEIGHBOR_PLURAL = "networkneighborses"
+NETWORK_NEIGHBOR_PLURAL = "networkneighborhoods"
 STORAGE_CVE_LABEL = "kubescape.io/context"
 STORAGE_FILTERED_CVE_LABEL_VALUE = "filtered"
diff --git a/tests_scripts/helm/base_network_policy.py b/tests_scripts/helm/base_network_policy.py
index 2c8c3713..20dcabd1 100644
--- a/tests_scripts/helm/base_network_policy.py
+++ b/tests_scripts/helm/base_network_policy.py
@@ -1,9 +1,8 @@
-import time, requests, os, re, random, yaml, base64, json, hashlib
+import copy
+import json
+
 from systest_utils import statics, Logger, TestUtil
 from tests_scripts.helm.base_helm import BaseHelm
-from pkg_resources import parse_version
-from tests_scripts.kubernetes.base_k8s import BaseK8S
-import copy
 class BaseNetworkPolicy(BaseHelm):
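Review bot: `NETWORK_NEIGHBOR_PLURAL` now holds `"networkneighborhoods"`, so the constant's name no longer describes its value while every other identifier in this commit was renamed to the NetworkNeighborhood kind; renaming it `NETWORK_NEIGHBORHOOD_PLURAL` (keeping the old name as an alias if other modules still import it) would keep name and value in step. The same plural string is also hard-coded in the `KubectlWrapper` kind-to-plural map in infrastructure/kubectl_wrapper.py earlier in this commit, so the resource plural has two sources of truth; having that map read the constant from statics would make the next rename a one-line change.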
@@ -20,7 +19,7 @@ def validate_basic_metadata(self, actual_obj, expected_obj, namespace):
 """
 assert actual_obj['apiVersion'] == expected_obj['apiVersion'], f"in validate_basic_metadata: apiVersion is not equal, actual: {actual_obj['apiVersion']}, expected: {expected_obj['apiVersion']}, actual object: {actual_obj}, expected object: {expected_obj}"
 assert actual_obj['kind'] == expected_obj['kind'], f"in validate_basic_metadata: kind is not equal, actual: {actual_obj['kind']}, expected: {expected_obj['kind']}, actual object: {actual_obj}, expected object: {expected_obj}"
- assert actual_obj['metadata']['name'] == expected_obj['metadata']['name'], f"in validate_basic_metadata: name is not equal, actual: {actual_obj['metadata']['name']}, expected: {expected_obj['metadata']['name']}, actual object: {actual_obj}, expected object: {expected_obj}"
+ assert actual_obj['metadata']['labels']['kubescape.io/workload-name'] == expected_obj['metadata']['labels']['kubescape.io/workload-name'], f"in validate_basic_metadata: workload-name is not equal, actual: {actual_obj['metadata']['labels']['kubescape.io/workload-name']}, expected: {expected_obj['metadata']['labels']['kubescape.io/workload-name']}, actual object: {actual_obj}, expected object: {expected_obj}"
 assert actual_obj['metadata']['namespace'] == namespace, f"in validate_basic_metadata: namespace is not equal, actual: {actual_obj['metadata']['namespace']}, expected: {namespace}, actual object: {actual_obj}, expected object: {expected_obj}"
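Review bot: The added assertion indexes `actual_obj['metadata']['labels']['kubescape.io/workload-name']` directly, so an actual object with no `labels` map or without that label fails with a bare `KeyError` instead of the descriptive message the rest of `validate_basic_metadata` produces; reading it as `actual_name = actual_obj['metadata'].get('labels', {}).get('kubescape.io/workload-name')` and asserting on `actual_name` keeps the failure readable. The label loop later in this same function (shown as context in the next hunk) already compares every entry of `expected_obj['metadata']['labels']`, so this line duplicates that check unless the intent is an earlier, clearer failure — a one-line comment saying so would help the next reader. Dropping the `metadata.name` comparison also means two objects that carry the same workload-name label but different names now pass this check; if that is intended for the new CRD, a comment such as `# NetworkNeighborhood objects are matched by workload label, not by metadata.name` would record the decision. The function continues outside the hunk.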
@@ -31,7 +30,7 @@ def validate_basic_metadata(self, actual_obj, expected_obj, namespace):
 for key, label in expected_obj['metadata']['labels'].items():
 assert actual_obj['metadata']['labels'][key] == label, f"label {key} is not equal, actual: {actual_obj['metadata']['labels'][key]}, expected: {label}, actual object: {actual_obj}, expected object: {expected_obj}"
- def store_netwrok_for_first_time_results(self, result_data, store_path):
+ def store_network_for_first_time_results(self, result_data, store_path):
 for file_path in store_path:
 with open(file_path) as f:
 expected_data = json.load(f)
@@ -48,45 +47,45 @@ def store_netwrok_for_first_time_results(self, result_data, store_path):
 with open(file_path, 'w') as f:
 json.dump(result_data, f)
- def validate_expected_network_neighbors_list(self, namespace, expected_network_neighbors_list):
+ def validate_expected_network_neighborhood_list(self, namespace, expected_network_neighborhood_list):
 """
- Validate expected network neighbors list. It pulls the actual network neighbors and validates each one of them
+ Validate expected network neighborhood list. It pulls the actual network neighborhood and validates each one of them
 param namespace: namespace of the object
- param expected_network_neighbors_list: list of expected network neighbors
+ param expected_network_neighborhood_list: list of expected network neighborhood
 """
- for expected_network_neighbors in expected_network_neighbors_list:
- actual_network_neighbors = self.get_network_neighbors(name=expected_network_neighbors['metadata']['name'] ,namespace=namespace)
+ for expected_network_neighborhood in expected_network_neighborhood_list:
+ actual_network_neighborhood = self.get_network_neighborhood(name=expected_network_neighborhood['metadata']['labels']['kubescape.io/workload-name'] ,namespace=namespace)
 if TestUtil.get_arg_from_dict(self.test_driver.kwargs, statics.CREATE_TEST_FIRST_TIME_RESULTS, False):
- self.store_netwrok_for_first_time_results(result_data=actual_network_neighbors, store_path=self.test_obj["expected_network_neighbors"])
+ self.store_network_for_first_time_results(result_data=actual_network_neighborhood, store_path=self.test_obj["expected_network_neighborhood"])
 continue
- if actual_network_neighbors:
- nn_json = json.dumps(actual_network_neighbors)
- Logger.logger.info(f"Actual Network Neighbor (name: {expected_network_neighbors['metadata']['name']}): {nn_json}")
- self.validate_expected_network_neighbors(actual_network_neighbors=actual_network_neighbors, expected_network_neighbors=expected_network_neighbors, namespace=namespace)
+ if actual_network_neighborhood:
+ nn_json = json.dumps(actual_network_neighborhood)
+ Logger.logger.info(f"Actual Network Neighbor (name: {expected_network_neighborhood['metadata']['name']}): {nn_json}")
+ self.validate_expected_network_neighborhood(actual_network_neighborhood=actual_network_neighborhood, expected_network_neighborhood=expected_network_neighborhood, namespace=namespace)
- def validate_expected_network_neighbors(self, actual_network_neighbors, expected_network_neighbors, namespace: str):
+ def validate_expected_network_neighborhood(self, actual_network_neighborhood, expected_network_neighborhood, namespace: str):
 """
- Validate expected network neighbors. It validates the basic metadata and then validates the network neighbors entries and the match labels
- param actual_network_neighbors: actual network neighbors
- param expected_network_neighbors: expected network neighbors
+ Validate expected network neighborhood. It validates the basic metadata and then validates the network neighborhood entries and the match labels
+ param actual_network_neighborhood: actual network neighborhood
+ param expected_network_neighborhood: expected network neighborhood
 param namespace: namespace of the object
 """
- self.validate_basic_metadata(actual_obj=actual_network_neighbors, expected_obj=expected_network_neighbors, namespace=namespace)
+ self.validate_basic_metadata(actual_obj=actual_network_neighborhood, expected_obj=expected_network_neighborhood, namespace=namespace)
- for key, label in expected_network_neighbors['spec']['matchLabels'].items():
- assert actual_network_neighbors['spec']['matchLabels'][key] == label, f"label {key} is not equal, actual: {actual_network_neighbors['spec']['matchLabels'][key]}, expected: {label}"
+ for key, label in expected_network_neighborhood['spec']['matchLabels'].items():
+ assert actual_network_neighborhood['spec']['matchLabels'][key] == label, f"label {key} is not equal, actual: {actual_network_neighborhood['spec']['matchLabels'][key]}, expected: {label}"
- expected_egress_entries = expected_network_neighbors['spec']['egress']
- actual_egress_entries = actual_network_neighbors['spec']['egress']
+ expected_egress_entries = expected_network_neighborhood['spec']['containers'][0]['egress']
+ actual_egress_entries = actual_network_neighborhood['spec']['containers'][0]['egress']
 self.validate_network_neighbor_entry(expected_egress_entries, actual_egress_entries)
- expected_ingress_entries = expected_network_neighbors['spec']['ingress']
- actual_ingress_entries = actual_network_neighbors['spec']['ingress']
+ expected_ingress_entries = expected_network_neighborhood['spec']['containers'][0]['ingress']
+ actual_ingress_entries = actual_network_neighborhood['spec']['containers'][0]['ingress']
 self.validate_network_neighbor_entry(expected_entries=expected_ingress_entries, actual_entries=actual_ingress_entries)
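Review bot: `validate_expected_network_neighborhood_list` still passes silently when `get_network_neighborhood` returns nothing — the `if actual_network_neighborhood:` guard merely skips validation, so a NetworkNeighborhood that was never created is not a test failure even though this method is the in-cluster check; replacing the guard with `assert actual_network_neighborhood, f"NetworkNeighborhood for workload {expected_network_neighborhood['metadata']['labels']['kubescape.io/workload-name']} not found in namespace {namespace}"` makes the check meaningful. In `validate_expected_network_neighborhood` the new `['spec']['containers'][0]` indexing validates only the first container and raises `IndexError` on an empty `containers` list, a narrowing from the flat spec where all learned traffic was compared; the sketch below iterates every container (paired by position — if the CRD does not guarantee container order, pair by container name instead). The log line in the list method also still prints `expected_network_neighborhood['metadata']['name']` while the lookup uses the workload-name label, so the logged name and the object actually fetched can disagree.
```python
        # … unchanged: validate_basic_metadata call and matchLabels checks …
        expected_containers = expected_network_neighborhood['spec']['containers']
        actual_containers = actual_network_neighborhood['spec']['containers']
        assert len(actual_containers) == len(expected_containers), f"containers length is not equal, actual: {len(actual_containers)}, expected: {len(expected_containers)}"
        for expected_container, actual_container in zip(expected_containers, actual_containers):
            self.validate_network_neighbor_entry(expected_container['egress'], actual_container['egress'])
            self.validate_network_neighbor_entry(expected_entries=expected_container['ingress'], actual_entries=actual_container['ingress'])
```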
@@ -168,42 +167,42 @@ def validate_network_neighbor_entry(self, expected_entries, actual_entries):
 else:
 raise ValueError("expected entry is not valid, it should contain either dns, ipAddress or namespaceSelector/podSelector")
- def validate_expected_network_neighbors_and_generated_network_policies_lists(self, namespace, expected_network_neighbors_list, expected_generated_network_policy_list):
+ def validate_expected_network_neighborhood_and_generated_network_policies_lists(self, namespace, expected_network_neighborhood_list, expected_generated_network_policy_list):
 """
- Validate expected network neighbors and generated network policies lists. It validates the expected network neighbors list and the expected generated network policies list
+ Validate expected network neighborhood and generated network policies lists. It validates the expected network neighborhood list and the expected generated network policies list
 param namespace: namespace of the object
- param expected_network_neighbors_list: list of expected network neighbors
+ param expected_network_neighborhood_list: list of expected network neighborhood
 param expected_generated_network_policy_list: list of expected generated network policies
 """
- Logger.logger.info("validating expected network neighbors")
- self.validate_expected_network_neighbors_list(namespace=namespace, expected_network_neighbors_list=expected_network_neighbors_list)
- Logger.logger.info("validated expected network neighbors")
+ Logger.logger.info("validating expected network neighborhood")
+ self.validate_expected_network_neighborhood_list(namespace=namespace, expected_network_neighborhood_list=expected_network_neighborhood_list)
+ Logger.logger.info("validated expected network neighborhood")
 Logger.logger.info("validating expected generated network policies")
 self.validate_expected_generated_network_policy_list(namespace=namespace, expected_generated_network_policy_list=expected_generated_network_policy_list)
 Logger.logger.info("validated expected generated network policies")
- def validate_expected_backend_results(self, cluster, namespace, expected_workloads_list, expected_network_neighbors_list, expected_generated_network_policy_list):
+ def validate_expected_backend_results(self, cluster, namespace, expected_workloads_list, expected_network_neighborhood_list, expected_generated_network_policy_list):
 """
 Validate expected backend results. It validates the expected backend workloads list and the expected backend generated network policies list
 param cluster: cluster name
 param namespace: namespace of the object
 param expected_workloads_list: list of expected workloads
- param expected_network_neighbors_list: list of expected network neighbors
+ param expected_network_neighborhood_list: list of expected network neighborhood
 """
 Logger.logger.info("validating expected backend workloads list")
 self.validate_expected_backend_workloads_list(cluster=cluster, namespace=namespace, expected_workloads_list=expected_workloads_list)
 Logger.logger.info("validated expected backend workloads list")
 Logger.logger.info("validating expected backend generated network policies")
- self.validate_expected_backend_generated_network_policy_list(cluster=cluster, namespace=namespace, expected_network_policy_list=expected_generated_network_policy_list, expected_network_neighbors_list=expected_network_neighbors_list)
+ self.validate_expected_backend_generated_network_policy_list(cluster=cluster, namespace=namespace, expected_network_policy_list=expected_generated_network_policy_list, expected_network_neighborhood_list=expected_network_neighborhood_list)
 Logger.logger.info("validated expected backend generated network policies")
 def is_workload_deleted_from_backend(self, cluster, workload_name, namespace) -> bool:
 """
- Is workload deleted from backend. It pulls the actual network neighbors and validates that the workload is not in the list
+ Is workload deleted from backend. It pulls the actual network neighborhood and validates that the workload is not in the list
 param cluster: cluster name
 param workload_name: workload name
 param namespace: namespace of the object
@@ -218,7 +217,7 @@ def is_workload_deleted_from_backend(self, cluster, workload_name, namespace) ->
 def validate_workload_deleted_from_backend(self, cluster, workload_name, namespace):
 """
- Validate workload deleted from backend. It pulls the actual network neighbors and validates that the workload is not in the list
+ Validate workload deleted from backend. It pulls the actual network neighborhood and validates that the workload is not in the list
 param cluster: cluster name
 param workload_name: workload name
 param namespace: namespace of the object
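Review bot: The docstring of `validate_expected_backend_results` lists `expected_network_neighborhood_list` but not `expected_generated_network_policy_list`, even though the method passes the latter straight into `validate_expected_backend_generated_network_policy_list` in the same hunk; add `param expected_generated_network_policy_list: list of expected generated network policies` after the neighborhood line. The docstrings of `is_workload_deleted_from_backend` and `validate_workload_deleted_from_backend` both say they pull "the actual network neighborhood", which is only a wording change here; whether the backend lookup they describe really reads NetworkNeighborhood data cannot be confirmed from these hunks, as both method bodies lie outside them.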
@@ -248,13 +247,13 @@ def validate_expected_backend_workloads_list(self, cluster, namespace, expected_
 assert len(workloads_list) == len(expected_workloads_list), f"workloads_list length is not equal to expected_workloads_list length, actual: len:{len(workloads_list)}, expected: len:{len(expected_workloads_list)}; actual results: {workloads_list}, expected results: {expected_workloads_list}"
- def validate_expected_backend_generated_network_policy_list(self, cluster, namespace, expected_network_policy_list, expected_network_neighbors_list):
+ def validate_expected_backend_generated_network_policy_list(self, cluster, namespace, expected_network_policy_list, expected_network_neighborhood_list):
 """
 validate_expected_backend_generated_network_policy_list validates the expected backend generated network policies list. It pulls the actual generated network policies and validates each one of them
 param cluster: cluster name
 param namespace: namespace of the object
 param expected_network_policy_list: list of expected backend generated network policies
- param expected_network_neighbors_list: list of expected network neighbors
+ param expected_network_neighborhood_list: list of expected network neighborhood
 """
 for i in range(0, len(expected_network_policy_list)):
@@ -268,7 +267,7 @@ def validate_expected_backend_generated_network_policy_list(self, cluster, names
 self.validate_expected_backend_network_policy(expected_network_policy_list[i],backend_generated_network_policy, namespace)
 # TODO rewrite to use networkneighborhood for the graph
- # self.validate_expected_network_neighbors(namespace=namespace, actual_network_neighbors=graph, expected_network_neighbors=expected_network_neighbors_list[i])
+ # self.validate_expected_network_neighborhood(namespace=namespace, actual_network_neighborhood=graph, expected_network_neighborhood=expected_network_neighborhood_list[i])
 def convert_backend_network_policy_to_generated_network_policy(self, backend_network_policy) -> dict:
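Review bot: `expected_network_neighborhood_list` is accepted by `validate_expected_backend_generated_network_policy_list` but, in the new code, appears only in the commented-out call under `# TODO rewrite to use networkneighborhood for the graph` in the second hunk, so the backend graph is never compared with the expected neighborhood and the parameter is dead weight threaded through `validate_expected_backend_results` as well. The docstring presents it as a live input; until the TODO is done it should say so, e.g. `param expected_network_neighborhood_list: list of expected network neighborhood (currently unused; backend graph validation is pending the TODO below)`, so nobody reads a green backend run as covering the graph. The loop body is cut between the two hunks, so I cannot tell from here whether `graph` is still fetched and discarded.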
@@ -317,9 +316,9 @@ def validate_expected_generated_network_policy_list(self, namespace, expected_ge
 param expected_generated_network_policy_list: list of expected generated network policies
 """
 for expected_generated_network_policy in expected_generated_network_policy_list:
- actual_generated_network_policy = self.get_generated_network_policy(namespace=namespace, name=expected_generated_network_policy['metadata']['name'])
+ actual_generated_network_policy = self.get_generated_network_policy(namespace=namespace, name=expected_generated_network_policy['metadata']['labels']['kubescape.io/workload-name'])
 if TestUtil.get_arg_from_dict(self.test_driver.kwargs, statics.CREATE_TEST_FIRST_TIME_RESULTS, False):
- self.store_netwrok_for_first_time_results(result_data=expected_generated_network_policy, store_path=self.test_obj["expected_generated_network_policies"])
+ self.store_network_for_first_time_results(result_data=expected_generated_network_policy, store_path=self.test_obj["expected_generated_network_policies"])
 continue
 self.validate_expected_generated_network_policy(actual_network_policy=actual_generated_network_policy,expected_network_policy=expected_generated_network_policy, namespace=namespace)
diff --git a/tests_scripts/helm/network_policy.py b/tests_scripts/helm/network_policy.py
index 94d27147..c782bedf 100644
--- a/tests_scripts/helm/network_policy.py
+++ b/tests_scripts/helm/network_policy.py
@@ -1,8 +1,9 @@
-from systest_utils.systests_utilities import TestUtil
-from tests_scripts.helm.base_network_policy import BaseNetworkPolicy
-from systest_utils import statics, Logger
 import json
+
+from systest_utils import statics, Logger
+from systest_utils.systests_utilities import TestUtil
 from tests_scripts import base_test
+from tests_scripts.helm.base_network_policy import BaseNetworkPolicy
 class NetworkPolicy(BaseNetworkPolicy):
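Review bot: In the first-time-results branch the renamed call passes `result_data=expected_generated_network_policy`, i.e. the object that was just loaded from the expected JSON file is written back to that same file, so the "create first time results" mode never captures what the cluster actually produced for generated network policies; the sibling `validate_expected_network_neighborhood_list` in this commit passes the actual object. The line should read `self.store_network_for_first_time_results(result_data=actual_generated_network_policy, store_path=self.test_obj["expected_generated_network_policies"])`. The commit only renamed the method here and carried the argument over, so the defect predates it, but this is the line being touched. The lookup by `['metadata']['labels']['kubescape.io/workload-name']` on the line above also raises a bare `KeyError` when an expected fixture lacks the label, which is worth a clearer failure given the fixtures were just migrated.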
@@ -16,8 +17,8 @@ def start(self):
 1. Install Armo helm-chart
 2. Apply workloads
 3. Generate traffic
- 4. Validating in-cluster expected network neighbors and generated network policies
- 5. Validating backend expected network neighbors and generated network policies
+ 4. Validating in-cluster expected network neighborhood and generated network policies
+ 5. Validating backend expected network neighborhood and generated network policies
 6. Check deletion flow
 """
@@ -54,25 +55,25 @@ def start(self):
 update_period_in_seconds = helm_kwargs[statics.HELM_NODE_AGENT_UPDATE_PERIOD][:-1]
 TestUtil.sleep(6 * int(update_period_in_seconds), "wait for node-agent update period", "info")
- expected_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_network_neighbors"])
+ expected_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_network_neighborhood"])
 expected_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_generated_network_policies"])
- Logger.logger.info("4. Validating in-cluster expected network neighbors and generated network policies")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ Logger.logger.info("4. Validating in-cluster expected network neighborhood and generated network policies")
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list)
- Logger.logger.info("5. Validating backend expected network neighbors and generated network policies")
+ Logger.logger.info("5. Validating backend expected network neighborhood and generated network policies")
 self.wait_for_report(timeout=120, sleep_interval=5, report_type=self.validate_expected_backend_results, cluster=cluster, namespace=namespace, expected_workloads_list=workload_objs,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list )
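Review bot: The load-then-validate sequence in this hunk — two `TestUtil.load_objs_from_json_files` calls on `test_obj` keys, the in-cluster `validate_expected_network_neighborhood_and_generated_network_policies_lists` call, then `wait_for_report` on `validate_expected_backend_results` — is repeated almost verbatim in the later `start` hunks of this file (new-side lines 133, 231, 297 and 366), differing only in step labels, the sleep multiplier and the backend timeout, which is why this rename had to touch five copies. A helper on `BaseNetworkPolicy` that takes the two `test_obj` keys, the step labels and the backend timeout would reduce each test to one call and keep future schema changes to a single place. `start` begins and ends outside the hunk.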
@@ -82,7 +83,7 @@ def start(self):
 self.kubernetes_obj.delete_workload(namespace=namespace, application=workload_objs[0])
 TestUtil.sleep(120, "wait for workload deletion", "info")
- deleted_workload_nn = expected_network_neighbors_list.pop(0)
+ deleted_workload_nn = expected_network_neighborhood_list.pop(0)
 deleted_workload_np = expected_generated_network_policy_list.pop(0)
 Logger.logger.info(f"validating workload {deleted_workload_name} was deleted")
@@ -103,10 +104,10 @@ def start(self):
 Test plan:
 1. Install Armo helm-chart
 2. Apply workloads
- 3. Validating in-cluster expected network neighbors and generated network policies before generating traffic
+ 3. Validating in-cluster expected network neighborhood and generated network policies before generating traffic
 4. Generate traffic
- 5. Validating in-cluster expected network neighbors and generated network policies after generating traffic
- 6. Validating backend expected network neighbors and generated network policies after generating traffic
+ 5. Validating in-cluster expected network neighborhood and generated network policies after generating traffic
+ 6. Validating backend expected network neighborhood and generated network policies after generating traffic
 """
 cluster, namespace = self.setup(apply_services=False)
@@ -132,15 +133,15 @@ def start(self):
 duration_in_seconds = helm_kwargs[statics.HELM_NODE_AGENT_LEARNING_PERIOD][:-1]
 TestUtil.sleep(6 * int(duration_in_seconds), "wait for node-agent learning period", "info")
- expected_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_network_neighbors"])
+ expected_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_network_neighborhood"])
 expected_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_generated_network_policies"])
 Logger.logger.info(
- "3. Validating in-cluster expected network neighbors and generated network policies before generating traffic")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ "3. Validating in-cluster expected network neighborhood and generated network policies before generating traffic")
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list)
 pod = self.wait_for_report(report_type=self.get_pod_if_ready, namespace=namespace, name="wikijs", timeout=180)
@@ -154,10 +155,10 @@ def start(self):
 TestUtil.sleep(5 * int(update_period_in_seconds), "wait for node-agent update period", "info")
 Logger.logger.info(
- "5. Validating in-cluster expected network neighbors and generated network policies after generating traffic")
+ "5. Validating in-cluster expected network neighborhood and generated network policies after generating traffic")
- expected_updated_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_updated_network_neighbors"])
+ expected_updated_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_updated_network_neighborhood"])
 expected_updated_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_updated_generated_network_policies"])
@@ -165,19 +166,19 @@ def start(self):
 expected_generated_network_policy_list=expected_updated_generated_network_policy_list)
 Logger.logger.info("validated updated expected generated network policies")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_updated_network_neighbors_list,
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_updated_network_neighborhood_list,
 expected_generated_network_policy_list=expected_updated_generated_network_policy_list)
 Logger.logger.info(
- "6. Validating backend expected network neighbors and generated network policies after generating traffic")
+ "6. Validating backend expected network neighborhood and generated network policies after generating traffic")
 self.wait_for_report(timeout=120, sleep_interval=5, report_type=self.validate_expected_backend_results, cluster=cluster, namespace=namespace, expected_workloads_list=workload_objs,
- expected_network_neighbors_list=expected_updated_network_neighbors_list,
+ expected_network_neighborhood_list=expected_updated_network_neighborhood_list,
 expected_generated_network_policy_list=expected_updated_generated_network_policy_list )
@@ -195,8 +196,8 @@ def start(self):
 1. Apply workloads
 2. Install Armo helm-chart
 3. Restart workloads
- 4. Validating in-cluster expected network neighbors and generated network policies
- 5. Validating bakcned expected network neighbors and generated network policies
+ 4. Validating in-cluster expected network neighborhood and generated network policies
+ 5. Validating backend expected network neighborhood and generated network policies
 """
 cluster, namespace = self.setup(apply_services=False)
@@ -216,7 +217,7 @@ def start(self):
 self.add_and_upgrade_armo_to_repo()
 self.install_armo_helm_chart(helm_kwargs=helm_kwargs)
 self.verify_running_pods(namespace=statics.CA_NAMESPACE_FROM_HELM_NAME, timeout=360)
-
+
 TestUtil.sleep(40, "wait for 40 seconds before restarting pods", "info")
 pods_list = list(map(lambda obj: obj['metadata']['name'], workload_objs))
@@ -230,24 +231,24 @@ def start(self):
 duration_in_seconds = helm_kwargs[statics.HELM_NODE_AGENT_LEARNING_PERIOD][:-1]
 TestUtil.sleep(10 * int(duration_in_seconds), "wait for node-agent learning period", "info")
- expected_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_network_neighbors"])
+ expected_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_network_neighborhood"])
 expected_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_generated_network_policies"])
- Logger.logger.info("4. Validating in-cluster expected network neighbors and generated network policies")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ Logger.logger.info("4. Validating in-cluster expected network neighborhood and generated network policies")
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list)
- Logger.logger.info("5. Validating backend expected network neighbors and generated network policies")
+ Logger.logger.info("5. Validating backend expected network neighborhood and generated network policies")
 self.wait_for_report(timeout=240, sleep_interval=5, report_type=self.validate_expected_backend_results, cluster=cluster, namespace=namespace, expected_workloads_list=workload_objs,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list )
@@ -265,8 +266,8 @@ def start(self):
 1. Install Armo helm-chart
 2. Apply workloads
 3. Generate different traffic for one pod
- 4. Validating in-cluster expected network neighbors and generated network policies
- 5. Validating backend expected network neighbors and generated network policies
+ 4. Validating in-cluster expected network neighborhood and generated network policies
+ 5. Validating backend expected network neighborhood and generated network policies
 """
 cluster, namespace = self.setup(apply_services=False)
@@ -296,24 +297,24 @@ def start(self):
 duration_in_seconds = helm_kwargs[statics.HELM_NODE_AGENT_LEARNING_PERIOD][:-1]
 TestUtil.sleep(6 * int(duration_in_seconds), "wait for node-agent learning period", "info")
- expected_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_network_neighbors"])
+ expected_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_network_neighborhood"])
 expected_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_generated_network_policies"])
- Logger.logger.info("4. Validating in-cluster expected network neighbors and generated network policies")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ Logger.logger.info("4. Validating in-cluster expected network neighborhood and generated network policies")
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list)
- Logger.logger.info("5. Validating backend expected network neighbors and generated network policies")
+ Logger.logger.info("5. Validating backend expected network neighborhood and generated network policies")
 self.wait_for_report(timeout=120, sleep_interval=5, report_type=self.validate_expected_backend_results, cluster=cluster, namespace=namespace, expected_workloads_list=workload_objs,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list )
@@ -332,8 +333,8 @@ def start(self):
 2. Apply workloads
 3. Send request from within Pod
 4. Apply Known Servers
- 5. Validating in-cluster expected network neighbors and generated network policies
- 6. Validating backend expected network neighbors and generated network policies
+ 5. Validating in-cluster expected network neighborhood and generated network policies
+ 6. Validating backend expected network neighborhood and generated network policies
 """
 cluster, namespace = self.setup(apply_services=False)
@@ -365,24 +366,24 @@ def start(self):
 duration_in_seconds = helm_kwargs[statics.HELM_NODE_AGENT_LEARNING_PERIOD][:-1]
 TestUtil.sleep(5 * int(duration_in_seconds), "wait for node-agent learning period", "info")
- expected_network_neighbors_list = TestUtil.load_objs_from_json_files(
- self.test_obj["expected_network_neighbors"])
+ expected_network_neighborhood_list = TestUtil.load_objs_from_json_files(
+ self.test_obj["expected_network_neighborhood"])
 expected_generated_network_policy_list = TestUtil.load_objs_from_json_files(
 self.test_obj["expected_generated_network_policies"])
- Logger.logger.info("5. Validating in-cluster expected network neighbors and generated network policies")
- self.validate_expected_network_neighbors_and_generated_network_policies_lists(namespace=namespace,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ Logger.logger.info("5. Validating in-cluster expected network neighborhood and generated network policies")
+ self.validate_expected_network_neighborhood_and_generated_network_policies_lists(namespace=namespace,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list)
- Logger.logger.info("6. Validating backend expected network neighbors and generated network policies")
+ Logger.logger.info("6. Validating backend expected network neighborhood and generated network policies")
 self.wait_for_report(timeout=120, sleep_interval=5, report_type=self.validate_expected_backend_results, cluster=cluster, namespace=namespace, expected_workloads_list=workload_objs,
- expected_network_neighbors_list=expected_network_neighbors_list,
+ expected_network_neighborhood_list=expected_network_neighborhood_list,
 expected_generated_network_policy_list=expected_generated_network_policy_list )
diff --git a/tests_scripts/helm/synchronizer.py b/tests_scripts/helm/synchronizer.py
index 23e97594..cb03636c 100644
--- a/tests_scripts/helm/synchronizer.py
+++ b/tests_scripts/helm/synchronizer.py
@@ -2,11 +2,21 @@
 KUBERNETES_RESOURCES_METADATA_KEY,
 KUBERNETES_RESOURCES_OBJECT_KEY,
 )
-from systest_utils.systests_utilities import TestUtil
-from systest_utils import statics, Logger
 from systest_utils import statics, Logger, TestUtil
 from tests_scripts.helm.base_helm import BaseHelm
-from datetime import datetime, timezone
+
+
+def nameKind(cluster_resources):
+ results = []
+ for resource in cluster_resources:
+ if isinstance(resource, dict):
+ kind = resource.get("kind", "")
+ name = resource.get("metadata", {}).get("name")
+ else:
+ kind = getattr(resource, "kind", "")
+ name = getattr(getattr(resource, "metadata", {}), "name")
+ results.append(f"{kind}/{name}")
+ return ', '.join(results)
 class BaseSynchronizer(BaseHelm):
@@ -178,8 +188,8 @@ def verify_backend_resources(
 assert len(be_resources) > 0, "BE kubernetes resources is empty"
 assert len(be_resources) == len(cluster_resources), (
- "amount of kubernetes resources ('%d') is not as expected ('%d')"
- % (len(be_resources), len(cluster_resources))
+ "amount of kubernetes resources ('%s') is not as expected ('%s')"
+ % (nameKind(be_resources), nameKind(cluster_resources))
 )
 for be_resource in be_resources:
diff --git a/tests_scripts/kubernetes/base_k8s.py b/tests_scripts/kubernetes/base_k8s.py
index 9393a9fe..2989c56d 100755
--- a/tests_scripts/kubernetes/base_k8s.py
+++ b/tests_scripts/kubernetes/base_k8s.py
@@ -3,7 +3,6 @@
 import json
 import operator
 import os
-import tempfile
 import time
 # allow support for python 3.10
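Review bot: `name = getattr(getattr(resource, "metadata", {}), "name")` in nameKind raises AttributeError for a non-dict resource that has no `metadata` attribute, because the inner default `{}` has no `name` and the outer getattr is given no default; `name = getattr(getattr(resource, "metadata", None), "name", None)` keeps the helper best-effort, which matters because it only runs while an assertion message is being built. The function name is camelCase in a file that otherwise uses snake_case, so `name_kind` would follow PEP 8. A one-line docstring such as `"""Return a comma-separated 'kind/name' list of the given resources, for assertion messages."""` would state what the helper is for.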
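Review bot: The assertion on `len(be_resources) == len(cluster_resources)` now prints the two name lists under the wording "amount of kubernetes resources ('%s')", so the counts the check actually compares are no longer shown and the word "amount" no longer matches what is printed; including both, e.g. `"kubernetes resources (%d: %s) are not as expected (%d: %s)" % (len(be_resources), nameKind(be_resources), len(cluster_resources), nameKind(cluster_resources))`, keeps the failure message accurate. verify_backend_resources starts outside the hunk.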
@@ -13,21 +12,17 @@
 from collections import Iterable
 # from datetime import datetime
-from threading import Thread
 import requests
-import hashlib
 from infrastructure import KubectlWrapper
-from infrastructure.helm_wrapper import HelmWrapper
 from infrastructure.thread_wrapper import WebsocketWrapper
 from systest_utils import Logger, TestUtil, statics
-from systest_utils.data_structures import DataStructuresUtils
 from systest_utils.sid import SID
 from systest_utils.statics import Statistics
 from systest_utils.wlid import Wlid
 from tests_scripts.dockerize import BaseDockerizeTest
-from kubernetes import config, client, dynamic
+from kubernetes import config
 class BaseK8S(BaseDockerizeTest):
@@ -1072,15 +1067,24 @@ def run_exec_cmd(self, pod_name: str, namespace: str, cmd: str, repeat: int = 1)
 time.sleep(0.5) # sleep between repeat's
 def get_generated_network_policy(self, namespace: str, name: str):
- generated_network_policy = self.kubernetes_obj.client_CustomObjectsApi.get_namespaced_custom_object(
+ metadata_list = self.kubernetes_obj.client_CustomObjectsApi.list_namespaced_custom_object(
 group=statics.STORAGE_AGGREGATED_API_GROUP,
 version=statics.STORAGE_AGGREGATED_API_VERSION,
- name=name,
 namespace=namespace,
 plural=statics.GENERATED_NETWORK_POLICY_PLURAL,
 )
-
- return generated_network_policy
+ for metadata in metadata_list['items']:
+ if metadata['metadata']['labels']['kubescape.io/workload-name'] != name:
+ continue
+ item = self.kubernetes_obj.client_CustomObjectsApi.get_namespaced_custom_object(
+ group=statics.STORAGE_AGGREGATED_API_GROUP,
+ version=statics.STORAGE_AGGREGATED_API_VERSION,
+ name=metadata['metadata']['name'],
+ namespace=metadata['metadata']['namespace'],
+ plural=statics.GENERATED_NETWORK_POLICY_PLURAL,
+ )
+ return item
+ raise Exception(f"no generated network policy found in namespace {namespace} with workload name {name}")
 def create_known_servers(self, body):
 self.kubernetes_obj.client_CustomObjectsApi.create_cluster_custom_object(
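Review bot: `metadata['metadata']['labels']['kubescape.io/workload-name']` in the new loop raises KeyError for any listed object that has no `labels` map or lacks that label, which aborts the lookup instead of skipping that item; `labels = metadata['metadata'].get('labels') or {}` followed by `if labels.get('kubescape.io/workload-name') != name: continue` keeps the search going. The same list-filter-get loop is repeated in get_network_neighborhood in the next hunk (`@@ -1090,16 +1094,25 @@`), differing only in the plural and in the (name, namespace) parameter order, so both read better as thin wrappers over one private helper as sketched below, with the existing signatures kept for callers. The first label match is returned silently; if more than one stored object in the namespace carries the same workload-name label (different workload kinds, for instance), the test would validate whichever object the API lists first, so a second discriminator such as a workload-kind label, if the storage sets one, would make the match exact. run_exec_cmd's body is only partly visible in this hunk.
```python
    def _get_storage_object_by_workload_name(self, namespace: str, name: str, plural: str):
        """Return the stored object of kind `plural` whose workload-name label equals `name`.

        Raises Exception when no object in `namespace` carries that label value.
        """
        api = self.kubernetes_obj.client_CustomObjectsApi
        metadata_list = api.list_namespaced_custom_object(
            group=statics.STORAGE_AGGREGATED_API_GROUP,
            version=statics.STORAGE_AGGREGATED_API_VERSION,
            namespace=namespace,
            plural=plural,
        )
        for metadata in metadata_list['items']:
            # objects without labels, or without this label, are skipped rather than crashing the search
            labels = metadata['metadata'].get('labels') or {}
            if labels.get('kubescape.io/workload-name') != name:
                continue
            return api.get_namespaced_custom_object(
                group=statics.STORAGE_AGGREGATED_API_GROUP,
                version=statics.STORAGE_AGGREGATED_API_VERSION,
                name=metadata['metadata']['name'],
                namespace=metadata['metadata']['namespace'],
                plural=plural,
            )
        raise Exception(f"no {plural} found in namespace {namespace} with workload name {name}")

    def get_generated_network_policy(self, namespace: str, name: str):
        return self._get_storage_object_by_workload_name(namespace, name, statics.GENERATED_NETWORK_POLICY_PLURAL)

    # … unchanged: create_known_servers …

    def get_network_neighborhood(self, name: str, namespace: str):
        return self._get_storage_object_by_workload_name(namespace, name, statics.NETWORK_NEIGHBOR_PLURAL)
```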
@@ -1090,16 +1094,25 @@ def create_known_servers(self, body):
 body=body,
 )
- def get_network_neighbors(self, name: str, namespace: str):
- network_neighbors = self.kubernetes_obj.client_CustomObjectsApi.get_namespaced_custom_object(
+ def get_network_neighborhood(self, name: str, namespace: str):
+ metadata_list = self.kubernetes_obj.client_CustomObjectsApi.list_namespaced_custom_object(
 group=statics.STORAGE_AGGREGATED_API_GROUP,
 version=statics.STORAGE_AGGREGATED_API_VERSION,
- name=name,
 namespace=namespace,
 plural=statics.NETWORK_NEIGHBOR_PLURAL,
 )
-
- return network_neighbors
+ for metadata in metadata_list['items']:
+ if metadata['metadata']['labels']['kubescape.io/workload-name'] != name:
+ continue
+ item = self.kubernetes_obj.client_CustomObjectsApi.get_namespaced_custom_object(
+ group=statics.STORAGE_AGGREGATED_API_GROUP,
+ version=statics.STORAGE_AGGREGATED_API_VERSION,
+ name=metadata['metadata']['name'],
+ namespace=metadata['metadata']['namespace'],
+ plural=statics.NETWORK_NEIGHBOR_PLURAL,
+ )
+ return item
+ raise Exception(f"no network neighborhood found in namespace {namespace} with workload name {name}")
 def get_SBOM_from_storage(self, SBOMKeys):
 SBOMs = []