Make NetworkPolicy tests use pod IPs rather than service IPs (temporarily)

danwinship · danwinship · commit ae0344b17e9d · 2017-02-16T08:58:39.000-05:00
diff --git a/test/extended/networking/networkpolicy.go b/test/extended/networking/networkpolicy.go
@@ -34,6 +34,9 @@ import (
       kube #36673).
    3. Ported to use IPs rather than DNS names in tests since our extended
       networking tests don't run with DNS.
+   4. Changed to use pod IPs rather than service IPs in tests since our
+      NetworkPolicy implementation doesn't currently support services
+      correctly in Namespaces with NetworkPolicies with PodSelectors.
 */
 
 
@@ -68,19 +71,21 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, podServer)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			podServer, err = f.ClientSet.Core().Pods(ns.Name).Get(podServer.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			// Create a pod with name 'client-a', which should be able to communicate with server.
 			By("Creating client which will be able to contact the server since isolation is off.")
-			testCanConnect(f, ns, "client-can-connect", service, 80)
+			testCanConnect(f, ns, "client-can-connect", service, podServer.Status.PodIP, 80)
 
 			framework.Logf("Enabling network isolation.")
 			setNamespaceIsolation(f, ns, "DefaultDeny")
 
 			// Create a pod with name 'client-b', which will attempt to comunicate with the server,
 			// but should not be able to now that isolation is on.
-			testCannotConnect(f, ns, "client-cannot-connect", service, 80)
+			testCannotConnect(f, ns, "client-cannot-connect", service, podServer.Status.PodIP, 80)
 		})
 
 		It("should enforce policy based on PodSelector [Feature:NetworkPolicy]", func() {
@@ -102,7 +107,9 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(ns.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Creating a network policy for the server which allows traffic from the pod 'client-a'.")
@@ -142,8 +149,8 @@ var _ = Describe("NetworkPolicy", func() {
 			}()
 
 			By("Creating client-a which should be able to contact the server.")
-			testCanConnect(f, ns, "client-a", service, 80)
-			testCannotConnect(f, ns, "client-b", service, 80)
+			testCanConnect(f, ns, "client-a", service, serverPod.Status.PodIP, 80)
+			testCannotConnect(f, ns, "client-b", service, serverPod.Status.PodIP, 80)
 		})
 
 		It("should enforce policy based on Ports [Feature:NetworkPolicy]", func() {
@@ -165,18 +172,20 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(ns.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Testing pods can connect to both ports when isolation is off.")
-			testCanConnect(f, ns, "basecase-reachable-80", service, 80)
-			testCanConnect(f, ns, "basecase-reachable-81", service, 81)
+			testCanConnect(f, ns, "basecase-reachable-80", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "basecase-reachable-81", service, serverPod.Status.PodIP, 81)
 
 			setNamespaceIsolation(f, ns, "DefaultDeny")
 
 			By("Testing pods cannot by default when isolation is turned on.")
-			testCannotConnect(f, ns, "basecase-unreachable-80", service, 80)
-			testCannotConnect(f, ns, "basecase-unreachable-81", service, 81)
+			testCannotConnect(f, ns, "basecase-unreachable-80", service, serverPod.Status.PodIP, 80)
+			testCannotConnect(f, ns, "basecase-unreachable-81", service, serverPod.Status.PodIP, 81)
 
 			By("Creating a network policy for the Service which allows traffic only to one port.")
 			policy := extensions.NetworkPolicy{
@@ -208,8 +217,8 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 
-			testCannotConnect(f, ns, "client-a", service, 80)
-			testCanConnect(f, ns, "client-b", service, 81)
+			testCannotConnect(f, ns, "client-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "client-b", service, serverPod.Status.PodIP, 81)
 		})
 
 		It("shouldn't enforce policy when isolation is off [Feature:NetworkPolicy]", func() {
@@ -231,12 +240,14 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(ns.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Testing pods can connect to both ports when isolation is off and no policy is defined.")
-			testCanConnect(f, ns, "basecase-reachable-a", service, 80)
-			testCanConnect(f, ns, "basecase-reachable-b", service, 81)
+			testCanConnect(f, ns, "basecase-reachable-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "basecase-reachable-b", service, serverPod.Status.PodIP, 81)
 
 			By("Creating a network policy for the Service which allows traffic only to one port.")
 			policy := extensions.NetworkPolicy{
@@ -268,8 +279,8 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 
-			testCanConnect(f, ns, "client-a", service, 80)
-			testCanConnect(f, ns, "client-b", service, 81)
+			testCanConnect(f, ns, "client-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "client-b", service, serverPod.Status.PodIP, 81)
 		})
 
 		It("should enforce multiple, stacked policies with overlapping podSelectors [Feature:NetworkPolicy]", func() {
@@ -291,18 +302,20 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(ns.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Testing pods can connect to both ports when isolation is off.")
-			testCanConnect(f, ns, "test-a", service, 80)
-			testCanConnect(f, ns, "test-b", service, 81)
+			testCanConnect(f, ns, "test-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "test-b", service, serverPod.Status.PodIP, 81)
 
 			setNamespaceIsolation(f, ns, "DefaultDeny")
 
 			By("Testing pods cannot connect to either port when no policy is defined.")
-			testCannotConnect(f, ns, "test-a-2", service, 80)
-			testCannotConnect(f, ns, "test-b-2", service, 81)
+			testCannotConnect(f, ns, "test-a-2", service, serverPod.Status.PodIP, 80)
+			testCannotConnect(f, ns, "test-b-2", service, serverPod.Status.PodIP, 81)
 
 			By("Creating a network policy for the Service which allows traffic only to one port.")
 			policy := extensions.NetworkPolicy{
@@ -364,8 +377,8 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 
-			testCanConnect(f, ns, "client-a", service, 80)
-			testCanConnect(f, ns, "client-b", service, 81)
+			testCanConnect(f, ns, "client-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "client-b", service, serverPod.Status.PodIP, 81)
 		})
 
 		It("should support allow-all policy [Feature:NetworkPolicy]", func() {
@@ -387,18 +400,20 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for Server to come up.")
-			err := framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err := f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(ns.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("Testing pods can connect to both ports when isolation is off.")
-			testCanConnect(f, ns, "test-a", service, 80)
-			testCanConnect(f, ns, "test-b", service, 81)
+			testCanConnect(f, ns, "test-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "test-b", service, serverPod.Status.PodIP, 81)
 
 			setNamespaceIsolation(f, ns, "DefaultDeny")
 
 			By("Testing pods cannot connect to either port when isolation is on.")
-			testCannotConnect(f, ns, "test-a", service, 80)
-			testCannotConnect(f, ns, "test-b", service, 81)
+			testCannotConnect(f, ns, "test-a", service, serverPod.Status.PodIP, 80)
+			testCannotConnect(f, ns, "test-b", service, serverPod.Status.PodIP, 81)
 
 			By("Creating a network policy which allows all traffic.")
 			policy := extensions.NetworkPolicy{
@@ -423,8 +438,8 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 
-			testCanConnect(f, ns, "client-a", service, 80)
-			testCanConnect(f, ns, "client-b", service, 81)
+			testCanConnect(f, ns, "client-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, ns, "client-b", service, serverPod.Status.PodIP, 81)
 		})
 
 		It("should enforce policy based on NamespaceSelector [Feature:NetworkPolicy]", func() {
@@ -455,7 +470,9 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 			framework.Logf("Waiting for server to come up.")
-			err = framework.WaitForPodRunningInNamespace(f.ClientSet, serverPod)
+			err = f.WaitForAnEndpoint(service.Name)
+			Expect(err).NotTo(HaveOccurred())
+			serverPod, err = f.ClientSet.Core().Pods(nsA.Name).Get(serverPod.Name)
 			Expect(err).NotTo(HaveOccurred())
 
 			// Create Policy for that service that allows traffic only via namespace B
@@ -493,15 +510,15 @@ var _ = Describe("NetworkPolicy", func() {
 				}
 			}()
 
-			testCannotConnect(f, nsA, "client-a", service, 80)
-			testCanConnect(f, nsB, "client-b", service, 80)
+			testCannotConnect(f, nsA, "client-a", service, serverPod.Status.PodIP, 80)
+			testCanConnect(f, nsB, "client-b", service, serverPod.Status.PodIP, 80)
 		})
 	})
 })
 
-func testCanConnect(f *framework.Framework, ns *api.Namespace, podName string, service *api.Service, targetPort int) {
+func testCanConnect(f *framework.Framework, ns *api.Namespace, podName string, service *api.Service, target string, targetPort int) {
 	By(fmt.Sprintf("Creating client pod %s that should successfully connect to %s.", podName, service.Name))
-	podClient := createNetworkClientPod(f, ns, podName, service.Spec.ClusterIP, targetPort)
+	podClient := createNetworkClientPod(f, ns, podName, target, targetPort)
 	defer func() {
 		By(fmt.Sprintf("Cleaning up the pod %s", podName))
 		if err := f.ClientSet.Core().Pods(ns.Name).Delete(podClient.Name, nil); err != nil {
@@ -518,9 +535,9 @@ func testCanConnect(f *framework.Framework, ns *api.Namespace, podName string, s
 	Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("checking %s could communicate with server.", podClient.Name))
 }
 
-func testCannotConnect(f *framework.Framework, ns *api.Namespace, podName string, service *api.Service, targetPort int) {
+func testCannotConnect(f *framework.Framework, ns *api.Namespace, podName string, service *api.Service, target string, targetPort int) {
 	By(fmt.Sprintf("Creating client pod %s that should not be able to connect to %s.", podName, service.Name))
-	podClient := createNetworkClientPod(f, ns, podName, service.Spec.ClusterIP, targetPort)
+	podClient := createNetworkClientPod(f, ns, podName, target, targetPort)
 	defer func() {
 		By(fmt.Sprintf("Cleaning up the pod %s", podName))
 		if err := f.ClientSet.Core().Pods(ns.Name).Delete(podClient.Name, nil); err != nil {
