diff --git a/.github/workflows/npa.yml b/.github/workflows/npa.yml new file mode 100644 index 0000000..97e5599 --- /dev/null +++ b/.github/workflows/npa.yml @@ -0,0 +1,152 @@ + +name: e2e_npa + +on: + push: + branches: + - 'main' + tags: + - 'v*' + pull_request: + branches: [ main ] + workflow_dispatch: + +env: + GO_VERSION: "1.22.0" + K8S_VERSION: "v1.29.2" + KIND_VERSION: "v0.22.0" + IMAGE_NAME: registry.k8s.io/networking/kube-network-policies + KIND_CLUSTER_NAME: kind + +permissions: write-all + +jobs: + build: + name: build + runs-on: ubuntu-latest + steps: + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: ${{ env.GO_VERSION }} + id: go + + - name: Check out code + uses: actions/checkout@v2 + + - name: Build + run: | + docker build -t registry.k8s.io/networking/kube-network-policies:test -f Dockerfile . + mkdir _output + docker save registry.k8s.io/networking/kube-network-policies:test > _output/kube-network-policies-image.tar + + - uses: actions/upload-artifact@v2 + with: + name: test-image + path: _output/kube-network-policies-image.tar + + e2e_npa: + name: e2e_npa + runs-on: ubuntu-22.04 + timeout-minutes: 100 + needs: + - build + strategy: + fail-fast: false + matrix: + # TODO add "dual", waiting on KEP https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3705-cloud-node-ips + ipFamily: ["ipv4", "ipv6"] + env: + JOB_NAME: "kube-network-policies-${{ matrix.ipFamily }}" + IP_FAMILY: ${{ matrix.ipFamily }} + steps: + - name: Check out code + uses: actions/checkout@v2 + + - name: Enable ipv4 and ipv6 forwarding + run: | + sudo sysctl -w net.ipv6.conf.all.forwarding=1 + sudo sysctl -w net.ipv4.ip_forward=1 + + - name: Set up environment (download dependencies) + run: | + TMP_DIR=$(mktemp -d) + # kubectl + curl -L https://dl.k8s.io/${{ env.K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl + # kind + curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 + # Install + sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl + sudo cp ${TMP_DIR}/kind /usr/local/bin/kind + sudo chmod +x /usr/local/bin/* + + - name: Create multi node cluster + run: | + # output_dir + mkdir -p _artifacts + # create cluster + cat < _artifacts/kubeconfig.conf + + - uses: actions/download-artifact@v2 + with: + name: test-image + + - name: Install kube-network-policies + run: | + /usr/local/bin/kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/v0.1.5/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml + # preload kube-network-policies image + docker load --input kube-network-policies-image.tar + /usr/local/bin/kind load docker-image registry.k8s.io/networking/kube-network-policies:test --name ${{ env.KIND_CLUSTER_NAME}} + sed -i s#registry.k8s.io/networking/kube-network-policies.*#registry.k8s.io/networking/kube-network-policies:test# install-anp.yaml + /usr/local/bin/kubectl apply -f ./install-anp.yaml + + - name: Get Cluster status + run: | + # wait network is ready + sleep 5 + /usr/local/bin/kubectl get nodes -o wide + /usr/local/bin/kubectl get pods -A + /usr/local/bin/kubectl wait --timeout=1m --for=condition=ready pods --namespace=kube-system -l k8s-app=kube-dns + /usr/local/bin/kubectl wait --timeout=1m --for=condition=ready pods --namespace=kube-system -l app=kube-network-policies + + - name: Run tests + run: | + # https://network-policy-api.sigs.k8s.io/npeps/npep-137-conformance-profiles/#integration + git clone https://github.com/kubernetes-sigs/network-policy-api.git + cd network-policy-api/ + go mod download + go test -v ./conformance -run TestConformanceProfiles -args --conformance-profiles=AdminNetworkPolicy --organization=kubernetes --project=kube-network-policies --url=https://github.com/kubernetes-sigs/kube-network-policies --version=0.1.1 --contact=antonio.ojea.garcia@gmail.com --additional-info=https://github.com/kubernetes-sigs/kube-network-policies + cd - + + - name: Upload Junit Reports + if: always() + uses: actions/upload-artifact@v2 + with: + name: kind-junit-${{ env.JOB_NAME }}-${{ github.run_id }} + path: './_artifacts/*.xml' + + - name: Export logs + if: always() + run: | + /usr/local/bin/kind export logs --name ${KIND_CLUSTER_NAME} --loglevel=debug ./_artifacts/logs + + - name: Upload logs + if: always() + uses: actions/upload-artifact@v2 + with: + name: kind-logs-${{ env.JOB_NAME }}-${{ github.run_id }} + path: ./_artifacts/logs diff --git a/install-anp.yaml b/install-anp.yaml new file mode 100644 index 0000000..560759f --- /dev/null +++ b/install-anp.yaml @@ -0,0 +1,103 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kube-network-policies +rules: + - apiGroups: + - "" + resources: + - pods + - namespaces + - nodes + verbs: + - list + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - watch + - apiGroups: + - "policy.networking.k8s.io" + resources: + - adminnetworkpolicies + verbs: + - list + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kube-network-policies +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-network-policies +subjects: +- kind: ServiceAccount + name: kube-network-policies + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-network-policies + namespace: kube-system +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-network-policies + namespace: kube-system + labels: + tier: node + app: kube-network-policies + k8s-app: kube-network-policies +spec: + selector: + matchLabels: + app: kube-network-policies + template: + metadata: + labels: + tier: node + app: kube-network-policies + k8s-app: kube-network-policies + spec: + hostNetwork: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + tolerations: + - operator: Exists + effect: NoSchedule + serviceAccountName: kube-network-policies + containers: + - name: kube-network-policies + image: registry.k8s.io/networking/kube-network-policies:v0.1.0 + args: + - /bin/netpol + - -v + - "2" + - -admin-network-policy + - "true" + volumeMounts: + - name: lib-modules + mountPath: /lib/modules + readOnly: true + resources: + requests: + cpu: "100m" + memory: "50Mi" + securityContext: + privileged: true + capabilities: + add: ["NET_ADMIN"] + volumes: + - name: lib-modules + hostPath: + path: /lib/modules +---