#
# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
# Ministerpräsidenten des Landes Schleswig-Holstein
# Staatskanzlei
# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
#
# Lizenziert unter der EUPL, Version 1.2 oder - sobald
# diese von der Europäischen Kommission genehmigt wurden -
# Folgeversionen der EUPL ("Lizenz");
# Sie dürfen dieses Werk ausschließlich gemäß
# dieser Lizenz nutzen.
# Eine Kopie der Lizenz finden Sie hier:
#
# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
#
# Sofern nicht durch anwendbare Rechtsvorschriften
# gefordert oder in schriftlicher Form vereinbart, wird
# die unter der Lizenz verbreitete Software "so wie sie
# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
# ausdrücklich oder stillschweigend - verbreitet.
# Die sprachspezifischen Genehmigungen und Beschränkungen
# unter der Lizenz sind dem Lizenztext zu entnehmen.
#
# helm-unittest suite for the vorgang-manager NetworkPolicy template.
suite: network policy test
release:
  # release namespace the chart is rendered into for these tests
  namespace: by-helm-test
templates:
  - templates/network_policy.yaml
# NOTE(review): the `tests:` key that would introduce the test cases below is
# not visible in this listing — confirm it is present in the original file.
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- isAPIVersion:
of: networking.k8s.io/v1
networkPolicy:
dnsServerNamespace: test-dns-namespace
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- equal:
path: metadata
value:
name: network-policy-vorgang-manager
- it: should set policy target matchLabel
networkPolicy:
dnsServerNamespace: test-dns-namespace
path: spec.podSelector
matchLabels:
component: vorgang-manager
- it: should add policyType Egress
  # NOTE(review): no `set:` is visible above these values in this listing;
  # helm-unittest applies chart values from `set:` — confirm the nesting.
  networkPolicy:
    dnsServerNamespace: test-dns-namespace
  asserts:
    # Declaring Egress makes the policy govern outbound traffic: anything not
    # matched by a spec.egress rule is denied for the selected pods.
    - contains:
        path: spec.policyTypes
        content: Egress
- it: should add policyType Ingress
  networkPolicy:
    dnsServerNamespace: test-dns-namespace
  asserts:
    # Ingress is declared as well, so unlisted inbound traffic is denied too.
    - contains:
        path: spec.policyTypes
        content: Ingress
- it: should add ingress rule for eingangsmanager and alfa
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.ingress
content:
from:
- podSelector:
matchLabels:
ozg-component: eingangsadapter
matchLabels:
ozg-component: xta-adapter
- it: should add ingress rule for monitoring scraper
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.ingress
content:
from:
- namespaceSelector:
name: openshift-user-workload-monitoring
- it: should set monitoring namespace for monitoring scraper ingress rule
  # NOTE(review): no `set:` is visible above these values in this listing — confirm.
  networkPolicy:
    dnsServerNamespace: test-dns-namespace
    monitoringNamespace: test-monitoring
  asserts:
    - contains:
        path: spec.ingress
        content:
          # The scraper peer is selected by a `name` label on the namespace.
          # Other rules in this file key on `kubernetes.io/metadata.name`,
          # which the API server sets itself; a plain `name` label has to be
          # applied to the namespace by hand — presumably intentional, confirm.
          # As listed the rule has no `ports`, so every pod in that namespace
          # could reach every port of the selected pods — confirm against the
          # template or whether a `ports:` entry was dropped from this listing.
          from:
            - namespaceSelector:
                matchLabels:
                  name: test-monitoring
- it: should add ingress rule for antragraum-proxy if antragraum is enabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    ozgcloud:
      antragraum:
        enabled: true
  asserts:
    - contains:
        path: spec.ingress
        content:
          from:
            # namespaceSelector and podSelector in ONE peer entry (no second
            # `-`), so both must match: only pods labelled
            # component=antragraum-proxy inside the antragraum-proxy namespace.
            # As listed the rule carries no `ports`; if the template matches,
            # those pods may reach every port — confirm.
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: antragraum-proxy
              podSelector:
                matchLabels:
                  component: antragraum-proxy
- it: should set ingress rule for antragraum-proxy if antragraum is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
antragraumProxyNamespace: antragraum-proxy
- contains:
path: spec.ingress
content:
from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: antragraum-proxy
podSelector:
matchLabels:
component: antragraum-proxy
- it: should not add ingress rule for antragraum if antragraum is disabled
  # NOTE(review): no `set:` is visible above these values in this listing — confirm.
  networkPolicy:
    dnsServerNamespace: test-dns-namespace
  ozgcloud:
    antragraum:
      enabled: false
  asserts:
    # This negative check names the `antragraum` namespace and the
    # `antragraum-server` component, which no positive test in this listing
    # asserts (the enabled case checks antragraum-proxy / antragraum-proxy),
    # so it passes regardless of what the template emits for the proxy rule.
    # The proxy rule's disabled case is covered by the following test.
    - notContains:
        path: spec.ingress
        content:
          from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: antragraum
              podSelector:
                matchLabels:
                  component: antragraum-server
- it: should not add ingress rule for antragraum-proxy if antragraum is disabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    ozgcloud:
      antragraum:
        enabled: false
  asserts:
    - notContains:
        path: spec.ingress
        content:
          from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: antragraum-proxy
              podSelector:
                matchLabels:
                  component: antragraum-proxy
        # any: true — presumably relaxes the check to a partial match, so an
        # emitted rule carrying extra keys (e.g. ports) is still caught;
        # confirm against the helm-unittest version in use.
        any: true
- it: should add default ingress rule for zentraler-eingang
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
  asserts:
    - contains:
        path: spec.ingress
        content:
          from:
            # One peer entry combining both selectors: only pods whose
            # ozg-component label is in the listed set, inside the
            # zentraler-eingang namespace (the fallback when
            # networkPolicy.zentralerEingangNamespace is not set).
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: zentraler-eingang
              podSelector:
                matchExpressions:
                  - key: ozg-component
                    operator: In
                    values:
                      - eingangsadapter
                      - xta-adapter
          # and only on the application port
          ports:
            - protocol: TCP
              port: 9090
- it: should add ingress rule for zentraler-eingang
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zentralerEingangNamespace: custom-namespace
- contains:
path: spec.ingress
content:
from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: custom-namespace
podSelector:
matchExpressions:
- key: ozg-component
operator: In
values:
- eingangsadapter
- xta-adapter
ports:
- protocol: TCP
port: 9090
- it: should add egress rule to elasticsearch
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
content:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: elastic-system
podSelector:
matchLabels:
elasticsearch.k8s.elastic.co/cluster-name: ozg-search-cluster
ports:
- port: 9200
protocol: TCP
- it: should add egress rule to mongodb
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
  asserts:
    - contains:
        path: spec.egress
        content:
          # NOTE(review): as listed, this rule carries only `ports` and no `to`
          # peer list. A NetworkPolicy egress rule without `to` permits
          # 27017/TCP to any destination, inside or outside the cluster — the
          # other egress tests here pin a podSelector/namespaceSelector.
          # Confirm whether a `to:` block was dropped from this listing or is
          # genuinely absent from the template.
          ports:
            - port: 27017
              protocol: TCP
- it: should add egress rule to user-manager
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
  asserts:
    - contains:
        path: spec.egress
        content:
          to:
            # podSelector without a namespaceSelector: only user-manager pods
            # in the policy's own namespace
            - podSelector:
                matchLabels:
                  component: user-manager
          ports:
            - port: 9000
              protocol: TCP
- it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
bayernid:
enabled: true
proxy:
namespace: bayernidProxyNamespace
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: bayernid-proxy
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: bayernidProxyNamespace
- port: 9090
protocol: TCP
- it: should not add egress rule to bayernid-proxy if bayernid is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
bayernid:
enabled: false
asserts:
- notContains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: bayernid-proxy
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: bayernidProxyNamespace
- port: 9090
protocol: TCP
- it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    ozgcloud:
      bayernid:
        enabled: true
  asserts:
    # Fail closed: with the proxy namespace unset, rendering aborts instead of
    # (presumably) emitting a peer whose namespaceSelector has an empty name.
    - failedTemplate:
        errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled
- it: should add egress rule to info-manager if antragraum is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
asserts:
- contains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: info-manager
matchLabels:
component: info-manager
- it: should set egress rule to info-manager if antragraum is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: true
infoManager:
namespace: info-manager2
asserts:
- contains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: info-manager2
matchLabels:
component: info-manager
- it: should not add egress rule to info-manager if antragraum is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
antragraum:
enabled: false
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: info-manager
matchLabels:
component: info-manager
- it: should add egress rule to zufi server if zufi is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: true
namespace: zufi
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: zufi-server
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
- port: 9090
protocol: TCP
- it: should not add egress rule to zufi server if zufi is disabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
zufiManager:
enabled: false
asserts:
- notContains:
path: spec.egress
content:
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
any: true
- it: should add egress rule to forwarding service if forwarding is enabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
      # (whether `forwarding` sits under networkPolicy or at the top level is
      # not recoverable from this listing — confirm against values.yaml)
      forwarding:
        enabled: true
        namespace: zentraler-eingang
        serviceName: fs-adapter
  asserts:
    - contains:
        path: spec.egress
        content:
          to:
            # podSelector and namespaceSelector in one peer: only pods with
            # component=<serviceName> inside the configured namespace
            - podSelector:
                matchLabels:
                  component: fs-adapter
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: zentraler-eingang
          ports:
            - port: 9090
              protocol: TCP
- it: should not add egress rule to forwarding service if forwarding is disabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
      forwarding:
        enabled: false
        namespace: zentraler-eingang
        serviceName: fs-adapter
  asserts:
    # NOTE(review): this content omits the `ports` key that the positive test
    # above pins. Without `any: true`, notContains compares whole elements, so
    # a rule emitted with ports would not equal this content and the check
    # would pass even if the rule were still rendered. Either add `any: true`
    # (as the antragraum-proxy negative test does) or pin the full rule.
    - notContains:
        path: spec.egress
        content:
          to:
            - podSelector:
                matchLabels:
                  component: fs-adapter
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: zentraler-eingang
- it: should throw error if zufi is enabled but zufi namespace is not set
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    zufiManager:
      enabled: true
  asserts:
    # Fail closed: an enabled zufi egress rule without a target namespace must
    # abort rendering rather than produce an under-specified peer selector.
    - failedTemplate:
        errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
- it: should not enable zufi netpol by default
zufiManager:
namespace: zufi
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- notContains:
path: spec.egress
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: zufi
podSelector:
matchLabels:
component: zufi-server
- it: should add egress rule to dns service
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- contains:
path: spec.egress
content:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: test-dns-namespace
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- port: 5353
protocol: UDP
- port: 5353
protocol: TCP
- it: add ingress rule local by values
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32
additionalIngressConfigGlobal:
- from:
- podSelector:
matchLabels:
component: client2
- podSelector:
matchLabels:
component: client2
- it: add ingress rule global by values
dnsServerNamespace: test-dns-namespace
ssoPublicIp: 51.89.117.53/32
additionalIngressConfigLocal:
- from:
- podSelector:
matchLabels:
component: client2
asserts:
- contains:
path: spec.ingress
content:
from:
- podSelector:
matchLabels:
component: client2
- it: add egress rules local by values
dnsServerNamespace: test-dns-namespace
additionalEgressConfigGlobal:
- to:
- ipBlock:
cidr: 1.2.3.4/32
- to:
- podSelector:
matchLabels:
component: ozg-testservice
ports:
- port: 12345
protocol: TCP
asserts:
- contains:
path: spec.egress
content:
to:
- ipBlock:
cidr: 1.2.3.4/32
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
component: ozg-testservice
ports:
- port: 12345
protocol: TCP
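- it: add egress rules global by values
  # NOTE(review): in this listing the values appear directly under the test
  # item and neither `set:` nor `networkPolicy:` is visible; helm-unittest
  # applies chart values via `set:` — confirm the nesting against the original
  # file. The title says "global" while the key exercised is
  # additionalEgressConfigLocal, and the preceding test has the mirror-image
  # mismatch — presumably swapped titles.
  dnsServerNamespace: test-dns-namespace
  additionalEgressConfigLocal:
    # the ipBlock entry is set here but not asserted below
    - to:
        - ipBlock:
            cidr: 1.2.3.4/32
    - to:
        - podSelector:
            matchLabels:
              # quoted: a bare `yes` is read as boolean true by YAML 1.1
              # loaders (Helm's included), and a boolean is not a valid
              # Kubernetes label value — the test must carry a string
              additionalEgressConfigLocal: "yes"
  asserts:
    - contains:
        path: spec.egress
        content:
          to:
            - podSelector:
                matchLabels:
                  additionalEgressConfigLocal: "yes"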
- it: test network policy disabled
set:
disabled: true
asserts:
- hasDocuments:
count: 0
- it: test network policy unset should be disabled
set:
dnsServerNamespace: test-dns-namespace
asserts:
- hasDocuments:
count: 1
- it: test network policy dnsServerNamespace must be set message
  set:
    networkPolicy:
      disabled: false
  asserts:
    # The DNS egress rule selects the resolver by this namespace (see the dns
    # service test); rendering fails closed rather than emitting a policy whose
    # DNS rule has no usable peer.
    - failedTemplate:
        errorMessage: networkPolicy.dnsServerNamespace must be set
- it: test network policy should be enabled by default
set:
networkPolicy:
dnsServerNamespace: test-dns-server-namespace
count: 1
- it: should require elster transfer namespace if muk is enabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    ozgcloud:
      muk:
        enabled: true
  asserts:
    # Fail closed: enabling muk without a target namespace aborts rendering
    # instead of producing an under-specified elster-transfer peer.
    - failedTemplate:
        errorMessage: ozgcloud.muk.elsterTransfer.namespace must be set if muk is enabled
- it: should add egress rule to elster transfer if muk is enabled
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
muk:
enabled: true
elsterTransfer:
namespace: elster-transfer
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: elster-transfer
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: elster-transfer
- port: 8081
protocol: TCP
- it: should set elster transfer name
set:
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
muk:
enabled: true
elsterTransfer:
namespace: elster-transfer
name: elster-transfer-test
asserts:
- contains:
path: spec.egress
content:
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: elster-transfer-test
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: elster-transfer
- port: 8081
protocol: TCP
- it: should not add egress rule for elster-transfer if muk is disabled
  set:
    networkPolicy:
      dnsServerNamespace: test-dns-namespace
    ozgcloud:
      muk:
        enabled: false
        elsterTransfer:
          namespace: elster-transfer
  asserts:
    # NOTE(review): the positive elster-transfer tests above pin an 8081/TCP
    # port entry; this content omits it. Without `any: true`, notContains
    # compares whole elements, so a rule rendered with ports would not equal
    # this content and the check could pass even if the rule were still
    # emitted. Add `any: true` (as the antragraum-proxy negative test does) or
    # pin the full rule including its port entry.
    - notContains:
        path: spec.egress
        content:
          to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: elster-transfer
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: elster-transfer
- it: should add ingress rule for aggregation-manager
networkPolicy:
dnsServerNamespace: test-dns-namespace
ozgcloud:
aggregationManager:
enabled: true
asserts:
- contains:
path: spec.ingress
content:
- port: 9090
protocol: TCP
from:
- podSelector:
matchLabels:
component: aggregation-manager
- it: should not add ingress rule for aggregation-manager
networkPolicy:
dnsServerNamespace: test-dns-namespace
asserts:
- notContains:
path: spec.ingress
content:
- port: 9090
protocol: TCP
from:
- podSelector:
matchLabels:
component: aggregation-manager