[elasticsearch] fix network policies http additional rules (elastic#1111
)

* [elasticsearch] fix network policies http additional rules

This commit fixes the http additional rules used with `NetworkPolicies`.

Fix elastic#1106

* [elasticsearch] improve netpol tests

This commit adds some small improvements in network policies tests:
* update example Makefile to fix commands and use similar structure to
other examples Makefiles
* fix example values file extension
* use different values for http and transport network policies in python
test and example values to catch regressions where same values would be
used for both
jmlrt authored Mar 17, 2021
1 parent fa7bdd8 commit c5e42ed
Showing 4 changed files with 30 additions and 29 deletions.
9 changes: 5 additions & 4 deletions elasticsearch/examples/networkpolicy/Makefile
@@ -1,13 +1,14 @@
default: test

include ../../../helpers/examples.mk

RELEASE := helm-es-networkpolicy
TIMEOUT := 1200s

install:
helm upgrade --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \
helm upgrade --wait --timeout=$(TIMEOUT) --install --values values.yaml $(RELEASE) ../../

restart:
helm upgrade --set terminationGracePeriod=121 --wait --timeout=600s --install $(RELEASE) --values ./values.yaml ../../ ; \
test: install goss

purge:
helm del --purge $(RELEASE)
helm del $(RELEASE)
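Review bot: `install`, `test` and `purge` are command targets, but no `.PHONY` declaration is visible in this file, so a file or directory named `install` or `purge` in the example folder would make that target look up to date and skip its recipe, including the cleanup. Unless `helpers/examples.mk` already declares them (it is not shown here), add `.PHONY: default install test purge` after the `include` line. Separately, `TIMEOUT ?= 1200s` would let CI adjust the wait through the environment as well as the command line.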
@@ -4,34 +4,34 @@ networkPolicy:
explicitNamespacesSelector:
# Accept from namespaces with all those different rules (from whitelisted Pods)
matchLabels:
role: frontend
role: frontend-http
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-http]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-http
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-http
transport:
enabled: true
allowExternal: true
explicitNamespacesSelector:
matchLabels:
role: frontend
role: frontend-transport
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-transport]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-transport
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-transport
2 changes: 1 addition & 1 deletion elasticsearch/templates/networkpolicy.yaml
@@ -28,7 +28,7 @@ spec:
namespaceSelector:
{{ toYaml . | indent 12 }}
{{- end }}
{{- with .Values.networkPolicy.transport.additionalRules }}
{{- with .Values.networkPolicy.http.additionalRules }}
# Or from custom additional rules
{{ toYaml . | indent 8 }}
{{- end }}
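Review bot: Switching this `with` to `.Values.networkPolicy.http.additionalRules` changes the effective ingress of releases that are already deployed, and the commit carries no upgrade note for that. Assuming this block is the HTTP ingress rule (it opens outside the hunk), peers listed only under `transport.additionalRules` were so far also admitted on the HTTP port and lose that access on upgrade, while `http.additionalRules` entries that were ignored until now start opening ingress. I would record this in the changelog and make the template comment explicit: `# Or from custom additional rules (networkPolicy.http.additionalRules)`.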
32 changes: 16 additions & 16 deletions elasticsearch/tests/elasticsearch_test.py
@@ -1367,37 +1367,37 @@ def test_network_policy():
explicitNamespacesSelector:
# Accept from namespaces with all those different rules (from whitelisted Pods)
matchLabels:
role: frontend
role: frontend-http
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-http]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-http
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-http
transport:
enabled: true
allowExternal: true
explicitNamespacesSelector:
matchLabels:
role: frontend
role: frontend-transport
matchExpressions:
- {key: role, operator: In, values: [frontend]}
- {key: role, operator: In, values: [frontend-transport]}
additionalRules:
- podSelector:
matchLabels:
role: frontend
role: frontend-transport
- podSelector:
matchExpressions:
- key: role
operator: In
values:
- frontend
- frontend-transport
"""
r = helm_template(config)
@@ -1412,16 +1412,16 @@ def test_network_policy():
},
"namespaceSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-http"]}
],
"matchLabels": {"role": "frontend"},
"matchLabels": {"role": "frontend-http"},
},
},
{"podSelector": {"matchLabels": {"role": "frontend"}}},
{"podSelector": {"matchLabels": {"role": "frontend-http"}}},
{
"podSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-http"]}
]
}
},
@@ -1434,16 +1434,16 @@ def test_network_policy():
},
"namespaceSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-transport"]}
],
"matchLabels": {"role": "frontend"},
"matchLabels": {"role": "frontend-transport"},
},
},
{"podSelector": {"matchLabels": {"role": "frontend"}}},
{"podSelector": {"matchLabels": {"role": "frontend-transport"}}},
{
"podSelector": {
"matchExpressions": [
{"key": "role", "operator": "In", "values": ["frontend"]}
{"key": "role", "operator": "In", "values": ["frontend-transport"]}
]
}
},
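Review bot: The expected `from` entries in the two later hunks show what each port's rule must contain, but the assertions that use them are outside the visible hunks, so it is unclear whether they compare the whole list or only test membership. If it is membership, a template that renders both `frontend-http` and `frontend-transport` peers under one port would still pass, which is the over-permissive side of the bug this commit fixes. Consider asserting absence as well, e.g. `assert "frontend-transport" not in str(http_from)` (`http_from` is a placeholder for whatever the test binds the HTTP rule's `from` list to). A second case that sets only `http.additionalRules` would also help.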
