E2E test of Antrea native policy ICMP support
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
GraysonWu committed Apr 25, 2022
1 parent 2921271 commit d5025f0
Show file tree
Hide file tree
Showing 9 changed files with 475 additions and 281 deletions.
36 changes: 35 additions & 1 deletion docs/antrea-network-policy.md
Expand Up @@ -16,6 +16,7 @@
- [ACNP for strict Namespace isolation](#acnp-for-strict-namespace-isolation)
- [ACNP for default zero-trust cluster security posture](#acnp-for-default-zero-trust-cluster-security-posture)
- [ACNP for toServices rule](#acnp-for-toservices-rule)
- [ACNP for ICMP traffic](#acnp-for-icmp-traffic)
- [Behavior of <em>to</em> and <em>from</em> selectors](#behavior-of-to-and-from-selectors)
- [Key differences from K8s NetworkPolicy](#key-differences-from-k8s-networkpolicy)
- [kubectl commands for Antrea ClusterNetworkPolicy](#kubectl-commands-for-antrea-clusternetworkpolicy)
Expand Down Expand Up @@ -381,6 +382,33 @@ spec:
enableLogging: true
```

#### ACNP for ICMP traffic

```yaml
apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
name: acnp-reject-ping-request
spec:
priority: 5
tier: securityops
appliedTo:
- podSelector:
matchLabels:
role: server
namespaceSelector:
matchLabels:
env: prod
egress:
- action: Reject
protocols:
- icmp:
icmpType: 8
icmpCode: 0
name: DropPingRequest
enableLogging: true
```

**spec**: The ClusterNetworkPolicy `spec` has all the information needed to
define a cluster-wide security policy.

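Review bot: the rule `name: DropPingRequest` does not match its `action: Reject` (or the policy name `acnp-reject-ping-request`); rename it to `RejectPingRequest` so the name that appears in logs reflects what the client actually sees. The example also lacks the one-sentence description the other examples in this section carry: add a line saying it rejects ICMP echo requests (type 8, code 0) sent by `role: server` Pods in `env: prod` Namespaces, and state whether the `icmp` key also matches ICMPv6 traffic, since that decides whether the example covers dual-stack clusters.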
Expand Down Expand Up @@ -423,7 +451,7 @@ default tier i.e. the "application" Tier.
**action**: Each ingress or egress rule of a ClusterNetworkPolicy must have the
`action` field set. As of now, the available actions are ["Allow", "Drop", "Reject", "Pass"].
When the rule action is "Allow" or "Drop", Antrea will allow or drop traffic which
matches both `from/to` and `ports` sections of that rule, given that traffic does not
matches both `from/to`, `ports` and `protocols` sections of that rule, given that traffic does not
match a higher precedence rule in the cluster (ACNP rules created in higher order
Tiers or policy instances in the same Tier with lower priority number). If a "Reject"
rule is matched, the client initiating the traffic will receive `ICMP host administratively
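Review bot: "matches both `from/to`, `ports` and `protocols` sections" reads oddly with three items; write "matches all of the `from/to`, `ports` and `protocols` sections". More importantly, the sentence should say how `ports` and `protocols` combine when both are set in one rule (traffic matching either one, or traffic matching both), because readers rely on this paragraph to predict what a Drop or Reject rule will catch.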
Expand All @@ -439,6 +467,9 @@ configurations will be rejected by the admission controller.
**ingress**: Each ClusterNetworkPolicy may consist of zero or more ordered set of
ingress rules. Under `ports`, the optional field `endPort` can only be set when a
numerical `port` is set to represent a range of ports from `port` to `endPort` inclusive.
`protocols` defines additional protocols that are not supported by `ports`. Currently, only
ICMP protocol is under `protocols`. `icmpType` and `icmpCode` could be used to specify the ICMP
traffic that this rule matches.
Also, each rule has an optional `name` field, which should be unique within
the policy describing the intention of this rule. If `name` is not provided for
a rule, it will be auto-generated by Antrea. The auto-generated name will be
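Review bot: the added sentences leave `icmpType` and `icmpCode` underspecified: say whether each is optional, what the rule matches when they are omitted (all ICMP traffic?), and whether `icmpCode` may be set without `icmpType`. "could be used" should be "can be used", and "Currently, only ICMP protocol is under `protocols`" reads better as "Currently, ICMP is the only protocol that can be specified under `protocols`".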
Expand Down Expand Up @@ -470,6 +501,9 @@ of egress rules. Each rule, depending on the `action` field of the rule, allows
or drops traffic which matches all `from`, `ports` sections.
Under `ports`, the optional field `endPort` can only be set when a numerical `port`
is set to represent a range of ports from `port` to `endPort` inclusive.
`protocols` defines additional protocols that are not supported by `ports`. Currently, only
ICMP protocol is under `protocols`. `icmpType` and `icmpCode` could be used to specify the ICMP
traffic that this rule matches.
Also, each rule has an optional `name` field, which should be unique within
the policy describing the intention of this rule. If `name` is not provided for
a rule, it will be auto-generated by Antrea. The rule name auto-generation process
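Review bot: this paragraph is a verbatim copy of the ingress one and has the same gaps about optional fields and default matching; fix both or have the egress text refer to the ingress section. The unchanged context two lines above still says egress rules match "all `from`, `ports` sections", which now omits `protocols` and says `from` where an egress rule selects `to`; update it in this PR while the surrounding text is being edited.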
4 changes: 2 additions & 2 deletions multicluster/test/e2e/antreapolicy_test.go
Expand Up @@ -20,9 +20,9 @@ import (
"time"

log "github.com/sirupsen/logrus"
v1 "k8s.io/api/core/v1"

antreae2e "antrea.io/antrea/test/e2e"
"antrea.io/antrea/test/e2e/utils"
)

const (
Expand Down Expand Up @@ -102,7 +102,7 @@ func (data *MCTestData) testAntreaPolicyCopySpanNSIsolation(t *testing.T) {
Name: "Port 80",
Reachability: reachability,
Ports: []int32{80},
Protocol: v1.ProtocolTCP,
Protocol: utils.ProtocolTCP,
}
testCaseList := []*antreae2e.TestCase{
{
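Review bot: the `Protocol` field is now set to `utils.ProtocolTCP` instead of `v1.ProtocolTCP`, and the `v1` import is dropped in this file's import block; confirm that the struct field's type changed to match and that no other test under `multicluster/test/e2e` still references `v1.ProtocolTCP`, otherwise the package will no longer compile. A sentence in the commit message explaining why the protocol constant moved out of the k8s core API types would help reviewers understand a change that is otherwise unrelated to the ICMP tests the commit title announces.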