Adding Network Policy test #395
Conversation
jaydeokar
force-pushed
the
netpol_test
branch
2 times, most recently
from
44dfb0c
to
2aba942
Compare
| } | ||
|
|
||
| return ctx, nil | ||
| }, |
There was a problem hiding this comment.
Can you add waiter(s) here so that we don't try to run the test cases until your pre-reqs are met?
There was a problem hiding this comment.
The deployment function here uses wait for the resource to be ready
https://github.com/aws/aws-k8s-tester/pull/395/files#diff-4082a58579cf8719172663a0888661788612744805944b7e28a64de150aec95dR226
e2e2/test/cases/netpol/main_test.go
Outdated
| for _, resource := range resources { | ||
| if _, err := fwext.ResourceExists(resource, releaseNamespace, config.KubeconfigFile()); err == nil { | ||
| log.Printf("Patching resource: %s labels and annotations..", resource) | ||
| fwext.Label(resource, "app.kubernetes.io/managed-by=Helm", releaseNamespace, config.KubeconfigFile()) | ||
| fwext.Annotate(resource, fmt.Sprintf("meta.helm.sh/release-name=%s", releaseName), releaseNamespace, config.KubeconfigFile()) | ||
| fwext.Annotate(resource, fmt.Sprintf("meta.helm.sh/release-namespace=%s", releaseNamespace), releaseNamespace, config.KubeconfigFile()) | ||
| } else { | ||
| log.Printf("Resource %s does not exist, skipping patching labels/annotations..", resource) | ||
| } | ||
| } |
There was a problem hiding this comment.
So vpc-cni is installed by default on a cluster and we need to import the resource into the helm chart (apply annotations/labels). More details here -
https://github.com/aws/eks-charts/tree/master/stable/aws-vpc-cni#adopting-the-existing-aws-node-resources-in-an-eks-cluster
I've updated this to delete the resources instead of patching for labels/annotations
e2e2/test/cases/netpol/main_test.go
Outdated
| wait.For(conditions.New(config.Client().Resources()).ResourceMatch(cniDS, func(object k8s.Object) bool { | ||
| d := object.(*appsv1.DaemonSet) | ||
| status := false | ||
| if d.Status.DesiredNumberScheduled == d.Status.NumberReady { |
There was a problem hiding this comment.
Can you use the existing utility in the framework for your daemonset checks?
There was a problem hiding this comment.
Seems like we need a e2e-framework release to use this utility. I've added a TODO to update to use this when we have a new version of the framework
There was a problem hiding this comment.
we could pull in the latest changes with a go v0.0.0-$COMMIT version, but you could also use the one I've put in the frameworkextensions package: https://github.com/aws/aws-k8s-tester/blob/main/e2e2/internal/framework_extensions/conditions.go#L32
jaydeokar
force-pushed
the
netpol_test
branch
from
2aba942
to
93eabe3
Compare
jaydeokar
force-pushed
the
netpol_test
branch
from
93eabe3
to
6cdd07b
Compare
There was a problem hiding this comment.
My biggest concern is the use of the VPC CNI helm chart, which could change between executions of this test case. I assume you don't plan to use this test case to qualify the network policy agent itself (because it's using the prod helm chart), so it'd be more stable to at least pin a specific version of the chart.
Dockerfile.kubetest2
Outdated
| @@ -17,7 +17,7 @@ COPY kubetest2/ . | |||
| RUN go install ./... | |||
| WORKDIR $GOPATH/github.com/aws/aws-k8s-tester/e2e2 | |||
| COPY e2e2/ . | |||
| RUN go test -c ./test/cases/nvidia -o $GOPATH/bin/e2e-nvidia | |||
| RUN go test -c ./test/cases/nvidia -o $GOPATH/bin/e2e-nvidia && go test -c ./test/cases/netpol -o $GOPATH/bin/e2e-netpol | |||
There was a problem hiding this comment.
Can you move this to a separate RUN for readability? We're not too concerned about minimizing the number of layers in this image
(or add a line break)
Dockerfile.kubetest2
Outdated
| @@ -51,4 +51,5 @@ ENV PATH=$PATH:/info | |||
| RUN cp kubernetes-version.txt /info/ | |||
| RUN mv kubernetes/*/bin/* /bin/ | |||
| RUN rm -rf /workdir | |||
| RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 700 get_helm.sh && VERIFY_CHECKSUM=false ./get_helm.sh && rm -rf ./get_helm.sh | |||
There was a problem hiding this comment.
line breaks for readability
| RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 700 get_helm.sh && VERIFY_CHECKSUM=false ./get_helm.sh && rm -rf ./get_helm.sh | |
| RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \ | |
| chmod 700 get_helm.sh && \ | |
| VERIFY_CHECKSUM=false ./get_helm.sh && \ | |
| rm -rf ./get_helm.sh |
e2e2/test/cases/netpol/main_test.go
Outdated
| client, err := config.NewClient() | ||
|
|
||
| if err != nil { | ||
| log.Print("Failed to get client") |
There was a problem hiding this comment.
Instead of logging before returning errors throughout this function, you could use errors.Wrap if the added context is really valuable
e2e2/test/cases/netpol/main_test.go
Outdated
| // Delete Cluster role | ||
| client.Resources().Delete(ctx, &rbac.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "aws-node", Namespace: releaseNamespace}}) | ||
|
|
||
| // Delete Cluster-Role Binding | ||
| client.Resources().Delete(ctx, &rbac.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "aws-node", Namespace: releaseNamespace}}) | ||
|
|
||
| // Delete ServiceAccount | ||
| client.Resources().Delete(ctx, &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "aws-node", Namespace: releaseNamespace}}) | ||
|
|
||
| // Delete Daemonset | ||
| client.Resources().Delete(ctx, &appsv1.DaemonSet{ObjectMeta: metav1.ObjectMeta{Name: "aws-node", Namespace: releaseNamespace}}) | ||
|
|
||
| // // Delete Configmap | ||
| client.Resources().Delete(ctx, &v1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "amazon-vpc-cni", Namespace: releaseNamespace}}) |
There was a problem hiding this comment.
This seems fragile to me, we'll have to keep this in sync with the resources that the managed addon for VPC CNI provides
There was a problem hiding this comment.
Yes, you are right. I don't think we have an easier way to import the resources into the helm chart at the moment.
I also considered using eks managed addons to avoid this, but that would mean adding a extra dependency which doesn't seem right here.
I am going to try few more things to see if that helps remove this.
That being said, we have not added new resources to this chart in a while..
There was a problem hiding this comment.
Found a way to not keep this resource mapping by using helm template followed by applying the rendered manifest file. However we would need to use another go library for helm client as the inbuilt helm package (e2e-framework) only validates if the chart can be rendered.
Yes, this tests is not to qualify Network Policy agent. The main goal of this is to verify ebpf programs gets loaded on the node whenever a new AMI is being released (mostly to catch issues when there is a kernel version update).. I explicitly did not pin this to a specific version of helm chart because we need to ensure only the latest versions of network policy agent is compatible |
jaydeokar
force-pushed
the
netpol_test
branch
from
6cdd07b
to
04978e2
Compare
jaydeokar
force-pushed
the
netpol_test
branch
2 times, most recently
from
b441367
to
869e422
Compare
|
Thanks for all the work on this @jaydeokar ! |
Issue #, if available:
N/A
Description of changes:
go test -v --kubeconfig=$KUBECONFIGThis adds a basic test for aws-vpc-cni Network Policy. The test does the following -
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.