Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

connectivity: Add Control Plane Node Connectivity Tests #2037

Merged
merged 1 commit into from
Nov 8, 2023
Merged

connectivity: Add Control Plane Node Connectivity Tests #2037

merged 1 commit into from
Nov 8, 2023

Conversation

nathanjsweet
Copy link
Member

The control plane nodes create unique policy selection contexts that allow us to test that label selection of host and kube-apiserver entities is correct.

@nathanjsweet nathanjsweet temporarily deployed to ci October 12, 2023 22:21 — with GitHub Actions Inactive
squeed
squeed reviewed Oct 13, 2023
View reviewed changes
connectivity/tests/k8s.go Outdated Show resolved Hide resolved
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from d813bd0 to 60a6477 Compare October 13, 2023 15:03
@nathanjsweet nathanjsweet temporarily deployed to ci October 13, 2023 15:03 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet marked this pull request as ready for review October 13, 2023 15:03
@nathanjsweet nathanjsweet requested review from a team as code owners October 13, 2023 15:03
@nathanjsweet nathanjsweet requested review from squeed and nebril October 13, 2023 15:03
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from 60a6477 to e8d08dc Compare October 13, 2023 15:38
@nathanjsweet nathanjsweet temporarily deployed to ci October 13, 2023 18:37 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet reopened this Oct 14, 2023
@nathanjsweet nathanjsweet temporarily deployed to ci October 14, 2023 00:56 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from e8d08dc to 93014cb Compare October 16, 2023 16:11
@nathanjsweet nathanjsweet temporarily deployed to ci October 16, 2023 16:11 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from 93014cb to 9effdf0 Compare October 17, 2023 14:36
@nathanjsweet nathanjsweet temporarily deployed to ci October 17, 2023 14:36 — with GitHub Actions Inactive
squeed
squeed reviewed Oct 18, 2023
View reviewed changes
connectivity/tests/k8s.go Outdated Show resolved Hide resolved
@squeed
Copy link
Contributor

squeed commented Oct 18, 2023

I think we want to have four test cases, depending on the status of features:

  1. pod -> remote apiserver, kube-apiserver entity in policy
  2. pod -> remote apiserver, cidr-based policy (only if node-cidr is enabled or control plane is remote)
  3. pod -> same-node apiserver, kube-apiserver entity (only if control plane is self-hosted)
  4. pod -> same-node apiserver, cidr-based policy (only if control plane is self-hosted and node-cidr is enabled)

Make sense?

squeed
squeed reviewed Oct 18, 2023
View reviewed changes
connectivity/tests/k8s.go Outdated Show resolved Hide resolved
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from 9effdf0 to 8de1163 Compare October 18, 2023 19:42
@nathanjsweet nathanjsweet temporarily deployed to ci October 18, 2023 19:42 — with GitHub Actions Inactive
@nathanjsweet
Copy link
Member Author

I think we want to have four test cases, depending on the status of features:

  1. pod -> remote apiserver, kube-apiserver entity in policy
  2. pod -> remote apiserver, cidr-based policy (only if node-cidr is enabled or control plane is remote)
  3. pod -> same-node apiserver, kube-apiserver entity (only if control plane is self-hosted)
  4. pod -> same-node apiserver, cidr-based policy (only if control plane is self-hosted and node-cidr is enabled)

Make sense?

Yes. My refactor guarantees this. Now, a control-plane client-pod will be deployed to every control plane node where a host ping and k8s curl will be tested.

@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from 8de1163 to b0496ba Compare October 19, 2023 15:20
@nathanjsweet nathanjsweet temporarily deployed to ci October 19, 2023 15:20 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from b0496ba to ffa5b6b Compare October 31, 2023 19:16
@nathanjsweet nathanjsweet temporarily deployed to ci October 31, 2023 19:16 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from ffa5b6b to 85355f3 Compare November 1, 2023 02:20
@nathanjsweet nathanjsweet temporarily deployed to ci November 1, 2023 02:20 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet requested review from nebril and squeed November 1, 2023 02:20
@nathanjsweet
connectivity: Add Control Plane Node Connectivity Tests
a03a6b8 
The control plane nodes create unique policy selection
contexts that allow us to test that label selection of
host and kube-apiserver entities is correct. This change
adds control plane client-pods on every control plan node
when the hidden test variable `--k8s-localhost-test` is enabled.
Control plane components, as well as the control plane host
are queried with control plane policy selections in place.

Signed-off-by: Nate Sweet <[email protected]>
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch from 85355f3 to a03a6b8 Compare November 2, 2023 19:43
@nathanjsweet nathanjsweet temporarily deployed to ci November 2, 2023 19:43 — with GitHub Actions Inactive
@nathanjsweet nathanjsweet reopened this Nov 6, 2023
@nathanjsweet nathanjsweet merged commit 3490b39 into main Nov 8, 2023
22 of 37 checks passed
@nathanjsweet nathanjsweet deleted the pr/nathanjsweet/add-kube-apiserver-localhost-policy-test branch November 8, 2023 17:11
@nathanjsweet nathanjsweet mentioned this pull request Dec 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebril nebril nebril approved these changes

@squeed squeed squeed approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nathanjsweet @squeed @nebril